“Patching ~All Security-Relevant Open-Source Software?” by niplav
EA Forum Podcast (All audio) - A podcast by EA Forum Team

Summary: Patching all exploits in open-source software that forms the backbone of the internet would be hard on maintainers, less effective than thought, and expensive (Fermi estimate included, 5%/50%/95% cost ~$31 mio./~$1.9 bio./~$168 bio.). It's unclear who'll be willing to pay that.

Preventative measures discussed for averting an AI takeover attempt include hardening the software infrastructure of the world against attacks. The plan is to use lab-internal (specialized?) software engineering AI systems to submit patches to fix all findable security vulnerabilities in open-source software (think a vastly expanded and automated version of Project Zero, and likely to partner with companies developing internet-critical software (in the likes of Cisco & Huawei)).

I think that that plan is net-positive. I also think that it has some pretty glaring open problems (in ascending order of exigency): (1) Maintainer overload and response times, (2) hybrid hardware/software vulnerabilities, and (3) cost as [...]

---

Outline:
(01:16) Maintainer Overload
(01:49) Hybrid and Hardware Vulnerabilities
(02:59) Who Pays?

The original text contained 1 image which was described by AI.

---

First published: February 25th, 2025
Source: https://forum.effectivealtruism.org/posts/sh4zDoyQiwnAGCRd6/patching-all-security-relevant-open-source-software

---

Narrated by TYPE III AUDIO.