Technology

Security is where the gap shows most clearly

So, this is an area where I'm also pretty skeptical. It might be possible to address some of the security issues by making minor shifts away from a pure-LLM system. There are (conventional) security code-analysis tools out there, stuff like Coverity. Like, maybe if one says "all of the code coming out of this LLM gets rammed through a series of security-analysis tools", you catch enough to bring the security flaws down to a tolerable level.

One item that they highlight is the problem of API keys being committed. I'd bet that there's already software that will run on git-commit hooks that will try to red-flag those, for example. Yes, in theory an LLM could embed them into code in some sort of obfuscated form that slips through, but I bet that it's reasonable to have heuristics that can catch most of that, that will be good-enough, and that such software isn't terribly difficult to write.

But in general, I think that LLMs and image diffusion models are, in their present form, more useful for generating output that a human will consume than that a CPU will consume. CPUs are not tolerant of errors in programming languages. Humans often just need an approximately-right answer, to cue our brains, which itself has the right information to construct the desired mental state. An oil painting isn't a perfect rendition of the real world, but it's good enough, as it can hint to us what the artist wanted to convey by cuing up the appropriate information about the world that we have in our brains.

This Monet isn't a perfect rendition of the world. But because we have knowledge in our brain about what the real world looks like, there's enough information in the painting to cue up the right things in our head to let us construct a mental image.

Ditto for rough concept art. Similarly, a diffusion model can get an image approximately right

some errors often just aren't all that big a deal.

But a lot of what one is producing when programming is going to be consumed by a CPU that doesn't work the way that a human brain does. A significant error rate isn't good enough; the CPU isn't going to patch over flaws and errors itself using its knowledge of what the program should do.

EDIT:

I’d bet that there’s already software that will run on git-commit hooks that will try to red-flag those, for example.

Yes. Here are instructions for setting up trufflehog to run on git pre-commit hooks to do just that.

EDIT2: Though you'd need to disable this trufflehog functionality and have some out-of-band method for flagging false positives, or an LLM could learn to bypass the security-auditing code by being trained on code that overrides false positives:

Add trufflehog:ignore comments on lines with known false positives or risk-accepted findings