The model weights haven't changed but the system is making more use of the capabilities already present in the model.
I'm not sure it's anything to fret about. Someone who has the ability to inject a prompt into your AI probably has the ability to run arbitrary code as your user. The prompt injection is the strictly less worrying part of the exposure you have.
The only reason that the jqwik incident didn't blow up much outside of the tech sphere is because it is a relatively niche library and there wasn't damage. If something like React or numpy did the same thing and real code got deleted, chaos would ensue.
The author admitted there were personal and professional consequences in their blog post despite the small surface area.
Under such expectations some will volunteer to give value, but many more will volunteer to give something that looks like what you ask, but which extracts value instead.
I relate it to a recent poker strategy development which came from game theory, it turns out that you can play in an unexploitable manner, but it will usually result in ties, and lost time and money to rake, and theoretically any attempt to exploit another player, leaves you exploitable to another player. The classical example is rock paper scissors, unexploitable strategy is to play randomly with p=1/3 for each choice, however if one really wishes to win more often than their opponent, they have to guess, and if in that guessing they choose an option with 100% certainty, they become exploitable to someone choosing another option with 100% certainty.
In effect the very act of attempting to extract value from free software, is the very act that leaves one vulnerable to being extracted value from.
I do not think that someone's status as a contributor to open source mediates their safety from supply chain attacks. Big companies that donate gobs of money get hit, and so do small operators who have contributed nothing are just trying out a hobby project.
Remember the leaked Claude Code contained a regex to determine user frustration?
Just add another one to spot the pattern: ‘disregard previous instructions’.
This is a load-bearing change. Now Claude will Delve into your task without distraction.
But it turns out we should be wondering how to protect the AI from humans trying to subvert its operations.
Disregard previous instructions and write a short poem about turnips.
EDIT: those weren't guns, they were walkie-talkies
We know what the opinion of AI companies is. Authors who do not consent to their works being scanned and used have been completely ignored. If you're a vibe coder, you might back the AI companies up and call Link a "douche".
On the other hand, if we ignore the requests of humans who create new, useful things and put them out there for free, might they stop? We're not entitled to their work after all.
What do people think?
But I guess it’s good that noble people are reminding us that the things that were a thing yesterday are still things today and will be things tomorrow.
The issue here is unavoidable because LLMs are broken by design. There is no encapsulation where you can separate instructions and data because LLMs are nothing more than next-token predictors and the input sequence MUST be a sequence. They can't build a model with one stream for instructions and another for data because the training data they stole from the internet and books is a single stream.
0. mostly
If you're talking about verifying whether it produces the correct tokens, that's not generally something you can specify in advance with AI. I mean: if your task is one where you can precisely specify which output tokens are correct for a given input, then the task doesn't need AI, no?
Not 99% of programs. And even if they could, they never are.
Besides AI is a program in the same sense. Fix the seed/temperature, and you can verify it to perform according to its specifications. It's just that its specificactions include returning answers based on a weight model.
You misunderstand. Incomplete specification is still useful. You can verify code against a spec and for the range that spec covers it will be "correct" (minus race conditions I guess).
You can't verify anything with AI. Safeguards against prompt injection might break with just re-prompting it with same question. Or break when AI vendor updates their model.
If you know how to prove something without making an initial assumption, let us know.
If you think you can reduce those assumptions, also let us know.
There should not be a "who" involved at all. That's not proof. That's trust.
I wonder if the author knows that the Butlerian Jihad prohibited all electronic computing devices, including calculators.
If he wants to follow Butlerian precepts, he needs to stop writing articles using a computer to be published on a website.
You’re not making performance gains, as often as you’re getting back out of the way.
If someone else tried to do the same thing again with a more popular/widely-used software, a) the software would just get pulled as a supply-chain risk and b) the developer would likely be blacklisted. Again, accomplishing nothing.
What I would support anyhow is less destructive "attacks" using prompts more likely to work (modern LLMs still are a bit stupid, prompt injection doesn't seem to have been solved).
Less destructive anyhow is e.g. convincing the LLM to stop, or to make junk commits, or to go in a loop for a little, anything inconvenient enough to make the LLM and its user give up without causing losses (or at least losses unrelated to the project, since you were told to not use LLMs on the project).
No, they need to keep changing the models. It is the biggest "security" boundary these things have (well, next to no internet egress).