This post is triggered by two other posts – and I swear, I would rather be writing about my new vim config than this topic.
First, there’s The Boy That Cried Mythos: Verification is Collapsing Trust in Anthropic, which seems to be the most in-depth analysis of how little Anthropic’s claims regarding their Mythos model hold up. Hint: it’s practically meaningless.
Next up, this Mozilla blog post The zero-days are numbered.
Yeah, so. How does this fit together?
Starting at the End
I will quote that latter post’s conclusion here:
Encouragingly, we also haven’t seen any bugs that couldn’t have been found by an elite human researcher. Some commentators predict that future AI models will unearth entirely new forms of vulnerabilities that defy our current comprehension, but we don’t think so. Software like Firefox is designed in a modular way for humans to be able to reason about its correctness. It is complex, but not arbitrarily complex.
The conclusion of the “zero-days are numbered” claim is, AI didn’t really make a difference.
Yeah.
“But wait”, I hear you cry, “there is much more text in the blog post that states how good the models are!”.
Yes. And this is where this post fucks over the FLOSS community.
Because they base this on the Mythos Preview claims, which have been shown not to find relevant issues in Firefox: everything it found was with the defense-in-depth mechanisms disabled, the very mechanisms the blog post itself says are important.
As I wrote in a previous post, there is a strong element of Embrace, Extend, Extinguish in the AI shill game these days. FUD campaigns shouldn’t surprise anyone.
Fear. Uncertainty. Doubt.
Mozilla is now in the game of preying on your insecurities.
Unicorns
What worries me is that Mozilla is unique in its position.
This is not hyperbole. They’re not in a rare position. They’re unique.
No other open source project has the same amount of employed and volunteer contributors, because none have the same funding. None. Whatsoever.
Mozilla’s 2024 annual report records some USD $18 million in salaries and personnel costs.
For the same year, the Apache Software Foundation, which lists 300 projects, posts… USD $0 (wait, I was ignoring around USD $10k in travel expenses; yeah). The OpenSSL Foundation says it’s had USD $171k in total.
There is no way to illustrate the level of backing Mozilla’s two flagship products have compared to the rest of the world that does justice to just how much of a unicorn they are.
Here’s an attempt. Let’s look at all expenses for 2024:
Is it fair that I list 10 products for Mozilla, when most folk know only about Firefox and Thunderbird?
Yes.
And no, not really. Because nobody but Mozilla cares.
But yes, I will do so anyway.
| | Mozilla | Apache | OpenSSL |
|---|---|---|---|
| 2024 Expenses | $41,199,350 | $2,162,675 | $171,054 |
| # Projects | 10 | 300 | 1 |
| $ / project | $4,119,935 | $7,209 | $171,054 |
| Ratio | 1 (reference) | 0.0175 | 0.041524 |
OpenSSL, arguably one of the most important projects in the world right now due to its cybersecurity impact, receives less than half of the spending than any of Mozilla’s projects.
In case you’re not aware: after the Eclipse Foundation, which is the official steward of Java base libraries after ownership was transferred from Oracle, the ASF has the largest collection of active Java projects in widespread use.
ASF projects? One. point. seven. five. percent.
And Apache Foundation is doing incredibly well by the standards of most FLOSS projects, financially.
Representation
So in the FLOSS community, we’re in a position now where a handful of orgs make sweeping statements about the state of FLOSS – Mozilla, perhaps Red Hat, Eclipse Foundation isn’t far off – when they demonstrably have a completely different set of problems than the rest of the community.
Mozilla says LLMs find bugs? Nice. You had the funding to give a team of people some months to play around with that.
This does not generalize. You do not have the budget to make it work for you in the same way.
Therefore, Mozilla is incapable of representing your/FLOSS interests here.
And that is giving the whole thing the benefit of the doubt, which is demonstrably a false premise to start from. But whatever.