tech, "AI", bad news

Quoting bsky.app/profile/baldurbjarnas:

As @davidgerard has posted elsewhere, the maintainer of the library HarfBuzz has gone all-in on vibe-coding.

(see: typo.social/@behdad/1161728385)

A note on why this is a worry in the thread ->

Fonts are a lucrative target. They require a complex parser, usually written in a language that isn't memory safe, and often directly exposed to outside data (websites, PDFs, etc. that contain fonts). This means a flaw could lead to an attack; worst case scenario: arbitrary code execution.

HarfBuzz is pretty much the only full-featured library that takes font files, parses them, and returns glyphs ready to render. It is ubiquitous. A security flaw in HarfBuzz could make a good portion of the world's user-facing software (i.e. that renders text) unsafe.

Irrespective of the vibe-coding issue (code review is not an adequate defence against "agent" bugs), this is a piece of software that, due to its position in the industry, should be MORE conservative than the rest. Core infrastructure is not where you want experimentation.
