Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

While this example is explicitly asking for a port (thus a copy), I also find in general that LLM's default behavior is to spit out new code from their vast pre-trained encyclopedia, vs adding an import to some library that already serves that purpose.

I'm curious if this will implicitly drive a shift in the usage of packages / libraries broadly, and if others think this is a good or bad thing. Maybe it cuts down the surface of upstream supply-chain attacks?





As a corollary, it might also increase the surface of upstream supply-chain attacks (patched or not)

The package import thing seems like a red herring

reply


It's going to be fun if someone finds a security vulnerability in a commonly-emitted-by-LLMs code pattern. That'll be a lot harder to remediate than "Update dependency xyz"

reply


> if someone finds a security vulnerability in a commonly-emitted-by-LLMs code pattern

how do you distinguish this from injecting a vulnerable dependency to a dependency list?

reply


You can more easily check for known-vulnerable dependencies

reply


Right, but if you can embed bad packages in LLMs, you can surely embed any kind of vulnerability imaginable.

reply


I'm not thinking about deliberately embedded vulnerabilities, just accidental/emergent ones. The modern equivalent of devs copy-pasting stackoverflow answers that happen to contain SQL injection vulns.

reply


Does the distinction make any difference?

reply


Yes, you'd take different actions to avoid each.

reply




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: