Whatever you do, don’t congratulate yourself too much.
Or berate yourself either.
Your choices are half chance.
So are everybody else’s.

~ Baz Luhrmann

xkcd #612

…move fast and break things?

To be fair, they’ve been doing mobile surveillance for a long time.

You take that back.

OK, sure, but again the claim was:

there is no problem in keeping code quality while using AI

Whether or not human-written code also requires review is outside the context of this discussion, and entirely irrelevant.

OK, sure, but again the claim was:

there is no problem in keeping code quality while using AI

Whether or not human-written code also requires review is outside the context of this discussion, and entirely irrelevant.

Oh, it’s not, the difference is that the SVG is an unexpected delivery vector.

The script on a website might change over time, might be blocked by an extension like uBlock origin that prevents sections of web code from loading in the first place. You can block a website’s JS with an extension that specifically does that, like jshelter. A malicious SVG is static, the malicious code is malicious forever and is embedded in the file. A browser extension can’t selectively block pieces of the file from loading.

Script blocking extensions prevent web page code from loading, but they don’t prevent the application from executing JS. If you open an SVG, the file is downloaded locally (it’s not web code) and the JS in the file will execute locally, with the same permissions and file system access as the user opening the file.

Yup.

There’s always value in understanding risk, and in limiting it.

the security risks associated with JavaScript are not typically seen as significant since your filesystem is not accessible and most any other vulnerable data isn’t either for that matter

heh, heh… ha ha ha…

go on mate, pull the other one!

Rowhammer is unfixable, by the way, until someone invents a replacement for DRAM.

Yes, actually I use jshelter to block script and selectively allow it per website.

YSK: SVG files are a security risk. Be careful where you get them from and how you handle them.

Basically, an SVG can contain JavaScript. If you open an SVG in an application that can interpret the JS (e.g. a web browser) then the script will execute (just as with a malicious PDF), at which point it could download other files (malware) or perform any other function that the application has access to (creating, editing or deleting files on the hard drive) because you gave it permission to do that by opening the SVG. Effectively opening an SVG in a JS-capable application is the same as allowing a stranger to run arbitrary code on your computer. You might as well go around the Internet wearing a “please hack me” sign.

Downloading an SVG to your hard drive directly should be relatively safe, and opening it in a graphics program that does not execute JavaScript should have no risk, but viewing random SVGs in a web browser is a real hazard.

I’m sorry, what exactly do you think this conversation is about if not using AI for code generation?

No, I want worker protections, regulatory enforcement, and broad public distrust of the exploitative owner class who are using AI to extract more wealth while destroying the environment we all live in.

Patronizing “AI” systems is collaboration with the worst garbage of the human race, the robber barons who are comfortable killing people for quarterly profits.

People like Peter Theil, Elon Musk and Sam Altman.

So don’t accept code that is shit. Have decent PR process. Accountability is still on human.

If this is necessary then there is, in point of fact, a “problem in keeping code quality while using AI”.

Every person in every industry in a rush to replace the work of creative people with output from machine learning models can fuck right off.

Every consumer who is content with products made by such people can also fuck right off.

there is no problem in keeping code quality while using AI

This opinion is contradicted by basically everyone who has attempted to use models to generate useful code which must interface with existing codebases. There are always quality issues, it must always be reviewed for functional errors, it rarely interoperates with existing code correctly, and it might just delete your production database no matter how careful you try to be.

You’re right, there’s a lot more delusional people with money riding on this line going up.

Wait, which ones?

Are we literally at the “Thank me for abusing you” stage?

Wow.