Manual verification that the "judge" judges correctly.

Also, how exactly do you programmatically validate CVEs?

Most open-source CVEs will have a patch linked in their disclosure. You can get vulnerable code via the git diff, then just verify if it is part of the LLM's finding.

Creating more friction can also lead to a higher percentage of bots. I for one immefiately leave when I realize that I need to jump through several hoops before I'm actually allowed to participate on a site. Someone building a bot farm on the other hand is probably willing to tolerate quite some friction before giving up.

That's true. On the other hand, Hacker News is a pretty well known entity, so I think new users would be more willing to put in the time.

I also don't think it's too unreasonable to ask people to make comments and participate in the community before allowing them to do more.

The two that came online in 2023 and 2024 are hardly a success story if you look at their history.

Not really, no. If you use a regex library it is very likely that 80% of that code is effectively dead code.

public interfaces are not dead code

I'd love for you to write a C compiler that does this and then realize how much dead code there is in your C projects.

Yes, I'd love to see the single line being removed, causing security issues. Many others also.

A C compiler is a relatively simple program (especially if you don't want any optimizations based on undefined behavior). If a large part of the userbase is unhappy with the way most modern C compilers work, they could easily write a "friendly"/"boring" C compiler.

Some of those already exist, e.g. https://bellard.org/tcc/

However, they're not in widespread use. I would be curious to learn if there's any data/non-anecdotal information as to why. Is it momentum/inertia of GCC/LLVM/MSVC? Are alternative compilers incomplete and can't actually compile a lot of practical programs (belying the "relatively simple program") claim? Or is the performance differential due to optimizations really so significant that ordinary programs like e.g. vim or libjpeg or VLC or whatnot have significant degradations when built on an alternative compiler?

Everyone who works for a living is about to have a really bad time.

The initial sign for Xr0 never seemed promising for anyone with experience in formal verification. Neither the code nor the ideas they presented were new. I asked them multiple times to clarify how their project differed from the dozens of already existing options for formal verfication of C programs and never got a concrete answer.

As I see it: tracking (de)allocation in a very simple, understandable way. Unfortunately, that seems to be all it does. It's a start, certainly if you don't want to/cannot use a more complete system, since they can be quite complex. I'm not following this space professionally, only out of interest a bit, but do you know of a system that is so simple?

Xr0 isn't any simpler than for example Frama-C. In fact one of the simplest (but still useful) systems for statically tracking ownership is Rusts borrow checker, which the authors of Xr0 say is _too_ simple.