IETF Logo Mail Archive

Re: AI slop "contributions" to IETF working groups

Jeffrey Walton <noloader@gmail.com> Tue, 10 February 2026 19:08 UTC

Return-Path: <noloader@gmail.com>
X-Original-To: ietf@mail2.ietf.org
Delivered-To: ietf@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id BE7C2B4E3039 for <ietf@mail2.ietf.org>; Tue, 10 Feb 2026 11:08:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yaI4_bw5nKVj for <ietf@mail2.ietf.org>; Tue, 10 Feb 2026 11:08:07 -0800 (PST)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 48FC4B4E301C for <ietf@ietf.org>; Tue, 10 Feb 2026 11:08:07 -0800 (PST)
Received: by mail-lj1-x229.google.com with SMTP id 38308e7fff4ca-382fd45a1feso1930321fa.0 for <ietf@ietf.org>; Tue, 10 Feb 2026 11:08:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1770750484; cv=none; d=google.com; s=arc-20240605; b=MInrsMSBkWx2oUqAs2WcNevOiEsBaSk6qHwQ7jgGjzDc8FwXfjAXo4UsGJs+NdJpHy F18sSiERkq56nSmC8orEZCxc0SArp9ko4Ared/5pVr5fCAl2+sHVVFMtMXlDPihTtITb qhTkcClQ1Fbp5mu0oSInahdHVDMzgklOTQyzfWguP8psooHoUYR38gWYNqWG9caB8MUr YhCK1N7dhSgIa2GSsWI/+RsV/2862bIv6Sgt/s5Rf5jW4hQKVZSTs3DRgkd7rMFQYhvD BX1XKSbJUGXF8KifsIhRJ61XZdf7akcDXyAevt0khvcgJ48NDL76qvvq4ht2yoVSBlAG zIgg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:dkim-signature; bh=tHTg9Uoe37xCpPf5JL4DXTF9oUnKSWVo/hFkLsYrsfk=; fh=pmyBeU0bjxtV3otRIM0wYGicomEjHaLflXXiUGySpPg=; b=REYVdzI0F0waVuyMnNFVCBE0mmjwdWn3tDdsaXNpI7i3SVS7EF/XQxEK+17fHPZomQ 0/UgJnY3eauW4HY3jd0+tnoGUpTsg76RWft2PzGYKKnjlqMR+K9FA86Gz4IHYbYNpp/t qz9A4uwHqCR9euwniAKVM5FyKBFqug6UBCOoEQIrB/Hd646F1Wwx+SLt6xS822Oe0BoZ 9nBFwut2nE0HGUJhTEJz5ivvI27yPr0IAG/N1mrOZI45w8Vs3CWbtFKaq3jNDJ3jTu00 X9jte21hNruxl/wHajBjR79YQBoa5hvGWDh788hHqw2DV2jEXmoxu4VcDl9EKP3oWG+b DRSA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770750484; x=1771355284; darn=ietf.org; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=tHTg9Uoe37xCpPf5JL4DXTF9oUnKSWVo/hFkLsYrsfk=; b=YsQf+8RVJif+cfLq4bhyrh19egtockwNUsQKY61QzXbRRl2OZ4kC07ZX6LL0h2VlkP Hiua9oSgxBCPZ7W6Ix+nkEnSx6p/oZWprq26Qrjg+CUXQkRrpjIr7s9qQ5UD/UYaCGVK 82u5e/uPmBjawLFG6TWSQsI/e8uybZUgEOqfr2S4eenMQpPngnNH3O6jxWl68MFFRcIS OWYfUu4rjogsA6xqHqPRwCNVjtQjeQrvNVMkcDIe73krQ4SMdF1voq/r2labz8Ez7uuT di0/MC9e0yiTLmIyLdpzU5ba2ePTOM/qyIo0bHKcLrIZD8OK25C1IIwhmVV2cyYfoKRn zH4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770750484; x=1771355284; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=tHTg9Uoe37xCpPf5JL4DXTF9oUnKSWVo/hFkLsYrsfk=; b=O2ecqOhHKBRg7z0YlAOdN2WDd02wUs5plBqhN63BHOGlVKCWc5KZMECFTh3AryrEsF qmQl+3Fi7OSaoYVXao1n6h+MOjtFP1QT7rrguvXzkogWJM7OoNKN3tDtjgmnP4IJx4jM pu6JiaDMUqjeo+yJsjxyMfQreVhOazo8qA2adNHR0zXrV4LKF6Ec53lW81RpLpH3lVNS 69HhtcLiLGEJ/k910gsafWHbqS58NvvnU3Yxj3rbHFPYZ/FCnxfT1YqD5BhthLunaUlp z4MSovEv2NI5zOR5vfpWVLSr4zDg7FU5zHTd/HNNEiXjtWGmLc3SHN3SpI1v4sBJBtyV iDjQ==
X-Gm-Message-State: AOJu0Yz9MjUv4Ip5LaqDlGnGFSPuiCbrrU7U7m04tKHhPmnxBlGUDI2l g6Cn4yr6H7LBfeclQYlNTSk6vRzLmNQ6HS+qc7XAqoG7K1ld5MBotQE6OWYBJd1ebGmwThEnTYZ 3s5QAp021mKt0bTStR/+4bTCtwqvpwVw/bt06
X-Gm-Gg: AZuq6aKK4+ArW9OAj5IXvDFTiUvSUmg7FzZJXVOEwvCgvDZjRm9gHKeBctJFuA0b0iz gVAKCE2scd0xWz44dQWgnXqQiiN5c/g7Z1obq8KPtpHvmWASO60O9RWkC1RngSS60HhN2er9Urf P7mxt108YV6BMMdr2n1hCgW5BwEvcz0jkwNnvoBubLB8oNEUngP2jhQ9YYciOzYaMrp5+5lMlmU F+o7+43Dn+V29WRZLodIWJapCB1JtPDNehM60UElMo0TO+/5uXtUa23xh/zjdCN4doRnkrpNrcz Rjdmh/MwRuM7JY704e+3DQkgZUQSOf7tpuWWlAnd0iUhqfoFkxxjFz0+F6hUkeNk6iQ=
X-Received: by 2002:a05:651c:220a:b0:383:5ba4:fac9 with SMTP id 38308e7fff4ca-386ee62a169mr12675591fa.15.1770750483918; Tue, 10 Feb 2026 11:08:03 -0800 (PST)
MIME-Version: 1.0
References: <7b702e8f-d2be-5b08-e262-33fbed538f98@foobar.org> <460BCE12-4C45-45D0-94C8-83B8E2D45049@gmail.com> <922b6d08-1cb5-4791-974f-ff17850de25f@gmail.com> <5DCE2993-39C8-4FAC-AD91-7B8E504E996C@gmail.com> <20260208015537.8D945F5944ED@ary.qy> <cd492277-0bca-4219-a3ad-eb75ccd2ebe7@gmail.com> <m27bsk6d9c.fsf@ja.int.chopps.org> <d5bccc8e-f013-c3e5-09cc-30913983b2f0@foobar.org> <b94b3e13-ebc9-4fb1-932f-89b05c2ce3ec@joelhalpern.com> <28670ac9-159c-4830-afe7-c5df4ce354da@htt-consult.com> <CAMm+LwiDfNb1j3khkWCik8ZTziyzOFFyqEZqbVX_F9DStwx9yQ@mail.gmail.com>
In-Reply-To: <CAMm+LwiDfNb1j3khkWCik8ZTziyzOFFyqEZqbVX_F9DStwx9yQ@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
Date: Tue, 10 Feb 2026 14:07:26 -0500
X-Gm-Features: AZwV_Qjn59SOUZLwlrfoBHVTkwfB8kwD6cCuOrl5eaZJdd1mNdWBziwAWL_w3Bs
Message-ID: <CAH8yC8knKz5a=i90tJ69ghoiQ_CaeT0CYkTtB-LSTsUSC9tsEw@mail.gmail.com>
Subject: Re: AI slop "contributions" to IETF working groups
To: ietf@ietf.org
Content-Type: multipart/alternative; boundary="000000000000947411064a7cf9db"
Message-ID-Hash: MSPBKQKKXDFKMN47XCW7F4CYH74KTGQJ
X-Message-ID-Hash: MSPBKQKKXDFKMN47XCW7F4CYH74KTGQJ
X-MailFrom: noloader@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ietf.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Robert Moskowitz <rgm-ietf=40htt-consult.com@dmarc.ietf.org>, Phillip Hallam-Baker <phill@hallambaker.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Reply-To: noloader@gmail.com
List-Id: "IETF-Discussion. This is the most general IETF mailing list, intended for discussion of technical, procedural, operational, and other topics for which no dedicated mailing lists exist." <ietf.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/lXLRbQNUztt6EfTZHj0HMM2SF3M>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Owner: <mailto:ietf-owner@ietf.org>
List-Post: <mailto:ietf@ietf.org>
List-Subscribe: <mailto:ietf-join@ietf.org>
List-Unsubscribe: <mailto:ietf-leave@ietf.org>

