this post was submitted on 28 Mar 2024
404 points (97.2% liked)

Technology

59197 readers
2706 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 130 points 7 months ago (3 children)

*bad Devs

Always look on the official repository. Not just to see if it exists, but also to make sure it isn't a fake/malicious one

[–] [email protected] 94 points 7 months ago* (last edited 7 months ago) (1 children)

*bad Devs

Or devs who don't give a shit. Most places have a lot of people who don't give a shit because the company does not give a shit about them either.

[–] [email protected] 40 points 7 months ago (2 children)

What's the diff between a bad dev and a dev that doesn't care? Either way, whether ist lack of skill or care, a bad dev is a bad dev at the end of the day.

[–] [email protected] 29 points 7 months ago (2 children)

I can be good at a trade, but if I'm working for a shit company with shit pay and shit treatment, they're not going to get my best work.

You get out what you put in, that's something employers don't realise.

[–] [email protected] 7 points 7 months ago* (last edited 7 months ago)

Nah they realize but all the laws are set to fuck us over not them. They just don’t care.

load more comments (1 replies)
[–] [email protected] 17 points 7 months ago (5 children)

The difference is whether the fault for the leak of your personal data rests with the worker who was incompetent, or the employer who didn't pay for proper secure software.

[–] [email protected] 4 points 7 months ago (1 children)

I say fault lies not with only one, but both.

[–] [email protected] 8 points 7 months ago

Depends on the case TBH. If devs barely have time and are constantly crunching due to mismanagement, or are extremely disengaged due to mismanagement, I wouldn't fault them.

Usually it's the lacking processes, though. There are ways to make sure this doesn't happen, and it doesn't depend on the individual, but always the organization.

load more comments (4 replies)
[–] [email protected] 26 points 7 months ago (7 children)

You'd be surprised how well someone who wants to can camouflage their package to look legit.

[–] [email protected] 7 points 7 months ago (1 children)

True. You can't always be 100% sure. But a quick check for download counts/version count can help. And while searching for it in the repo, you can see other similarly named packages and prevent getting hit by a typo squatter.

Despite, it's not just for security. What if the package you're installing has a big banner in the readme that says "Deprecated and full of security issues"? It's not a bad package per say, but still something you need to know

load more comments (6 replies)
[–] [email protected] 17 points 7 months ago

The official repositories often have no useful oversight either. At least once a year, you'll hear about a malicious package in npm or PyPI getting widespread enough to cause real havoc. Typosquatting runs rampant, and formerly reputable packages end up in the hands of scammers when their original devs try to find someone to hand them over to.

[–] [email protected] 51 points 7 months ago (4 children)

Can we fucking stop anthropomorphising software?

[–] [email protected] 76 points 7 months ago (41 children)

"Hallucinate" is the standard term used to explain the GenAI models coming up with untrue statements

[–] [email protected] 24 points 7 months ago* (last edited 7 months ago) (3 children)

in terms of communication utility, it's also a very accurate term.

when WE hallucinate, it's because our internal predictive models are flying off the rails filling in the blanks based on assumptions rather than referencing concrete sensory information and generating results that conflict with reality.

when AIs hallucinate, it's due to its predictive model generating results that do not align with reality because it instead flew off the rails presuming what was calculated to be likely to exist rather than referencing positively certain information.

it's the same song, but played on a different instrument.

[–] [email protected] 5 points 7 months ago (3 children)

when WE hallucinate, it's because our internal predictive models are flying off the rails filling in the blanks based on assumptions rather than referencing concrete sensory information and generating results that conflict with reality.

Is it really? You make it sound like this is a proven fact.

[–] [email protected] 4 points 7 months ago* (last edited 7 months ago) (4 children)

Is it really? You make it sound like this is a proven fact.

I believe that's where the scientific community is moving towards, based on watching this Kyle Hill video.

load more comments (4 replies)
load more comments (2 replies)
load more comments (2 replies)
load more comments (40 replies)
[–] [email protected] 12 points 7 months ago

No?

An anthropomorphic model of the software, wherein you can articulate things like "the software is making up packages", or "the software mistakenly thinks these packages ought to exist", is the right level of abstraction for usefully reasoning about software like this. Using that model, you can make predictions about what will happen when you run the software, and you can take actions that will lead to the outcomes you want occurring more often when you run the software.

