by baliex 21 days ago
I 100% agree with the "please don't fuck up this stable & reliable workhorse" sentiment.

I haven't read this in detail but "Six CVEs are fixed in this release. All six are assigned by VulnCheck as CNA. Affected versions are 3.4.2 and earlier in every case." seems like a pretty solid answer to the "why".

https://download.samba.org/pub/rsync/NEWS#3.4.3

But there have been security fixes in most releases of rsync!

Even then, why would a security fix be some kind of strike against AI? We've all seen LLMs being used to tease out the most serious and obscure bugs in C codebases. I'd expect to see a lot of security fixes for an ancient, well-used codebase when an LLM analyses it.

Where is the slop commit here? And why is that commit evidence that tridge has lost his mind to the machine? https://github.com/RsyncProject/rsync/commits/master/

The part you're missing is that those "fixes" broke a lot of existing functionality.
Bugs are bugs and need fixing. How dense can people get.
Regressions are bad and need to not happen.
Regressions are bad and they should be avoided. Still, software engineering is a complex thing and regressions happened a long time before coding agents were a thing. Unless one can pinpoint a regression to changes that were more sloppy than the human-written rsync commits were, I don't think coding agents are to blame.
Seems like it's not that coding agents are to blame, it's that the people who are ultimately responsible for committing and merging the offending code are to blame, regardless of its origin.
Would you hold off on fixing a security vulnerability if it caused a limited regression?

Regressions should be fixed expediently, but if you apply the criteria "need to not happen" they are literally blocking issues. They could then block security fixes.

Which part of security fixing demands thoughtless generation of code slop without regression testing though?

I worked on major OSS projects and we never just blindly pushed out untested poor quality code for security fixes since that adds WORSE security regressions.

Parent is agreeing with you.