TechLich

joined 2 years ago
[–] TechLich@lemmy.world 1 points 10 hours ago (1 children)

They don't need to have one.

You can report it here: https://cveform.mitre.org/

Use the CNA-LR since I don't think they have a CNA.

You were probably trying to do the right thing disclosing, just know that there is a better process for it (even if you think the devs are asshats, it's good to do it like that for the community who aren't).

Even if it only affects admins, that includes admins of forks etc.

I'm sure there's probably more vulnerabilities to find.

[–] TechLich@lemmy.world 3 points 10 hours ago (1 children)

This, assumes the vendor acts in good faith

Responsible disclosure does not assume the vendor acts in good faith. Usually the disclosure period is around 90 days before the vulnerability is released, fixed or not (although this is negotiable with a good faith vendor).

Forks etc. could have been informed privately first too if possible.

amateurs now have access to tools they should not, and WILL forgo proper standardized communication channels to disclose issues

This is not a good argument. Undisclosed zero days in the wild have always been part of the threat model. Amateurs with LLMs or not, a large percentage of vulnerabilities are not disclosed responsibly and are only fixed after damage has been done. Putting people and their personal information at risk because you want to make a point about the dangers of zero days (which everyone is already aware of) is woefully unethical.

Not everyone is privileged enough to afford security courses, and standardized education.

That doesn't mean we should abandon these things. The vendor can report the CVE too. Or anyone else with an interest in it. It doesn't have to be the untrained amateur grey hat asking Claude for vulns. A malicious threat actor exploiting a system doesn't report it either. The community benefits from skilled people handling things properly. Pretending that it doesn't because most people don't have those skills is silly.

[–] TechLich@lemmy.world 10 points 1 day ago (6 children)

Public disclosure is good, but responsible disclosure usually involves informing the dev first, giving them a period of time to push out a patch and then publicly disclosing for the community to learn from.

[–] TechLich@lemmy.world 9 points 1 day ago

If writing a lot of bash scripts, I really recommend shellcheck. It's a linter for bash that gives a lot of good advice and points out common issues/inefficiencies and errors. There's plugins for most editors or you can just run it in a terminal. I also like that it has good documentation that tells you why something might be wrong or inadvisable.

https://github.com/koalaman/shellcheck
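
As an added illustration (not from the comment above or from the shellcheck project), here are constructed cases of the defect shellcheck reports as SC2086, "Double quote to prevent globbing and word splitting", each unquoted function paired with its quoted counterpart; the function names and sample inputs are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original comment: constructed cases showing the
# class of bug shellcheck flags as SC2086. Each unquoted function has a quoted
# counterpart that behaves correctly on the same input.

# Word splitting: the unquoted expansion turns one argument into several.
count_words_unquoted() {
    set -- $1          # shellcheck: SC2086
    echo "$#"
}

count_words_quoted() {
    set -- "$1"
    echo "$#"
}

# Empty-variable test: with an empty $1, [ -f $1 ] becomes [ -f ], which is a
# non-empty-string test on "-f" and therefore succeeds, so the unquoted check
# reports an empty path as an existing regular file.
is_file_unquoted() {
    [ -f $1 ]          # shellcheck: SC2086
}

is_file_quoted() {
    [ -f "$1" ]
}

# Demo output when run directly (a constructed filename with a space).
echo "unquoted words: $(count_words_unquoted 'my file.txt')"   # 2
echo "quoted words:   $(count_words_quoted 'my file.txt')"     # 1
is_file_unquoted '' && echo 'unquoted: empty path looks like a file'
is_file_quoted ''   || echo 'quoted: empty path correctly rejected'
```

Running `shellcheck` on this file reports SC2086 on the two marked lines and nothing on their quoted counterparts.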

[–] TechLich@lemmy.world 1 points 2 days ago

Yeah. Wikipedia calls it "link aggregation" and the standard is IEEE 802.1AX which also calls it that and the protocol LACP. I think the real reason for so many names is that the standard wasn't developed until later so everyone built their own competing incompatible implementations with different names and it was a mess for years.

Linux implemented it with the Linux bonding driver and switch manufacturers made up their own proprietary extensions for it but the standard didn't become a thing until like 2000. Seems like "teaming" is one of the most popular names for it.

[–] TechLich@lemmy.world 0 points 2 days ago (2 children)

Why does this have so many names?

Some stuff calls it bonded, sometimes it's teamed, sometimes LAGed or aggregated or bundled or link channelled or ethertrunked or smartgrouped or Multi-link trunked etc. etc.

[–] TechLich@lemmy.world 2 points 8 months ago (1 children)

I want to know what the 3 minutes of mind blowing entertainment on Mel Croucher's Computer Fun Line was.

[–] TechLich@lemmy.world 14 points 8 months ago

Also "Thou mayest blame" and "Canst thou say"

Hurts my brain a little.

[–] TechLich@lemmy.world 2 points 9 months ago (1 children)

You could do this with logprobs. The language model itself has basically no real insight into its confidence but there's more that you can get out of the model besides just the text.

The problem is that those probabilities are really "how confident are you that this text should come next in this conversation" not "how confident are you that this text is true/accurate." It's a fundamental limitation at the moment I think.

[–] TechLich@lemmy.world 0 points 9 months ago (1 children)

I feel like this isn't quite true and is something I hear a lot of people say about AI. That it's good at following requirements and confirming and being a mechanical and logical robot because that's what computers are like and that's how it is in sci-fi.

In reality, it seems like that's what they're worst at. They're great at seeing patterns and creating ideas but terrible at following instructions or staying on task. As soon as something is a bit bigger than they can track context for, they'll get "creative" and if they see a pattern that they can complete, they will, even if it's not correct. I've had copilot start writing poetry in my code because there was a string it could complete.

Get it to make a pretty looking static web page with fancy css where it gets to make all the decisions? It does it fast.

Give it an actual, specific programming task in a full sized application with multiple interconnected pieces and strict requirements? It confidently breaks most of the requirements, and spits out garbage. If it can't hold the entire thing in its context, or if there's a lot of strict rules to follow, it'll struggle and forget what it's doing or why. Like a particularly bad human programmer would.

This is why AI is automating art and music and writing and not more mundane/logical/engineering tasks. Great at being creative and balls at following instructions for more than a few steps.

[–] TechLich@lemmy.world 2 points 9 months ago* (last edited 9 months ago) (1 children)

Yeah, I think quite a lot of people on Lemmy have similar social media habits (or lack of) to some degree. We also tend to associate with other people like us. Especially people in tech tend to talk to other tech people, or friends and family of tech people which is a limited demographic.

It's a very different perspective to most people. The average person on the train has vastly different media consumption and likely very different opinions.

There are a lot of people who consult LLMs in most aspects of their lives.

[–] TechLich@lemmy.world 2 points 9 months ago

Yeah, it's a shame because some of those OSM-based ones are really close to being perfect. It just seems like it's really difficult for the open source devs to reconcile OSM data with GTFS and timetables for some reason.

Often the "local app" is basically a proprietary wrapper around Google maps.


Apparently as a result of terrorism according to Data. Brexit 2 Northern Ireland edition coming soon?

Memory Alpha page
