by 7e 8 days ago
Companies like Anthropic and OpenAI need to sponsor open source projects by giving them free agent credits. Otherwise, bad actors can just outspend and totally overwhelm the somewhat dim and very overworked set of human maintainers. Humans in software are obsolete, full stop.
2 comments

Both already do that. The AUR stuff is more of a policy issue and unmatched expectations, unrelated to LLMs imo
> The AUR stuff is more of a policy issue

Yes. This has happened before, a few times, before LLMs were even a thing. Via the same mechanism as well (someone else adopting an orphaned package). The big one I'm remembering was in 2018.

Outside of that mechanism though, anyone who uses the AUR regularly knowingly accepts this kind of risk. It's why I'm not a huge fan of distros (like Cachy, Endeavour, etc) that take Arch and package it up in a one-click easy installer with preinstalled AUR helpers. Cachy even uses the Chaotic AUR too (auto build service for AUR packages to serve binaries). I like CachyOS, but good lord don't put in Yay + the AUR by default.

The ability for any registered user to just adopt an existing orphaned package is a problem (these attacks will always exist, but at least force a fork & resubmission under a different name), and so is the use of automated AUR helpers that don't show PKGBUILD diffs.

The hygiene required to use the AUR is no different than the hygiene required to use pip, npm, cargo, etc. Anyone just blindly trusting user submitted packages and code from the internet is not operating with security in mind.

Adopt a policy of zero trust from any arbitrary code you download from the internet.

For what it's worth with regard to the Chaotic AUR, there are claims I've seen that they do vet package updates going into it before they're actually built.
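The review step the comment above says AUR helpers skip, as an added example that is not part of the thread or of any AUR helper: a POSIX sh gate that keeps a copy of the last human-reviewed PKGBUILD and .SRCINFO, prints a diff when the checkout differs, and returns non-zero so a build wrapper can refuse to run makepkg until the change has been read. The store path under `~/.cache/aur-review` and the two function names are this example's own assumptions.

```sh
#!/bin/sh
# Gate an AUR build on a human review of build-script changes.
# aur_review_gate <pkgdir> [store]   -> 0: PKGBUILD/.SRCINFO match last reviewed copy
#                                     -> 1: never reviewed or changed (diff printed to stderr)
# aur_mark_reviewed <pkgdir> [store] -> record the current files as reviewed
# Typical wrapper: aur_review_gate "$d" && (cd "$d" && makepkg -si)

default_store() {
    printf '%s\n' "${XDG_CACHE_HOME:-$HOME/.cache}/aur-review"   # assumed location
}

aur_review_gate() {
    pkgdir=$1
    store=${2:-$(default_store)}
    name=$(basename "$pkgdir")
    rc=0
    for f in PKGBUILD .SRCINFO; do
        cur="$pkgdir/$f"
        [ -e "$cur" ] || continue            # .SRCINFO is optional in a local checkout
        seen="$store/$name/$f"
        if [ ! -e "$seen" ]; then
            printf '%s: %s has never been reviewed\n' "$name" "$f" >&2
            rc=1
        elif ! cmp -s "$seen" "$cur"; then
            printf '%s: %s changed since last review:\n' "$name" "$f" >&2
            diff -u "$seen" "$cur" >&2 || true   # diff exits 1 on difference; that is expected
            rc=1
        fi
    done
    return "$rc"
}

aur_mark_reviewed() {
    pkgdir=$1
    store=${2:-$(default_store)}
    name=$(basename "$pkgdir")
    mkdir -p "$store/$name"
    for f in PKGBUILD .SRCINFO; do
        if [ -e "$pkgdir/$f" ]; then
            cp "$pkgdir/$f" "$store/$name/$f"
        fi
    done
    return 0
}
```

Re-adopted or freshly updated packages show up as a diff against the copy you last read, which is exactly the step a helper that builds straight from the AUR git checkout leaves out.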
Well, both give you 6 months of access. Out of interest I applied some time ago and (despite maintaining a few fairly important OSS projects) never got a response from them. Of the other maintainers I know, it seems to me that they decide who to give access to fairly randomly.
Wonder how dependent it is on social following.
lol

They're already running at a significant loss. Giving out more free stuff isn't going to help.

What they really need to do is charge what it actually costs them. That will slow down the abuse a little.

That will also make it entirely unfeasible for anyone to use their services. The cost of the tokens you could burn on a $200 plan is in the neighborhood of $1200. They're getting users now and gambling on the cost of compute (or the difficulty of compute) dropping precipitously before they run out of cash.
Absolutely agree.

I think what will happen is you'll get 3 or 4 "tiers" of AI.

Tier 1: Big corpos, governments and sovereign wealth institutions. Top of the line and dangerous AI, very likely to be abused and used to enrich the already powerful.

Tier 2: Enterprise level AI. Rich local gov and rich individuals might have these. Maybe also SaaS providers will tap into this. Functional but not really smart like Tier 1.

Tier 3: Community AI. Small business etc will use this. Basically automated orchestration.

Tier 4: Home AI.

I think this is where we're headed. And this is of course after the bubble pops and we get an economic crash because of the popping. (Other events going on in the world and various economies and political scenes.)