For those who don’t know, “tridge” is legendary.
He casually reverse engineered Microsoft’s SMB protocol, creating Samba, back when windows file sharing was a key part of Microsoft’s lock in. He also isn’t just the maintainer of rsync, he invented the algorithms it uses. People who worked with him consider him a genius and a guru.
How much you want to bet he’s just bombarded by the “ai security reports arms race” I saw on here a couple days ago, where people use LLMs to find security holes in open source projects (likely a form of ‘fuck the dev’ training)? I mean, for hundreds of reports to come in, some of which I’m sure are legitimate, is overwhelming to a team… and he’s just one dude.
Edit. Looks like I may have been right. User Chairman Meow posted an excerpt from Discord that basically says that. Even legends get lonely, it seems.
Yep. A solo dev working on a project. Legitimate security flaws found by people who don’t know much of anything about coding, but can prompt an LLM. They don’t even understand the bugs they’re submitting, so if he has questions they can’t help.
His choice is either to spend all of his free time trying to patch these bugs, or to look for help. It’s very hard to find help as a solo dev on an unsexy but essential tool. So, he turned to LLMs to help. And, who knows, maybe he’s able to use them slightly more responsibly than other devs. But, LLMs almost inevitably lead to their own bugs because LLMs are always confident, and are designed to produce something that looks as much as possible like real working code, but without any actual thought or analysis behind them.
Which makes it all the more disturbing that he has turned to slopmachines.
If you read the discord chat logs, it makes sense. He’s being bombarded by security vulnerabilities discovered via LLMs, from people who barely know how to code and can’t even explain the flaw that their LLM discovered. He’s a solo maintainer, and his choice is either to leave these security vulnerabilities open, or to turn to LLMs to try to keep up with the need for patches.
I don’t think he made the right choice, but I think he’s probably a much better programmer than me.
I don’t think he made the right choice, but I think he’s probably a much better programmer than me.
I’m a senior dev that works with LLMs these days and has been running dozen-person teams before, and reading slop code is a skill that needs to be built through months/years of work no matter how good a programmer you are - it’s a different skill set.
This is about to be a big thing. LLMs are very good at finding exploits and creating scripts to exploit them. Now a script kiddy is much more powerful. Companies are trying to figure out how to respond. Red Hat’s Project Lightwell is one such project.
I wonder about the timing of this. I just got a backup NAS out at my mom’s house some miles away and for one or two beautiful days I was sending Rsync differential backup jobs through the vendor interface for backups over Wireguard. The NAS is still on my network over WG, comes back up in that way after a reboot…but for the last week, those backup jobs just break with a useless error. I haven’t had the time to look under the hood at logs but I’ve been assuming this was slopping config on my part cause I’m new at it. But it would almost be a relief if it was just a bad update (before the graver implications of the situation set in on my mind). I wish I had enough background in this stuff to be useful, but I’m just a bystander and a grateful, useless end user.
Just gonna copy what tridge said:
bottom line is if you want to be useful then pick holes in the test suite, find things it doesn’t cover, find interactions between options it doesn’t pin down, report those and offer fixes for that.
Why ask for forks or alternatives?
B-but… I want to RAGE against the machine, not work!
rsync is thirty years old. It has been mature and reliable. But now we’re victim-blaming someone that hasn’t (yet) cleaned up somebody else’s mess?
It’s FOSS, the author doesn’t owe you anything.
That’s quite a strawman you’ve framed, or at best a non sequitur.
You may not like it, but this is what 10x productivity looks like.
This is negative productivity. It worked before, and now it doesn’t.
But when it worked there was no work being done. The repo just stayed there, working. Doing nothing.
A few LLM commits have kickstarted the process of a lot of people checking their rsync versions, choosing the correct one. And so on. That is work that wasn’t being done before, and now it is done thanks to LLMs. Truly a wonder of our times.
Reminds me of that Douglas Crockford talk on managers. I’ll see if I can dig it up.
I wonder what he thinks about LLMs.
Okay, I imagine that using an LLM is like having several Tasmanian Devils on your team.
Move fast and break things. Features over stability.
Makes sense for a lean startup. Not so much for a widely used utility for backing up important data.
What is it about LLMs that makes so many devs’ brains melt?
Studies have already shown that the moment you start relegating code to LLMs you kinda just start using them as a crutch even if you don’t need them.
Staff Engineer here. Our CTO told us in March two things. One, if we didn’t get on board with AI then we would be unemployable in 3 months, and two, we had to use AI for everything. Literally everything. I asked (as a senior engineer of 19 years) if that included simple bug fixes I see that take minutes vs 30+ describing the problem. The answer was “absolutely”. Our budget is $400K /month to Anthropic and we exceeded that 3 weeks into May.
It’s always the damn suits.
Pump those numbers, make them regret the decision.
Also that’s an insane budget for AI.
I’m doing my part!
Unfortunately “doing your part” is making the AI companies look like they have revenue just before IPO.
Yeah until CTOs start to realize that they spent the budget to double the workforce on tokens while producing nothing of lasting value. Nobody profits from LLM code except LLM companies.
That’s my hope anyway…
Our budget is $400K /month to Anthropic and we exceeded that 3 weeks into May
Fucking hell, that’s so much money to burn on management’s AI addiction. Have to wonder how your finance department feels about burning almost half a million a month.
Also, wild that management is telling you that not letting your skills degrade by handing everything off to an AI is what’ll make you unemployable.
They think once the ball is rolling, then they can phase out the humans.
They think that AI usage is like training a junior dev, that it starts out hopeless but over time can operate without the expertise.
They don’t realize that invoking AI doesn’t work that way, that the context window is the only accumulation of anything germane to your codebase, and that the model doesn’t evolve based on that interaction.
So they don’t care about the skills, they want to get to the point where they can toss a prompt into Claude and have it all taken care of, thinking that their employee usage of it somehow accelerates that outcome.
Oh look, finance has a friend in the other company. This is classic corruption: order shit from your friend’s business and pretend it was necessary.
That’s just a handful of enthusiastic interns, except that you aren’t investing in cultivating future talent…
Burn that budget. Make the CFO pull their hair out when they look at expenses vs revenue. For once, bean counters might save us from this BS.
If they’re anything like my company’s executive team, they’re using AI to make their decisions too. They’re being spoonfed the issue isn’t AI underperforming, it’s you.
They’ll soon fire you first before capitulating on the notion that their AI implementation sucks.
The bean counters will maximize their personal profit. You think they can’t game the AI bubble?
but that would just cause the entire company to implode (scorpion and frog dot jpeg)
Gaming the AI bubble is difficult when you’re a customer.
Ours said the same thing back in December. Our principal engineer said we had to start using the chatbot for all coding.
I’ve tried it but at some point it gets faster for me to do it myself 50% of the time. And some of the other times it’s just flat out wrong. The times it gets it right are great; but I hate feeling like I’m relying on a slot machine for my job.
I just started using it just to commit and for PRs to make it look like I’m using it all the time. Burns tokens and execs can’t tell the difference.
Towards the end of the month I just start generating mindless crap so I don’t get “dinged” for under-using AI.
The rest of the month I always set the model to the most expensive to try to naturally burn through my quota and get marginally less annoyed by the even worse suggestions from the default models.
Since burning through tokens really involves letting it invoke commands, I don’t really burn that much naturally since I don’t like reviewing and approving commands and I’m sure as hell not going to let it just run commands at will.
400k a month is quite a bit of GPU power. I do not understand why software companies aren’t at least offsetting their Claude usage with open source models running on their own hardware. It seems like a no brainer. Opus is really good but most tasks aren’t that complex and a smaller model will work just as well.
Because no one ever got fired for buying IBM.
Removed by mod
Sometimes I’m sad I quit software development as a job. So much room for malicious compliance with this AI bullshit. And if something goes wrong you can just blame it on the AI you were forced to use. The fun I could have had…
deleted by creator
Removed by mod
Here it seems like panic in the face of things like the CopyFail/DirtyFrag/Fragnesia/ssh-keysign-pwn stuff.
That if he didn’t let AI ‘fix’ the issues it can find first, then someone will hit rsync with devastating CVEs.
Problem is he saw that the tool was offering to ‘fix’ things that perhaps weren’t quite right and saw a credible proposal to implement fixes, but the fixes were for bugs no one cared about or noticed and weren’t security related, but incurred side effects that people did notice.
If you have a non-security bug that’s been in place since 2019 and the only thing that noticed was an LLM analysis of your codebase, it may be best to let sleeping dogs lie…
People lazy.
Removed by mod
I’m starting to think that I don’t want to use Arch anymore and thus always be among the first to get all the new slop.
And now with supply chain attacks being all the rage it’s like being in a convertible with its top down tailgating a flatbed filled with portapotties.
Debian ftw
Debian + KDE Plasma got me to switch over from Mint. It just feels right.
There have been a LOT of updates recently though. Normally I update pretty often because part of the reason for using Debian is my expectation that an update has been pretty thoroughly vetted before it gets pushed out to stable, and that stability/reliability is one of the priorities of the distro.
I just hope that holds true, and that if LLMs are involved it’s those cases where they stumble upon an obscure security flaw that humans confirm.
Involving LLMs is not the problematic part, it’s having them write code that the maintainer doesn’t understand. Finding issues, suggesting optimizations, helping to write comments or commit messages are all perfect uses of LLMs for critical tools like rsync.
Sounds like the real issue is funding for the maintainers though.
There’s a downgrade utility for a reason lol. You always have that option and it’s not particularly hard to use. Most of the time it’s fine but yeah shit like this does happen from time to time.
The project’s issue tracker has been pretty wild recently, for example https://github.com/RsyncProject/rsync/issues/929
God, both sides are toxic AF and here I am simply wanting to know if correlation is causation.
It is. Reading these lemmy threads gives commits or links to other commenters. My fav is this one https://neuromatch.social/@jonny/116666900898570791
That’s a great post, that well displays the issues with AI tests! For my own personal curiosity I looked at the testing rewrite of rsync, specifically the chgrp_test because it was the smallest test I quickly found. If you look at the original shell script, all it does is call chgrp and then fail if it doesn’t work. In the Python rewrite on the other hand the LLM calls chown to change the group and only if that fails, it tests chgrp. So if for some reason chown works but chgrp would fail, the original shell script would easily catch that (cause why do you test for chown anyways) while the Python rewrite doesn’t even call chgrp in case chown works.
Even though this might not be as much of a problem in practice, I think it illustrates that the AI tends to write tests where it already anticipates and tries to fix potential issues, which absolutely goes against the use of tests!
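The test-design failure described in the comment above, as an added example that is not code from the rsync project or from any commenter: a direct test that calls the command under test and fails when it fails, beside a "fallback" test that tries chown first and only reaches chgrp when chown fails. Neither real command is executed; the runner is a constructed stand-in that maps a command name to success or failure, so the example runs offline and enumerates every combination to show exactly which case the fallback test hides.

```python
"""Direct test vs fallback test for a group-change operation.

Constructed example. `make_runner` simulates the system: a dict says whether
`chown` and `chgrp` succeed, standing in for subprocess.run(...).returncode == 0.
"""
from __future__ import annotations

from typing import Callable, Dict, List, Tuple

Runner = Callable[[List[str]], bool]


def make_runner(working: Dict[str, bool]) -> Runner:
    """Return a fake command runner: success is looked up by argv[0]."""
    def run(argv: List[str]) -> bool:
        return working.get(argv[0], False)
    return run


def direct_test(run: Runner, path: str, group: str) -> bool:
    """Shape of the original shell test as the comment describes it:
    call chgrp, report failure if it fails. Nothing else is attempted."""
    return run(["chgrp", group, path])


def fallback_test(run: Runner, path: str, group: str) -> bool:
    """Shape of the rewritten test as the comment describes it: change the
    group with chown first and only fall back to chgrp if chown fails.
    When chown works, chgrp (the thing under test) is never called."""
    if run(["chown", f":{group}", path]):
        return True
    return run(["chgrp", group, path])


def compare(chown_ok: bool, chgrp_ok: bool) -> Dict[str, bool]:
    """Run both tests against one simulated system state."""
    run = make_runner({"chown": chown_ok, "chgrp": chgrp_ok})
    return {
        "direct": direct_test(run, "file.txt", "staff"),
        "fallback": fallback_test(run, "file.txt", "staff"),
    }


def masked_failures() -> List[Tuple[bool, bool]]:
    """Enumerate all four system states and return those where the fallback
    test passes while the direct test fails: a broken chgrp goes unnoticed."""
    masked = []
    for chown_ok in (False, True):
        for chgrp_ok in (False, True):
            result = compare(chown_ok, chgrp_ok)
            if result["fallback"] and not result["direct"]:
                masked.append((chown_ok, chgrp_ok))
    return masked


if __name__ == "__main__":
    for chown_ok in (False, True):
        for chgrp_ok in (False, True):
            print(f"chown_ok={chown_ok!s:5} chgrp_ok={chgrp_ok!s:5} ->",
                  compare(chown_ok, chgrp_ok))
    print("states where the fallback test hides a chgrp failure:",
          masked_failures())
```

The only masked state is chown working while chgrp is broken, which is precisely the case a chgrp test exists to catch; a test that chooses a path around the failure it is meant to detect is not a weaker test but no test at all for that path.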
don’t get tricked into thinking an LLM can encode “anticipation of a potential issue”
I think it illustrates that the AI tends to write tests where it already anticipates and tries to fix potential issues, which absolutely goes against the use of tests!
LLMs just generate “statistically probable” text, all it’s doing is generating text that looks like how you’d write tests, they may or may not actually test anything.
Lol this is hilarious! I want to see the prompt they used cause my god they didn’t think it through
I’m honestly not seeing two sides being shitty. I feel like I see people being shitty towards the developer and people being opposed to that.
Honestly what happened to language models is a shame. Good tools perverted to try and do every job. LLMs don’t really have a place and eat up so many resources with what amounts to an okay scaffolding tool in code, and a piece of shit liar everywhere else. I remember seeing this shit being used in medicine almost 15 years ago thinking that’s gonna be a cool technology to see expand. It was fucken not.
Neural networking has so much potential in so many places, yet of course the industry collectively zoomed in on LLMs specifically and is trying to sell them as a panacea to the world’s problems.
As though a mechanical parrot knows anything about good coding practices, or literally anything outside of mimicking speech patterns.
My theory is it’s because LLMs could talk directly to the C-suite.
My theory is it’s because LLMs could suck up directly to the C-suite.
FTFY
I hate to admit it, but you could very well be onto something haha
Well, they’re both fluent in bullshit, so that checks.
The reason labs focus on LLMs is that language is a great substrate for generalization. Good luck trying to one-shot out-of-distribution problems using classic neural networks. They’ve tried for decades to make it happen but LLMs surpassed those results in a few years.
Idk. LLMs don’t seem like a good solution because of how many resources they need to train and run compared to specialized models.
I know it’s in bad taste to quote myself but i wrote an explanation of why this isn’t necessarily a bad solution here
I understand that idea, but at the same time @placebo@lemmy.zip has a point.
There’s a good reason why you generally don’t get a CPU to do graphics and why FPGAs are usually only put on dev units.
Specialist hardware is generally much more efficient cost and energy wise than generalist hardware for a given task.
And I imagine that must be true for neural networks too, as that layer of language processing on top of any task naturally can’t be as efficient/performant as specialist software/networks made for the job.
And I imagine that must be true for neural networks too, as that layer of language processing on top of any task naturally can’t be as efficient/performant as specialist software/networks made for the job.
Oh yeah definitely, a specialized model for each task would be more efficient on the inference side, but can you imagine the cost of training a million specialized models? For example you could think of natural language processing as it was done before: one model for sentiment analysis, one model for chronological analysis, one model for identifying legal terms etc… need to classify color descriptions in natural language? Well, here you go, train another model. A small model (comparatively) but also one you’ll have to re-train if you want to change the task even slightly.
A LLM has the advantage of being able to generalize a lot of different tasks on the same model, including some that are wildly out of distribution (meaning you hadn’t even thought of them and they are not explicitly stated in the training data). So yeah, you pay a big training tax to train one large model, but then it pays off because that same model can perform on a million different tasks.
At least that’s the thesis. I’m not qualified to judge whether it is proving worth it, but that’s the reason why the industry massively shifted towards LLMs.
you saw LLMs being used in medicine almost 15 years ago? was it something else, because the transformer model was invented in 2017
Not LLMs, it was their predecessor neural nets and just language models.
The slop continues until shareholder value improves
Almost all of the latest commits on the project now :/
https://github.com/RsyncProject/rsync/commits/master/

+14k SLoC, -6k SLoC, most of it in May. In software that’s mostly “done” and needs nothing else but bug fixes.
LGTM.
No other way to review long patches besides LGTM says only profession that keeps doing that
https://packages.debian.org/stable/rsync
Package: rsync (3.4.1+ds1-5+deb13u3)
slow and steady beybeee
get ready to be mad about it when 3.4.3 hits Debian in about 9 years
Oh great. We have 3.4.3 in testing, so uh, next stable will probably have it.
Or, you know, maintainers reject it.
It’s good to see AI sloppers already being confronted, dropped, and outcompeted.
It’s a bit sad since it’s the guy who has been doing this for decades and doing such a good job.
Now Claude comes along and he’s convinced he has to slop it up or else get trampled by AI security scanning efforts.
Yeah, the human story here is saddening. Worst part is it can end up being his legacy, decades of diligent work and one misstep in the eyes of (part of) the community and now his work will be considered trash.
I agree with the sentiment but I’m not following on this incident. Who is outcompeting tridge and making a better rsync?
Whoever gets there first if rsync literally stopped working.
This is a duplicate thread but sure, imma just copy paste from my previous comment.
Here’s the Discord dump for those who don’t want to join (Tor not allowed, sorry I don’t have a better file host, AI brought down 0x0.st). No further commentary.
[30.05.2026 10:05] andrewtridgell I reviewed it. The rsync project has been essentially a single developer project for about 20 years now
[30.05.2026 10:06] andrewtridgell Wayne did it all himself for a long time, now I'm back doing it
[30.05.2026 10:06] realketas why is it one man job, it seems like too complex for that
[30.05.2026 10:06] realketas i can't even imagine
[30.05.2026 10:06] andrewtridgell nobody else volunteers. Its the same story with thousands of open source tools
[30.05.2026 10:07] realketas it runs entire planet, just one man does it eh
[30.05.2026 10:07] realketas sad too
[30.05.2026 10:07] andrewtridgell the linux kernel has thousands of paid full time devs. rsync has zero.
[30.05.2026 10:15] andrewtridgell the most insane part is that security releases can't be community tested. Those security releases are going to be a huge part of lots and lots of open source projects for a while to come yet, just look at the rate of CVEs over the last couple of months, its gone nuts. You can't do a beta release of a security fix as its embargoed. So for the most critical fixes you *can't* have anyone else look at it. The people reporting the flaws mostly don't have the skills as they used AI to find the bugs. So the maintainer is the sole person to review the most critical security changes, and that is how the madhouse called the internet and IT security is designed. The only defence I have is to build the most comprehensive and accurate test suite I can, so when I need to deal with yet another security report I can at least quickly identify what else the fix breaks. Luckily I can do that work (the dev of the test suite) in public.
[30.05.2026 10:22] andrewtridgell bottom line is if you want to be useful then pick holes in the test suite, find things it doesn't cover, find interactions between options it doesn't pin down, report those and offer fixes for that.
Basically, it’s a solo dev being swamped by LLM security reports, and since those are embargoed only maintainers can review them… and since nobody else has volunteered, he has to do it himself.
He primarily used several AIs to rewrite the test suite from shell (slow, lacking coverage) to python (parallelised, improved coverage). He says he’s extensively reviewed everything, but I guess the suite doesn’t cover everything. And the test suite changes can be community reviewed.
The dev has been actively inviting people to join as a maintainer and poke holes in the test suite, but it seems nobody has stepped up. I can’t really blame the dev here, he just seems unable to keep up without others helping him out. He’s tried to use AIs as sensibly as he could, and I’m not entirely sure if it’s slop fixes that cause the issues (or if an “unassisted” fix would have caught it).
A very important question is being hypothesized here and I hope we all come to a conclusion sooner rather than later.
Is it better for a FOSS project to be abandoned because a single maintainer is overwhelmed? OR Should a single maintainer use LLM tools to continue a project they no longer are able to handle?
I personally see abandoned projects easier to pick up when left “as is” for someone to eventually come in. Doing massive amounts of ai code that eventually breaks the functionality (or presumably does), and then expecting people to come in to a larger shit storm seems daunting.
If you want to pick up this project you can take the last pre-llm version.
Or go work with the dev who is actively begging for volunteers instead of trying to make a whole new project.
Fact is there’s a bunch of 50+ engineers that have been looking after these fundamental components for a long time, and people aren’t coming through to hand things off to. It won’t be long before they’ll have come to the end of their working lives and things will be abandoned.
I would prefer they walked away rather than resort to LLM agentic coding.
I don’t want to put my trans ass out there to get brigaded by assholes so open source is not my thing. Massive respect to the people who put up with fossbros.
I’d have thought it would be an area where you could be viewed by the quality of what you do, and not anything else.
I might be being naive.
Yeah, sadly.
I see a lot of bitching in that thread but no offers to help maintain the project.
Doesn’t excuse slop in the slightest. An unmaintained or abandoned project is infinitely better than updating and corrupting the codebase with slop.
You should complain and get your money back.
I suppose the problem is that this was evidently brought on by trying to use AI to be proactive about security risks from AI findings. So an abandoned rsync would gather CVEs.
That said, it looks like he has used Claude to poke at bugs no one noticed, security issue or no. Like a promise about a combination of flags having a certain effect that didn’t happen. So fine, technically you didn’t live up to your man page, but no one complained, so maybe the risk of change isn’t worth the change.
If it’s a security issue, then… ok fine, you have to give it a try, but it looks like stirring things up to try to fix years of maybe not right, which is a risky proposition.
I suppose the problem is that this was evidently brought on by trying to use AI to be proactive about security risks from AI findings. So an abandoned rsync would gather CVEs.
It would gather CVEs, yes, but at least the codebase would not change so fast that even the maintainer themselves can no longer keep up with understanding all the changes. I’ve looked at a few commits and there’s way too many lines of code for the maintainer to have carefully reviewed and understood them all.
But an abandoned rsync would have two great advantages:
- it would give stronger support / user interest to a fork
- distros would not face the decision whether or not to upgrade to a version with slop in it
If it’s a security issue, then… ok fine, you have to give it a try, but it looks like stirring things up to try to fix years of maybe not right, which is a risky proposition.
Also - if a tool finds a security risk, then I want a human maintainer to wrap their head around the attack vector to come up with the correct patch to counter the actual attack vector. Slop machines have zero understanding, so if you need to put out a house fire with people in it, a slop machine might as well drain all oxygen from the air. The fire will be gone after that. But so will the people.
…and a lot of the “security issues” being found by LLMs are not viable attack vectors. For example: in the case of rsync they just terminate a connection with no server-side effect.
Of course, there’s that as well. And self-appointed “security researchers” auto-scanning repos and creating tool-submitted issues about “vulnerabilities”, wasting dev time.
“Coding assistants” have to be considered what is the most likely intent: a large-scale attack of megacorporations on the open source community, and the gullible people who use them should be treated as agents of a hostile corporation.
Funny you use that analogy because I once worked in a factory where if a fire didn’t get you, the fire suppression system that was basically just a few tanks of CO2 would when it pushed all the breathable air away. No AI involved at all, just a bunch of people that cared more about the equipment than the people (or were willing to go to any means to keep any fires from spreading to the offices).
No point here really, other than maybe you’re overestimating people with that analogy.
Edit: also, when there’s community pressure to fork a project that already isn’t getting much help, I’d expect the ones who just want an AI to do it would be more likely to step up. Taking over a fork is more work than contributing to one someone else owns, though some might be attracted to that control (which may or may not work out for everyone else).
Which commit was the slop that caused the issue?
It’s not like bugs didn’t happen before AI, so to be so confident it’s slop that caused the issue you surely know which commit caused the issue?
I’m incredulous about the direction of AI development tools, but this whole thing is turning into attacks on the guy and acting like bugs didn’t happen before AI.
It looks like one of the issues is around openat2 which has only been around for 6 years or so. Rsync assumes that it’s available and has no fallback. I’m not sure what openat2 is or what was used before or why the change was made. I’m guessing it was an error but as AI was deemed to be involved everyone lost their shit
Are you sure you want dumbasses like me to contribute? I thought we hated enshittification? (This goes for AI code too)
Enshittification is more about adding shitty anti-features than sucking at maintaining something. A codebase falling apart due to AI contributions should be called something else, like slopification. There might be an older term for a codebase losing quality because of incompetent maintainers.
I guess OpenRsync is the answer now
Aight, what’s the fork?
This showed up earlier in my feed.
Brilliant! Hadn’t thought of using a BSD utility!
The funny part is how people are so willing to jump from one thing they perceive as slop, to an entirely different thing they’ve never audited yet now somehow trust. 🤪
There’s gotta be a good market for hackers just forking and promising no AI to bring in all the reactionary suckers.
It’s included in OpenBSD and MacOS. It’s not just some random fork.
Oh this market already exists don’t worry. Especially for load bearing software like rsync the potential is enormous and it’s not lost on the bad actors.
Such a dumb take. We trust (or don’t trust) the maintainers, not the software qua software. You think that’s a typo and that’s fine, ask your fucking friend about it, it knows. Idiot
They’re gonna use AI next week. Where will you go after that?
The next fork that fucking doesn’t, that’s how open-source works
That’s gonna be a drawer of dirty forks eventually maintained by unqualified people
Should be named ssync
If it’s written in Python
They’ll keep going until they get to X and then start adding numbers, before they just toss the whole thing and build something else