4 comments

  • tosti49 minutes ago
    Who the F* runs a minimizer on friggin C sources? And it&#x27;s inconsistent too.<p>Security-related code should be readable and auditable.
    • Arch-TK21 minutes ago
      &gt; inconsistent<p>I have a strong feeling that this person just likes this as a style and enforces it by hand…
  • SwellJoe1 hour ago
    I don&#x27;t think I&#x27;m ready to trust very security sensitive functions to pure vibe-coded software, and that&#x27;s what this <i>seems</i> to be? Certainly the README is authored by an LLM, and there&#x27;s a gazillion empty commits and other weirdness that indicates no human is in the loop. It looks like a loop engineered this software.<p>Models have gotten good, but c&#x27;mon. Good idea, maybe even a good implementation, but I don&#x27;t have confidence in it, and you&#x27;ve got to have confidence in a project that claims to provide security.<p>Also, even the best models still regularly write C security bugs. It doesn&#x27;t make sense to have a model write C code when having it write in a memory safe language is only slightly more effort&#x2F;cost.
    • gchamonlive1 hour ago
      How you type is a poor proxy for code quality. Code quality is a good proxy for code quality. Inspect the code, build a verification pipeline for it, use agents to explore the code and the architecture, see if you can unearth anything fowl.
      • SwellJoe46 minutes ago
        I&#x27;m not judging based on how they type. I can&#x27;t see how they type, they vibed the README.<p>And, it&#x27;s not my monkey. You can inspect the code, build a verification pipeline for it, use agents to explore the architecture and see if you can unearth anything fowl.<p>My heuristic is to dismiss purely vibe-coded apps from people I don&#x27;t know, particularly for security sensitive stuff. If the README is written by a human and is coherent and exhibits some kind of desire and competence to make good software on the part of the author, I&#x27;m more likely to trust they drove their agents with care.<p>Here&#x27;s the thing: you can make good software with agents, if you exhibit good judgement and put yourself in the path as a gate on quality. Too many clues point at this being loop engineering. And, C for this task, given 100% agent authorship, gives me the ick. Seems like bad judgement or opting out of making judgement calls.
        • gchamonlive29 minutes ago
          Took a look at the readme and seems coherent enough. A readme is also a technical entrypoint, no problem in parts of it being generated, specially if you have quick start, tables and loose documentation there you need updating.
      • zamadatix47 minutes ago
        How big a video file is a poor proxy for the encode, quality is a good proxy. The problem is finding the actual quality of a video file is a hell of a lot more work and resources than using a proxy to see if doing so is a good use of our resources. See if you can go the extra mile you described for a few hours&#x2F;dollars tonight and let us know what you find, it would be appreciated!
        • gchamonlive31 minutes ago
          I do for projects I have interest in running and for my own projects. For instance I had agro with <a href="https:&#x2F;&#x2F;github.com&#x2F;Mord3rca&#x2F;gamma-launcher" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;Mord3rca&#x2F;gamma-launcher</a> so I pulled my trusted agent, hammered the code with architectural and static analysis and made it my own here <a href="https:&#x2F;&#x2F;gitlab.com&#x2F;gabriel.chamon&#x2F;yagi" rel="nofollow">https:&#x2F;&#x2F;gitlab.com&#x2F;gabriel.chamon&#x2F;yagi</a>
      • yjftsjthsd-h48 minutes ago
        It&#x27;s not &quot;how you type&quot;, it&#x27;s &quot;whether any human so much as laid eyes on the code&quot;. I wouldn&#x27;t automatically discard code from an LLM, but let&#x27;s put the goalposts where they actually are.
        • gchamonlive31 minutes ago
          How do you know nobody laid eyes on the code in the project?
          • SwellJoe8 minutes ago
            Have you look at the commits? A bunch of empty ones (seemingly all empty ones, though there must be some real ones in there somewhere). It&#x27;s a bizarre looking repo. I don&#x27;t even know how you make a repo look like that, but it certainly doesn&#x27;t allow tracing of what code was added when and why.<p>It looks suspicious, even if it isn&#x27;t. All those empty commits look like an intentional obfuscation of <i>something</i>, though I have no idea what.
  • abtinf1 hour ago
    Setting aside that this seems to be pure slop, what’s with all the empty commits?
  • Kaxo1 hour ago
    The seccomp-BPF rules seem almost unusably strict. What is this even designed to be used to run?
    • gwerbin1 hour ago
      It says on their Github profile that they are building some kind of nowhere detection product. Maybe in that context, a very strict syscall allowlist is useful or good?<p>&gt; It is designed for CI pipelines, CTF jail challenges, and lightweight code evaluation<p>Looking at the list, it seems pretty good for that. What does a CI runner that just needs to run GCC or whatever really need?<p>Edit: no open does seem restrictive. Not that it&#x27;s bad security (not my area of expertise), but how many useful programs use open that are just off limits here?
    • iririririr47 minutes ago
      allowing individual syscall is the sandbox standard today on BSDs and optin on linux. project have some issues but being too restrictive is not one