Comment by theamk

I'd say "discovered by a single dev" is not just mere chance, but system working as designed.

- Everyone was getting the same package, so one person could warn others

- There were well-established procedures for code updates (Andres Freund _knew_ that xz was recently updated, and could go back and forth in previous versions)

- There was access to all steps of the process - git repo with commit history, binary releases, build scripts, extensive version info

None of this is true for LLMs (and only some of this is true for curl|bash, sometimes) - it's a opaque binary service for which you have no version info, no history, and everyone gets a highly customized output. Moreover, there has been documented examples of LLM giving flawed code with security issues and (unlike debian!) everyone basically says "that person got unlucky, this won't happen to me" and keeps using the very same version.

So please don't compare traditional large open-source projects with LLMs - their risk profiles are very different, and LLM's are a way more dangerous.