Kai Krakow <[email protected]> writes:

> On Tue, 10 March 2026 at 16:55, Michał Górny <[email protected]> wrote:
> [...]
>
> But realistically, there isn't a chance for Gentoo to avoid every
> possible AI or LLM assisted contribution to Gentoo through packages or
> direct contributions.

Right (see below too), but I think the best we could do here is allow some users to go an extra step and avoid such packages, though I think it's less pressing than having some way of marking chardet etc as tainted and not something we should depend on >= tainted versions for.

> [...]
>
> Without having looked at the links, I think that's the point of "it
> probably can't be avoided", and we have to find a proper way to deal
> with it. I think human quality control is one way to do it. Of course,
> Gentoo cannot take the burden of doing that as you outline below.
>

Yes, I think this category where we can't identify specific patterns of bugs being introduced has few options for us to act on, except perhaps some (perhaps additional) taint mark that would be reserved for users but not used by default. (i.e. beyond whatever some default would be for the chardet, autobahn case, which I consider more severe.)

>
>> The key problem is, how do we decide whether to package something or
>> not? We definitely don't have the capability of inspecting whatever
>> crap upstream may be committing. Of course, that was always a risk, but
>> with LLMs around, things are just crazy. And we definitely can't stick
>> with old versions forever.
>
> We can't, and we shouldn't. I think we could start with creating some
> quality gates for packages: Do they work with AI? How do they work
> with AI? What is their policy on AI usage? Maybe that's also something
> which could be flagged inside ebuilds so people can decide "what
> amount of AI impact" they want to accept. We could also add
> alternative suggestions to such packages which can be used as
> replacements. But that will certainly explode dependency resolution or
> create completely unmaintainable dependency trees. In the worst case, the
> package simply has to go away, maybe move to a different ebuild tree,
> something like GURU but for packages involving AI patterns in a yet to
> be defined way?

The purpose of the discussion is to figure out what to do with packages that fail such quality gates, though, and by what mechanism to do that.

>
> But I also think that Gentoo's future is not denying that AI exists or
> refusing AI involvement. It will become a tool that cannot be avoided,
> and we have to deal with it in a reasonable way. AI/LLM is still an
> early tool that humans have to learn to use correctly. Currently the
> situation is: It's not used correctly.

Yes, I tend to agree. But what do we do when it's not being used correctly? How do we respond? How do we decide what the line is? And how do we communicate this to users (possibly allowing them some choice in the matter) and other developers?

> [...]

sam