If you try to explain what is going on without these concepts, you're left saying something like "the wrong token is being sampled because the probability of the right one is too low because of several thousand neural network weights being slightly off of where they would have to be to make the right one come out consistently". Which is true, but not useful.

The anthropomorphic approach suggests stuff like "yell at the software in all caps to only use python packages that really exist", and that sort of approach has been found to be effective in practice.

load more comments (2 replies)
[–] [email protected] 39 points 7 months ago (9 children)

I just want an LLM with a reasonable context window so we can actually write real working packages with it.

The demos look great, but it’s always just around 100 lines of code, which is beginner level. The only use case right now is fake packages.

[–] [email protected] 12 points 7 months ago* (last edited 7 months ago) (1 children)

Just use the AI Horde. iirc our standard is like 4K context and some people host up to 8K. Here's a frontend

load more comments (1 replies)
[–] [email protected] 3 points 7 months ago (1 children)
[–] [email protected] 5 points 7 months ago (2 children)

those are tokens not lines of code....

[–] [email protected] 6 points 7 months ago

??? The top lvl commenter wants an LLM with big context window and the other commenter responded with an LLM which has 200k token context window which is waaaaaay more than "100 lines of code".

load more comments (1 replies)
load more comments (7 replies)
[–] [email protected] 26 points 7 months ago (2 children)

One of the first things I noticed when I asked ChatGPT to write some terraform for me a year ago was that it uses modules that don't exist.

[–] [email protected] 11 points 7 months ago (2 children)

The same goes for Ruby. It just totally made up language features and gems that seemed to actually be from Python.

[–] [email protected] 6 points 7 months ago (3 children)

Not that it's a programming language, but it also makes up rules for 5e D&D if you ask to play a game.

load more comments (3 replies)
[–] [email protected] 3 points 7 months ago

It seems to shortcut implementations that require more than one block, and mimicks parameters from other functions.

[–] [email protected] 6 points 7 months ago

I have this problem with ChatGPT and Powershell. It keeps referencing functions that do not exist inside of modules and when I'm like "that function doesn't exist" its like "try reinstalling the module" and then I do and the function still isn't there so I ask it for maybe another way to do it, and it just goes back to the first suggestion and it goes around in circles. ChatGPT works great sometimes, but honestly I still have more success with stack overflow

[–] [email protected] 8 points 7 months ago (1 children)

This is the best summary I could come up with:


In-depth Several big businesses have published source code that incorporates a software package previously hallucinated by generative AI.

Not only that but someone, having spotted this reoccurring hallucination, had turned that made-up dependency into a real one, which was subsequently downloaded and installed thousands of times by developers as a result of the AI's bad advice, we've learned.

He created huggingface-cli in December after seeing it repeatedly hallucinated by generative AI; by February this year, Alibaba was referring to it in GraphTranslator's README instructions rather than the real Hugging Face CLI tool.

Last year, through security firm Vulcan Cyber, Lanyado published research detailing how one might pose a coding question to an AI model like ChatGPT and receive an answer that recommends the use of a software library, package, or framework that doesn't exist.

The willingness of AI models to confidently cite non-existent court cases is now well known and has caused no small amount of embarrassment among attorneys unaware of this tendency.

As Lanyado noted previously, a miscreant might use an AI-invented name for a malicious package uploaded to some repository in the hope others might download the malware.


The original article contains 1,143 words, the summary contains 190 words. Saved 83%. I'm a bot and I'm open source!

load more comments (1 replies)
[–] [email protected] 8 points 7 months ago

Yeah, had that on my very first attempt at using it.

It used a component that didn't exist. I called it out and it went "you are correct, that was removed in . Try this instead." and created an entirely new set of bogus components and functions. This cycle continued until I gave up. It knows what code looks like, and what the excuses look like and that's about it. There's zero understanding.

It's probably great if you're doing some common homework (Javascript Fibonacci sequence or something) or menial task, but for anything that might reach the edges of its "knowledge", it has no idea where those edges may lie so just bullshits.

[–] [email protected] 5 points 7 months ago

From the article...

hallucinated software packages – package names invented by generative AI models, presumably during project development

load more comments
view more: next ›