What do LLMs mean for GnuPG?

[Chandler Davis]

I'll preface this with saying the most I've ever done *for* GnuPG is
contribute
a line or two of documentation. I am simply an enthusiast that likes
to read up
on these discussions, so feel free to take my thoughts with a grain
of salt. 

That being said, I do use LLMs professionally, and the company I work
for also
happens to be building an LLM-centric product. I feel like I've
gotten as good
of a grasp on it as I can without going mad.

On one hand, I have noticed a fair amount of productivity gains,
particularly
with boilerplate but also across the board to some extent. It has
also been an
excellent (if not horrifyingly expensive) rubber duck. 

On the other...

> I do not believe LLMs should be authoring security-sensitive code,
ever.

Absolutely agree. In my opinion, using LLMs to write code necessarily
means
letting things slip through the cracks. *That's* the tradeoff. 

Not to mention, they find solutions that tend towards the average
(whether
correct or flat-out wrong), and the average is not good enough for
code that
people stake their lives on.

Writing good software is inconvenient, but as the saying goes, if was
easy it
wouldn't be worth doing. 

To boil it down to a point, I think LLMs are great as research tools
and
something to bounce ideas off of, and in the right environment, code
generators. I think all but the last of those would seem reasonable
for GnuPG
development.

If I'm not mistaken, the GnuPG project doesn't need to be developed
quickly so much as it
needs to be developed correctly and with much care and consideration,
and
that's roughly the antithesis of so-called "AI-driven development".

As Robert said, I'm also happy to share my experiences with these
tools in and
out of the workplace if anyone's curious. 

“A computer can never be held accountable, therefore a computer must
never make
a management decision.”
- IBM Training Manual, 1979