Comment by amiga386
2 years ago
Fundamentally:
1. the packages being worked on by Debian et al have a huge pile of infrastructure so that their development happens collaboratively and in the open, with many eyes watching
2. everyone gets the same packages
3. they have their own security teams to _ensure_ everyone is getting the same packages, i.e. that their download servers and checksums haven't been compromised
4. the project has been been working since 1993 to ensure their update system, and the system delivered by those updates, works as expected. If it doesn't, there are IRC channels, mailing lists, bug trackers and a pile of humans to discuss issues with, and if they agree it's a bug, they can fix it for everyone
It's not to say it's impossible to sneak an attack past a project dedicated to stopping such attacks, but it's so much more work compared to attacking someone who executes whatever a remote endpoint tells them
There have been many documented cases of supply chain attacks of various degrees of sophistication. Some of them successful, some of them almost successful. May I remind you of the recent xz vulnerability was discovered by a single dev by mere chance.
As an end user it is nearly impossible to guard against such an attack.
It can be problematic to run something like `curl foo.com | bash` without inspection of the script first. But even here it makes a difference if you are curling from a project like brew.sh that delivers such script from a TLS protected endpoint or some random script you find somewhere in a gist.
Same goes for output from an LLM. You can simply investigate the generated command before executing it. Another strategy might be to only generate the parameters and just pass those to the ffmpeg executable.
> Same goes for output from an LLM
This is the crux of our disagreement. It does not go the same. You have no idea what the LLM is going to write, neither does the LLM, nor the people who created the LLM.
At no point did the people who created the LLM actually think about your use-case, nor did the LLM, and there is no promise of anything you ask getting a correct, or even consistent answer. The creators don't know how the answers got there, and can't easily fix them if they're wrong. You'd be a fool to trust it for anything other than dog and pony shows.
> This is the crux of our disagreement.
No it's not.
There is an observable and testable probability that an LLMs output is correct or false. There is an observable and testable probability that code created by humans is erroneous.
There is a third category where human code is malicious. You will need to guard against all three cases. Guarding against a possibly faulty LLM output that is passed to ffmpeg is significantly easier to realise through defensive prompting and simple sanitization techniques, than to protect against a malicious state actor that is capable of crafting sophisticated supply chain attacks that took years to develop and roll out (again see the xz backdoor).
The idea that you can blindly trust an open source project just because "their development happens collaboratively and in the open" is naive. Some open source projects people are building their whole infrastructure on are maintained by a single developer in their spare time. The attack surface is huge and has been exploited time and time again. Just because a project like Debian has signed packages and a security team doesn't guarantee that the underlying code doesn't have some malicious backdoor or some grave bug that creates a big attack surface.
1 reply →
I'd say "discovered by a single dev" is not just mere chance, but system working as designed.
- Everyone was getting the same package, so one person could warn others
- There were well-established procedures for code updates (Andres Freund _knew_ that xz was recently updated, and could go back and forth in previous versions)
- There was access to all steps of the process - git repo with commit history, binary releases, build scripts, extensive version info
None of this is true for LLMs (and only some of this is true for curl|bash, sometimes) - it's a opaque binary service for which you have no version info, no history, and everyone gets a highly customized output. Moreover, there has been documented examples of LLM giving flawed code with security issues and (unlike debian!) everyone basically says "that person got unlucky, this won't happen to me" and keeps using the very same version.
So please don't compare traditional large open-source projects with LLMs - their risk profiles are very different, and LLM's are a way more dangerous.