Hacker News new | ask | show | jobs
by asdfasgasdgasdg 2 hours ago
"it's just text on stdout"

There is an intent to cause harm and a reasonable expectation of achieving that intent. And at least if the github issues are to be believe, a successful actuation of the intent in at least a few cases.

The delivery mechanism is interesting for its novelty but I don't think it fundamentally changes how the library should be classified. Conditional malware, maybe?
2 comments
PunchyHamster 2 hours ago
I wouldn't consider lib deleting itself as malware. User is not entitled to code they ignored main repo's page and docs.

Tho not putting it in the license is stuff to criticise for sure, that's the place for it and it would make lib not open source.

link
asdfasgasdgasdg 2 hours ago
"I wouldn't consider lib deleting itself as malware"

At least according to the prompt, the library was attempting to delete not just itself, but all tests that depend on it. I do think if the prompt was solely scoped to removing the dependency on the library, it would be somewhat more defensible. Even better if he suggested an alternative!

link
vkou 2 hours ago
If a line of text like that can cause tangible harm, why are you pointing your LLM at unvetted code? As an engineer, you're downright negligent to do so.
link
asdfasgasdgasdg 2 hours ago
I think it is extremely rare to vet every single line of one's dependencies. Especially lines that are intentionally hidden from the terminal using escape sequences. Do you review the diffs of all projects you depend on to check for the injection of malware? If so, my hat is off to you and also how do you get anything else done?
link
vkou 1 hour ago
Then why are you letting a machine you don't understand perform side effects that you don't vet, based on it's insane interpretation of untrusted data?
link
asdfasgasdgasdg 1 hour ago
Sorry, I just don’t think this is a tenable or realistic way to approach dependencies in this day and age. If it works for you then I’m happy for you tho.
link
yjftsjthsd-h 38 minutes ago
> Then why are you letting a machine you don't understand perform side effects that you don't vet, based on it's insane interpretation of untrusted data?

I mean, you posted this using a browser, right?

link