To further comment, this seems like it might be an intractable task, as the term “dependency hell” kind of implies. You’d likely have to scrape all of GitHub and calculate which libraries are used most frequently across projects to get an accurate assessment. And then it’s not clear to me how you’d identify their level of resourcing. Number of contributors? Frequency of commits?
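To be concrete about the kind of crude proxy I have in mind, here’s a minimal sketch against GitHub’s public REST API (the contributors and commits endpoints are real; the repo name is just illustrative, the 90-day window is arbitrary, and it ignores pagination and rate limits, so counts cap at 100):

```python
# Hypothetical "resourcing" heuristic: count contributors and recent
# commits for a repo via GitHub's public REST API. These are crude
# proxies at best -- a project can be well-maintained by one person,
# or poorly maintained by many.
import requests
from datetime import datetime, timedelta, timezone

API = "https://api.github.com"

def resourcing_signals(owner: str, repo: str) -> dict:
    # Listed contributors (only the first page of 100, for brevity).
    contributors = requests.get(
        f"{API}/repos/{owner}/{repo}/contributors",
        params={"per_page": 100},
    ).json()

    # Commits in the last 90 days as a rough activity measure.
    since = (datetime.now(timezone.utc) - timedelta(days=90)).isoformat()
    commits = requests.get(
        f"{API}/repos/{owner}/{repo}/commits",
        params={"since": since, "per_page": 100},
    ).json()

    return {
        "contributors": len(contributors),
        "commits_last_90_days": len(commits),
    }

# Unauthenticated requests are rate-limited (60/hour), so scraping
# "all of GitHub" this way is already infeasible without auth tokens
# and a lot of patience.
print(resourcing_signals("tukaani-project", "xz"))
```

And even if you collected these numbers for every project, you’d still face the judgment call of what thresholds count as “under-resourced.”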
Also, with your example of the XZ attack, it’s not even clear who was behind it. If you suspect it was, say, the NSA, would you want to thwart them if their purpose was to protect American interests? (I’m assuming you’re pro-American.) Things like zero-days are frequently used by various state actors, and whether those uses are justified is a morally grey question.
I also, as someone in comp sci and a programmer, have doubts you’d ever be able to 100% prevent the risk of zero-days or something like the XZ attack happening in open source code. Given how common zero-days seem to be, I suspect there are many in existing open source work that still haven’t been discovered, and that XZ was just a rare exception where someone got caught.
Yes, hardening these systems might somewhat mitigate the risk, but I wouldn’t know how to evaluate how effective such an intervention would be, or even how you’d harden them exactly. Even if you identify the at-risk projects, you’d still need to do something about them. Would you hire software engineers to shore up the weaker projects? Given the cost of competent SWEs these days, that seems potentially expensive, and could compete for funding with actual AI safety work.
Relevant XKCD comic.