Comment by itake

12 hours ago

Ideally, the software produced should include the latest security patches.

If the model prefers a version of Ruby or Node with an RCE, I guess you can burn tokens to teach the model how to avoid introducing the vulnerability into your code?

That feels quite tedious and token inefficient...

I'm sorry, but... are you being serious?

Yes. Yes. The only way one can write secure software is by always using the latest SOTA model. Anything else is inefficient and vulnerable.

I hate this platform

  • https://news.ycombinator.com/item?id=46809708

    Maybe you missed this article, but Vercel found it quite annoying to teach AI about the latest updates in the React framework.

    I think you’re confusing my point. I’m not saying that only SOTA models can write secure software, I’m saying that the models produced today will write software that’s considered insecure by 2034 standards, thus you would need to burn more tokens in AGENTS.md or burn more of your time hand-writing code.

    For example, you’re more than welcome to run Windows ME if it does everything you need it to, but that doesn’t mean Windows ME is a secure environment.

    • Another solution might also be to stop reinventing the wheel every few years. New languages aren't producing better software. But people keep churning new languages out, and they become popular because humans have emotional attachment to inanimate things. If humans weren't so emotionally involved with the code, AI could happily produce C/C++ software indefinitely. (And if we could kick our dependence on the fucking browser for an application platform, we wouldn't need the horror that is the JavaScript ecosystem)