Comment by blurbleblurble

1 day ago

Maybe he got notified from the mythos team of a bunch of vulnerabilities and then followed up using claude. Doesn't seem that unlikely.

What would you do if suddenly there were a dozen exploitable CVEs in your highly used open source project staring you down? Maybe you'd use the tool that found them to patch them as quickly as possible.

Looks like at least one of these issues was from a CVE [0], they don’t call out Mythos specifically though (“security researchers”). Many teams are sprinting on security issues atm (including mine, who put all product priorities aside two sprints ago), it must suck to be responsible for high-visibility/high-risk projects like rsync right now.

0: https://github.com/advisories/GHSA-pfv9-gp3h-73xv

I am absolutely willing to give tridge the benefit of the doubt here, but a note on what you said: I don't think you should ever patch a CVE "as quickly as possible". You should do it slowly, be very sure of the change, and test the hell out of it. You can easily introduce a new security vulnerability by rushing something like that.