Fake AI reports drive open source developers crazy


Not only is artificial intelligence flooding social media with garbage, but it is also apparently affecting the open source community. And just as fact-checking tools like X’s Community Notes are trying to refute the flood of false information, open source project contributors are lamenting the time spent evaluating and debunking bug reports generated by AI code generation tools.

Today, The Register reported on this concern expressed by Seth Larson in a recent blog post. Larson is a security developer at the Python Software Foundation who claims to have noticed an increase in the number of “extremely low quality, spammy, and LLM hallucinations about the security of open source projects.”

“These reports seem potentially legitimate at first glance, and therefore take time to refute,” Larson added. This could become a big problem for open source projects (e.g., Python, WordPress, Android) that power much of the Internet, as they are often maintained by small groups of unpaid contributors. Legitimate bugs in ubiquitous code libraries can be dangerous because they can have such a wide impact if exploited. Larson said he only sees a relatively small number of AI-generated bug reports, but that the number is growing.

Another developer, Daniel Stenberg, accused the author of a bug report of wasting his time with a report he believed was generated by AI:

You sent what appears to be an obvious AI-generated “report” claiming that there is a security issue, probably because the AI tricked you into believing it. You then waste our time by not telling us that the AI did it for you, and continue the discussion with even more nonsensical answers that appear to have also been generated by the AI.

Code generation is becoming an increasingly popular use of large language models, although many developers are still unsure how useful these tools really are. Programs such as GitHub Copilot or ChatGPT’s own code generator can be quite effective for creating scaffolding code, the basic code that starts any project. They can also be useful for finding features in a programming library that a developer may not be familiar with, allowing developers to quickly find small pieces of code they may need.

But, as with any other language model, they will hallucinate and produce incorrect code or only partial snippets. They don’t “understand” code – they’re just probabilistic machines that guess what you need based on what they’ve seen before. To create a complete project, developers still need a fundamental understanding of the programming language they are working with, so that they can debug problems, know what they are trying to build, and see how all the independent pieces of code relate to each other. This is why experts in the field say that these tools will have the greatest impact on younger developers. Simple applications that can be created using artificial intelligence alone have probably already been created before.

Platforms such as HackerOne offer rewards for successful bug reports, which may encourage some people to ask ChatGPT to look for bugs in the code and then submit the erroneous output that the LLM returns.

Spam has always existed on the Internet, but thanks to artificial intelligence, it is much easier to generate. It is quite possible that we will find ourselves in a situation where we will need more technology to fight it, such as CAPTCHAs for login screens. An unfortunate situation and a big waste of time for everyone.

 
