[blurbleblurble]

Maybe he got notified from the mythos team of a bunch of vulnerabilities and then followed up using claude. Doesn't seem that unlikely.

What would you do if suddenly there were a dozen exploitable CVEs in your highly used open source project staring you down? Maybe you'd use the tool that found them to patch them as quickly as possible.

[kelnos]

I am absolutely willing to give tridge the benefit of the doubt here, but a note on what you said: I don't think you should ever patch a CVE "as quickly as possible". You should do it slowly, be very sure of the change, and test the hell out of it. You can easily introduce a new security vulnerability by rushing something like that.

[blurbleblurble]

Good point. I just can't imagine the urgency and pressure I'd feel.

[threecheese]

Looks like at least one of these issues was from a CVE [0], they don’t call out Mythos specifically though (“security researchers”). Many teams are sprinting on security issues atm (including mine, who put all product priorities aside two sprints ago), it must suck to be responsible for high-visibility/high-risk projects like rsync right now.

0: https://github.com/advisories/GHSA-pfv9-gp3h-73xv