AI contributions into OQS

[christianpaquin]

In the Aug 12th TSC meeting, we discussed about AI assisted/generated code contributions, and what should be our position about that.

As an experiment and to demonstrate the AI capabilities, I asked Chat GPT for improvement suggestions for the library, and to integrate FAEST into the library. This got me started by it couldn't complete the code the request unassisted.

Given that this task in non-trivial, I'd like to try a simpler task, so I'm looking for suggestions (perhaps from our Issues list).

FYI, I'm for accepting AI-assisted contributions, if we require disclosure in PRs.

[baentsch]

open-quantum-safe/oqs-provider#696 is being used as the requested simpler task. For me, that experiment already shows that AI can help (particularly in the absence of human knowledge/a maintainer) but also shows the value of human inspection of a fix, incl. the risk of code this way getting complicated beyond "casual" human inspection, possibly becoming only maintainable by AI. I'm not sure we want this. But then again, if no-one is willing to dive into the code and maintain it, that may be the way forward -- but it feels pretty risky, particularly for "security" code that some want to move to a higher level of reliability.

Open question: Who's the author of such contributions?

My take-away from this: Allow AI contributions, but demand a) disclosure of AI use and b) the author to fully stand behind it with his/her personal reputation (along the lines of "OQS reserves the right to discard without review future contributions by authors who could not satisfactorily explain or move to merge previous AI-generated contributions").

[christianpaquin]

I agree with your take-away: the responsibility should lie with the human contributor, who should declare AI usage. There are various AI tools that do different things: e.g., GitHub Copilot has supported for years code completion (just like popular text email completion) or turning comments into small code snippets. Newer LLM-based tools can now generate or refactor large code bases. Bottom line for both cases: the human contributor should be able to explain what is being pushed.

[christianpaquin]

Interesting article: "More than half of code shipped by senior developers could be AI generated, according to survey findings."

[baentsch]

Thanks for sharing @christianpaquin ! Interesting, indeed but imo the article has two major flaws: 1) It doesn't seem to correct for senior developer's tendency to be slower developing code than junior developers (without the aid of AI, disregarding code quality, of course) and 2) It is mum about what exactly (not just senior developers) consider "production quality code": At least in my experience, senior developers get more "lenient" over the years in that regard as they have been exposed for those more years to the management tendency to push developers to "ship fast and fix later", i.e., put code quality behind speed of delivery. Both points could well serve to explain senior developers to (more) quickly use AI-generated code (plus, of course, their --likely-- higher experience spotting obviously bogus AI code -- as even happened in our little experiment :).

So may I suggest we close this discussion adding wording along the lines proposed above to CONTRIBUTING.md (plus a checkbox "created using AI" to the PR template)?

[dstebila]

So may I suggest we close this discussion adding wording along the lines proposed above to CONTRIBUTING.md (plus a checkbox "created using AI" to the PR template)?

Sounds like a good plan. I would also add it to the new issue template (or we could try out Github's new issue forms if we were feeling ambitious). In addition to a checkbox, I would want them to describe how AI was used to generate the code or any documentation or text in the PR/issue discussion.

[dstebila]

I've created #2269 to update CONTRIBUTING.md and the pull request and issue templates to ask for disclosure on generative AI use.

[AdityaKoranga]

OpenSSF has released some guidance related to this: https://best.openssf.org/Security-Focused-Guide-for-AI-Code-Assistant-Instructions. This might be helpful, have a look

[dstebila]

Thanks for the suggestion, I've added a link to that in the contributing guide.