The following article describes a security expert's effort to
determine whether Anthropic's claim of "thousands of severe
vvlnerabilies" is true.  He examined the CVE registry.

Researchers Are Trying to Determine How Many Vulnerabilities Claude
Mythos Has Discovered
https://hackmag.com/news/mythos-cves

 VulnCheck specialist Patrick Garrity tried to determine how many
 vulnerabilities Anthropic's new AI model Claude Mythos actually
 discovered as part of the Project Glasswing initiative. Recall that
 the developers had claimed it found thousands of 0-days.

 ...

 Gerrity decided to put Anthropic's bold claims to the test and
 examined the CVE registry, which contains more than 327,000
 entries. He searched for all records containing the word "Anthropic"
 starting from February 2026 and manually analyzed the results.

---

On April 7th Jim Zemlin of the Linux Foundation made a statement
on Project Glasswing.

https://www.linuxfoundation.org/blog/project-glasswing-gives-maintainers-advanced-ai-to-secure-open-source

The message is addressed primarily to "open source" developers.
Zemlin understands that they suffer from limited resources and says
that Project Glasswing would be a blessing because "AI" would assist
arduous security-related work.  He speaks of providing Claude
access to "open source" developers, even going on to suggest that
such access would entice people to accept maintainer roles.

There are several problems.  The above was posted on April 7th.
A month has passed but maintainers are generally unaware of this
proclamation.  The Linux Foundation has not issued any further
statements, indicating an absence of notable progress.

There are many free software projects that maintain critical system
components.  Compiling a comprehensive list is a significant task.
Any attempt to determine who shall be let in and who shall be kept out
should lead to noisy debate, which we currently do not observe.

I believe Jim Zemlin's plan to make Claude available to a large number
of "open source" developers is at odds with the desires of Project
Glasswing member firms.  Glasswing is promoted as a small and tight
group while Zemlin calls for throwing the gates wide open.  Without
resolving this conflict the Linux Foundation cannot make progress.

Linux is the name of a kernel, and the Linux Foundation is built
around kernel developers.  Many people wrongly believe that "Linux" is
the whole OS and do not understand that the Linux Foundation has
absolutely no authority over developers of other OS components.  In
fact many developers are not interested in the Linux Foundation and
pay scant or no attention to announcements on their official website.

In contrast when ordinary people hear that the Linux Foundation is a
Glasswing member, they assume that developers of the "Linux OS" would
be given ample time and resources to deal with security issues.
Unfortunately this is not the case.  A dangerous gap between reality
and perception thereof exists.

---

If we want to compile a list of critical system components, where do
we start?  The Debian Popularity Contest may be the starting point:
https://popcon.debian.org/

_______________________________________________
libreplanet-discuss mailing list
[email protected]
https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss

Reply via email to