Not just a problem for open source, surely? The answer is to use AI to scan contributions for suspicious patterns, no?

The xz attack required years of patient work to build Jia Tan’s credibility through hundreds of legitimate patches. These [LLM] tools can now generate those patches automatically, creating convincing contribution histories across multiple projects at once.

I don't know, but maybe the current hype could have the opposite effect: if you try to flood many projects with AI-generated patches, you'll be marked as AI-slopper and blocked from the projects, rather than become a trusted contributor? (OK, assuming a nation-state-like powerful adversary, it can probably do the real job of checking the AI output diligently in order not to be detected as AI spamming, while still getting some advantage of it, unlike those hordes of need-famous-open-source-contribution-in-my-CV who just copypaste the first nonsense which came out of AI into a PR.)

There is only one solution that stands any chance of being effective: to bolster massively the support that open source maintainers receive.

Yeah good luck with that.

They need to be properly financed so as to enable them to create broad teams with the human and technical resources to spot and fight LLM attacks of the kind that will come.

Even more luck with that. Companies (and governments) typically take much MUCH more than they give. When they give, it's only because it's in their own interests. One could argue this is in their interest, but middle and upper managers deciding these things typically are shortsighted to the point where they won't be able to understand the threat, the required investment, and the gains.

The sums required are trivial compared to the trillions of dollars of value created by open source software, selfishly used without payment by governments and companies alike.

Basically what I just said. Investments versus gains is crazy yet most companies won't be able to see this as the only thing they care about is their own bottom line.

They are also tiny compared to the losses that would be incurred by those same governments and companies around the world if such LLM attacks succeed in subverting key software elements.

Most managers won't care about this, instead hoping this will happen only after they've left with their bonusses

What’s frustrating is that this problem has been raised time and time again, and yet little has been done to address it.

This. This is exactly the result of what I'm saying

The xz Utils hack should be the digital world’s final wake-up call to tackle this core vulnerability of the open source world before it is too late.

You'd think so, yeah.

What we need is government support. We need governments to step up and give financial support to open source developers. Again, won't happen because Microsoft gives nice enough contracts to governments to focus on just that single US provider who totally won't fuck us over when the US government wants it

This is a huge reason to support open source LLM development, and training projects to specialize them to cybersecurity.

There will be an ever growing divide between those who pay for the latest automated code review services and those who don't, unless the open source side keeps up.

Honestly this might be the most important open source AI application of all, and from what I can tell it seems to be falling behind.