{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreifccgy45khaj4y7ojamwpa3y6ibcxictj2zsn3t2fvuwpujf4hfse",
"uri": "at://did:plc:hqad6xwuzg7oqfmwylfkvqfm/app.bsky.feed.post/3mn7vozigpx32"
},
"path": "/viewtopic.php?t=33488&p=275046#p275046",
"publishedAt": "2026-06-01T08:49:12.000Z",
"site": "http://forum.palemoon.org",
"textContent": "> It's just been insanity. Even Dan Veditz of Mozilla called the inrush of sec bugs in the past months a \"hellscape\" in our communications. Not because sec was bad, but because so much was dumped on them (and by proxy, us), no doubt to cash in on those sweet bounties (often in the couple grand range per incident, if I understood correctly, at Mozilla) by letting an LLM comb through the code and find deviations from what it thinks are the \"right\" coding patterns to use.\n\nThis is admittedly something I have been worried about, because I do follow LLM stuff in the news... that basically, security bugs will be found at such a rapid rate that it will almost overwhelm Mozilla, and possibly drive you to your breaking point. If this is the \"new normal,\" this project may become essentially unmaintainable without new contributors who are capable of helping you with this side of things. I'm hoping it's just the LLMs finding a lot of low-hanging fruit, maybe thinking in ways humans don't or finding patterns we wouldn't, but eventually it will stabilize after a lot of the stuff it finds obvious has been picked over.\n\n> The sec bug code changes weren't rushed. That's just me working full steam for full days on end. I can't do that too often or for too much time without burnout, of course, but it's not overly hurried. The eUXP stuff was indeed rushed and I hated having to do that but I felt severely pressured in that case. Some things weren't exactly ready there and we'll just have to work on ironing out some creases over time.\n\nThat makes sense. I think I was just reading too much into the crashes I saw users had with the point releases and then all the issues with the merged code and started worrying the codebase might be getting a little too full of stuff users haven't fully tested in a real release. 
It made sense to me when you started that testing program recently, I think we learned from the whole GRE experiment how quickly a ton of new untested code can turn into a nightmare.\n\n> Web Compatibility is more stepping back from the first line of support/analysis/mitigation. I need to just step back and have a more filtered view on what is an actual compat problem in the platform and not just one-offs or corner cases. I'd love to be able to fix everything but that just isn't realistic.\n> The new code works is indeed the major change; and I don't like to do it but I am just no longer capable of doing high level project administration and low-level code dives in tandem. It takes a lot of effort to switch between those two very different mindsets multiple times a day.\n\nThe mental image I'm getting from all this... is actually that you're using all the time you'd normally use for low-level code dives on this deluge of security bugs, and thus you're trying to reserve the rest of the time for high-level project administration? Because obviously you are still working on code... it's just that now all that low-level coding falls disproportionately in one category, the security stuff that only you really have the skills to deal with.\n\nIt also does sound like you would fix major web compatibility issues if they come up... but will try to leave the smaller stuff to others, and maybe focus more on the high-level task of creating open research issues if anything (high-level administration), rather than dive in and fix it yourself. That seems reasonable enough.\n\nWell, assessing things overall... I'm back from college, so that might help a bit. I'm glad this didn't happen a year ago when I was busy studying. But overall, this just seems to reinforce my feeling that we can't afford to do something like adopt a \"no AI-generated code\" stance... 
for one thing, Mozilla will almost certainly be using AI, so anything we get upstream from them has a non-zero chance of being AI generated. For another, we're a smaller project with a community of power users who are probably just short of the skill level needed to write code themselves, and we'd likely be leaving a lot of good code on the table. Should probably talk about that more on another thread, but what I learned here leaves me more convinced we need to learn how to work with these tools as a community.",
"title": "Platform Development • Re: Stepping back from new code tasks...",
"updatedAt": "2026-06-01T08:49:12.000Z"
}