On 23. 5. 26 10:48, Daniel Sahlberg wrote:
On Sat 23 May 2026 at 10:34, Branko Čibej <[email protected]> wrote:
On 23. 5. 26 10:04, orbisai0security (via GitHub) wrote:
orbisai0security commented on PR #36:
URL: https://github.com/apache/subversion/pull/36#issuecomment-4524721722
Thanks, both points make sense.
I agree the patch should be split. The `assert` → explicit exception changes are independent from the file-mode change, and I’m happy to keep those as a separate cleanup if you think they’re worth committing.
On the file-permission hardening: fair point about `~/.subversion/auth` already being created as `0700` by `ensure_authdirs()`. Given that, I agree this should not be presented as a security bug in the normal/default threat model. At most, creating the temp file as `0600` would be defence-in-depth for unusual/manual configurations where the directory permissions have been loosened, but that does not seem like something Subversion needs to treat as a vulnerability.
I’ll rework this accordingly: separate the `assert` → `raise` cleanup from the file-mode change, and I’m fine dropping the file-mode part if maintainers don’t think it is useful. Is that okay?
Such a serious conversation with an AI agent that, having
**completely** missed the point the first time – that it did not
in fact find a vulnerability – now simulates nodding wisely and
agreeing to redo the patch. Even though what remains of it is
reduced to using exceptions instead of asserts, which hardly makes
any semantic difference.
Blech. Tell me again how this helps, when two people had to spend
time reviewing and pointing out beginners' mistakes?
Do you have a suggestion how we should handle this? My very first
point in the discussion on dev@apr was to call out orbisai0security
for submitting AI slop but that won't stop them coming. I believe the
ongoing discussion within the Airflow project of an AI agent to help
handle issue/PR triage is very interesting (the discussion is ASF
member only at the moment but the proposition is open within one of
the Airflow related GitHub repos:
https://github.com/apache/airflow-steward/blob/main/MISSION.md). But
until we have that...
I wish I did. What really bugs me about this is that the pull requests
don't seem to be intended to improve the code as much as generate more
training data for more slop. Any human who steps in with comments is, in
a way, doing unpaid consulting work.
Oh, by the way, we require Python 3.6 to run tools and tests. The
usedforsecurity keyword was introduced in 3.9.
I think I handled that in r1934529.
Yes, you did. 👍 That was a barb for the "author" of the patch.
-- Brane
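To make the threat-model point in the exchange above concrete, here is an added example (mine, not Subversion's code): whether a 0600 file mode matters is decided by the mode of the enclosing directory. `ensure_authdirs()` is only referenced from the thread; `others_can_read`, `create_auth_file` and `demo` are names I chose, and the sample file contents are constructed.

```python
import os
import stat
import tempfile


def others_can_read(path: str, root: str) -> bool:
    """Could a user who is neither owner nor group member read `path`?

    Directories at or above `root` are assumed traversable. Below `root`,
    every directory needs o+x (search permission) and the file needs o+r.
    """
    path, root = os.path.abspath(path), os.path.abspath(root)
    d = os.path.dirname(path)
    while d != root:
        if d == os.path.dirname(d):
            raise ValueError("path is not below root")
        if not os.stat(d).st_mode & stat.S_IXOTH:
            return False  # the directory blocks access whatever the file mode is
        d = os.path.dirname(d)
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def create_auth_file(authdir: str, name: str, data: bytes, mode: int) -> str:
    """Create `authdir` as 0700 (the thread says ensure_authdirs() does this)
    and write `name` into it with an explicit, umask-independent mode."""
    os.makedirs(authdir, mode=0o700, exist_ok=True)
    os.chmod(authdir, 0o700)  # makedirs honours the umask; pin it explicitly
    path = os.path.join(authdir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, mode)  # os.open applies the umask too; pin the file mode
    return path


def demo(root: str = None) -> dict:
    """Compare a world-readable file with a 0600 one, first under a 0700
    directory and then after the directory has been loosened to 0755."""
    root = root or tempfile.mkdtemp()
    authdir = os.path.join(root, "auth")
    loose = create_auth_file(authdir, "loose", b"constructed sample", 0o644)
    tight = create_auth_file(authdir, "tight", b"constructed sample", 0o600)
    with_0700 = {"loose": others_can_read(loose, root),
                 "tight": others_can_read(tight, root)}
    os.chmod(authdir, 0o755)  # the "unusual/manual configuration" case
    with_0755 = {"loose": others_can_read(loose, root),
                 "tight": others_can_read(tight, root)}
    return {"dir_0700": with_0700, "dir_0755": with_0755}


if __name__ == "__main__":
    print(demo())
```

With the directory at 0700 neither file is readable by others, so the 0600 mode only starts to matter once the directory permissions have been loosened, which is the defence-in-depth case the thread describes.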