Simon Willison’s Weblog: Daniel Stenberg’s note on AI assisted curl bug reports

Source URL: https://simonwillison.net/2025/Oct/2/curl/
Source: Simon Willison’s Weblog
Title: Daniel Stenberg’s note on AI assisted curl bug reports

Curl maintainer Daniel Stenberg on Mastodon:

Joshua Rogers sent us a massive list of potential issues in #curl that he found using his set of AI assisted tools. Code analyzer style nits all over. Mostly smaller bugs, but still bugs and there could be one or two actual security flaws in there. Actually truly awesome findings.
I have already landed 22(!) bugfixes thanks to this, and I have over twice that amount of issues left to go through. Wade through perhaps.
Credited “Reported in Joshua’s sarif data” if you want to look for yourself

I searched for is:pr sarif is:closed in the curl GitHub repository and found 55 completed PRs so far.
This is especially notable because Daniel has been outspoken about the deluge of junk AI-assisted reports on "security issues" that curl has received in the past. In May this year, concerning HackerOne:

We now ban every reporter INSTANTLY who submits reports we deem AI slop. A threshold has been reached. We are effectively being DDoSed. If we could, we would charge them for this waste of our time.

He also wrote about this in January 2024, where he included this note:

I do however suspect that if you just add an ever so tiny (intelligent) human check to the mix, the use and outcome of any such tools will become so much better. I suspect that will be true for a long time into the future as well.

This is yet another illustration of how much more interesting these tools are when experienced professionals use them to augment their existing skills.
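The findings Stenberg credits arrived as SARIF data, the interchange format most static analyzers emit, and his January 2024 point was that a small human check in the loop makes such output far more useful. The following is an added example, not code from Simon Willison's post, from Joshua Rogers's tools or from the curl project: a Python helper that applies the first, mechanical part of that check to a SARIF file before a maintainer reads it. It drops exact duplicate findings, sets aside results that carry no file and line (which a reviewer cannot verify without going back to the reporter) and orders the rest by severity. The tool name, rule ids, file paths and findings in SAMPLE_SARIF are constructed for the example and do not describe any real bug in curl.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for an analyzer's output.
# Rule ids, paths and messages are invented; they are not real curl findings.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "hypothetical-analyzer"}},
        "results": [
            {"ruleId": "null-deref", "level": "error",
             "message": {"text": "possible NULL dereference of 'data'"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "lib/example.c"},
                 "region": {"startLine": 120}}}]},
            {"ruleId": "unused-var", "level": "note",
             "message": {"text": "variable 'tmp' is assigned but never read"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "lib/example.c"},
                 "region": {"startLine": 44}}}]},
            # Exact duplicate of the first result, as analyzers often emit.
            {"ruleId": "null-deref", "level": "error",
             "message": {"text": "possible NULL dereference of 'data'"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "lib/example.c"},
                 "region": {"startLine": 120}}}]},
            # A result with no location: nothing a reviewer can open and check.
            {"ruleId": "int-overflow", "level": "warning",
             "message": {"text": "multiplication may overflow"},
             "locations": []},
        ],
    }],
})

# SARIF "level" values, most severe first; "none" is the spec's catch-all.
SEVERITY_ORDER = {"error": 0, "warning": 1, "note": 2, "none": 3}


def load_results(sarif_text):
    """Flatten the results of every run in a SARIF document into one list,
    tagging each with the name of the tool that produced it."""
    doc = json.loads(sarif_text)
    results = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            tagged = dict(result)
            tagged["_tool"] = tool
            results.append(tagged)
    return results


def fingerprint(result):
    """Return (ruleId, file, line) for the first usable physical location,
    or None when the result cannot be tied to a file and line."""
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri")
        line = phys.get("region", {}).get("startLine")
        if uri and line:
            return (result.get("ruleId"), uri, line)
    return None


def triage(sarif_text):
    """Deduplicate findings, separate the ones with no location, and sort
    the remainder by severity so a human reviewer starts at the top."""
    seen = set()
    unique, unlocated = [], []
    for result in load_results(sarif_text):
        fp = fingerprint(result)
        if fp is None:
            unlocated.append(result)
            continue
        if fp in seen:
            continue
        seen.add(fp)
        unique.append(result)
    unique.sort(key=lambda r: (SEVERITY_ORDER.get(r.get("level", "none"), 3),
                               fingerprint(r)))
    by_level = Counter(r.get("level", "none") for r in unique)
    return {"unique": unique, "unlocated": unlocated, "by_level": dict(by_level)}


if __name__ == "__main__":
    report = triage(SAMPLE_SARIF)
    print("findings by level:", report["by_level"])
    for r in report["unique"]:
        rule, uri, line = fingerprint(r)
        print(f"{r['level']:8} {uri}:{line} [{rule}] {r['message']['text']}")
    for r in report["unlocated"]:
        print(f"needs location before review: [{r['ruleId']}] {r['message']['text']}")
```

The script only removes noise a person should not have to spend time on; deciding whether an ordered, located finding is a real bug, let alone a security flaw, remains the human step the post argues for.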
Via Hacker News
Tags: curl, security, ai, generative-ai, llms, daniel-stenberg, ai-assisted-programming, ai-ethics


Summary: The text discusses Daniel Stenberg’s acknowledgment of AI-assisted bug reports submitted to the Curl project, highlighting both the potential benefits and challenges associated with the integration of AI tools in the software development process. It emphasizes the importance of human oversight to enhance the effectiveness of AI-generated outputs.

Detailed Description: The note from Daniel Stenberg reveals significant insights into the intersection of AI technology and software security, particularly in the context of bug tracking and reporting in the Curl project. Here are the key points:

– **AI Tools for Bug Reporting**: Joshua Rogers utilized AI-assisted tools to identify potential issues within the Curl codebase, resulting in a substantial list of findings, including minor bugs and potential security vulnerabilities.
– **Impact on Development**: Stenberg has already implemented 22 bug fixes based on these findings and recognizes that many more issues are pending, underscoring the productivity boosts afforded by AI-assisted programming.
– **Previous Challenges**: Stenberg shares past frustrations regarding the influx of low-quality AI-generated security reports that have overwhelmed their reporting mechanism. In response, he notes a policy to ban reporters who submit what they consider to be “AI slop.”
– **Importance of Human Oversight**: Stenberg advocates for the addition of human checks to the AI-assisted process, which he believes can significantly improve the quality of the outputs and mitigate the challenges previously faced.
– **Broader Implications for Security**: This case study exemplifies the potential benefits of generative AI in software security and development while also pointing to the need for careful handling and human intervention—a sentiment that would resonate with security and compliance professionals.

This scenario underscores the evolving nature of software security practices as they increasingly integrate AI technologies, alongside the need for governance and effective oversight to ensure quality and reliability in security-related outputs.