On Tue, Feb 10, 2026 at 1:36 PM Phillip Hallam-Baker <phill@hallambaker.com>
wrote:

> How is using an AI different from using fuzzing though?
>
> One of the most effective hacking tools is to simply spam the inputs with
> garbage and see what happens. So it isn't exactly surprising that when
> people write code in unsafe languages without null pointer and array bounds
> checking, they can discover low hanging fruit vulnerabilities faster than
> others.
>
> What such testing doesn't show is that the code is secure because AI
> generated tests aren't exhaustive. Just as 'write slop, check it by
> fuzzing' isn't a valid method for producing secure code, neither is 'check
> with AI'.
>

A dangerous (?) trend I am seeing at $dayjob... We perform static scans on
an app's code base, and dynamic scans on a running application in a test
environment.  A tool produces a finding that triggers a code review.  The
dev team will often say the finding is a false positive because "<favorite
AI tool> says it is Ok."

I like to remind the dev teams that Edsger Dijkstra's observation still
holds.  AI tools can be used to confirm the presence of a bug, not the
absence of them.

I feel AI tools would be much more useful during development if they
produced boatloads of negative test cases that attempted to break the
application.  Since AI is supposed to be smart, it should be easy for it to
create the boundary test cases that developers often miss.

Which brings up another interesting question: should AI be allowed to write
the code and the test cases?  Would that violate separation of duties?

Jeff

v2.43.4 | Report a Bug | By Email | System Status