Hacker News new | ask | show | jobs
by MangoToupe 183 days ago
As a corollary, it might also increase the surface of upstream supply-chain attacks (patched or not)

The package import thing seems like a red herring
1 comments
Retr0id 183 days ago
It's going to be fun if someone finds a security vulnerability in a commonly-emitted-by-LLMs code pattern. That'll be a lot harder to remediate than "Update dependency xyz"
link
MangoToupe 182 days ago
> if someone finds a security vulnerability in a commonly-emitted-by-LLMs code pattern

how do you distinguish this from injecting a vulnerable dependency to a dependency list?

link
Retr0id 182 days ago
You can more easily check for known-vulnerable dependencies
link
MangoToupe 182 days ago
Right, but if you can embed bad packages in LLMs, you can surely embed any kind of vulnerability imaginable.
link
Retr0id 182 days ago
I'm not thinking about deliberately embedded vulnerabilities, just accidental/emergent ones. The modern equivalent of devs copy-pasting stackoverflow answers that happen to contain SQL injection vulns.
link
MangoToupe 182 days ago
Does the distinction make any difference?
link