Feed Reader

A half-assed assessment of open source AI code review tools

AdamW on Linux and more - 16 December, 2025 - 21:27
Introduction

Hi there, blog readers! For the last week or so I've been poking into AI code review tools. Yes, this is partly because of the Red Hat "you must do AI things!" policy. But also, to be honest, because they seem to be...actually good now. I set up AI reviews for pull requests to our openQA test repo as an experiment. But especially over the last couple of months, they've got to the point where well over half of the review notes are actually useful, and the writing style isn't so awful I want to stab myself in the eyeballs. So I'd quite like to keep doing them, but in a more open source-y way. So far I've simply been cloning the pull requests to a GitHub mirror of the repo that exists solely to get AI reviews done. That repo has Gemini Code Assist enabled so the PRs are reviewed by Gemini automatically, e.g. here. It's very simple, but entirely closed source, there's no control over it, and Google could take it away at any time.

We're in the middle of migrating Fedora projects from Pagure to our new Forgejo instance, so I decided to try and get some sort of AI review system integrated with Forgejo. And I kinda succeeded! I wrote a Forgejo integration for ai-code-review, a tool I found that was written by another Red Hatter, and managed to set up a proof-of-concept Forgejo Actions workflow using it on a repo I own that's hosted at Codeberg (since Codeberg has public Forgejo Actions runners available; we don't have Actions entirely set up in the Fedora instance yet). Right now it's using Gemini as the model provider just because that was the easiest thing to set up for a PoC, but ai-code-review's design makes the LLM provider easily pluggable, so it's trivial to swap it out. Long term I hope we'll get a Fedora LLM provider set up, serving open source models, and we can make it use that. There's an Ollama backend, and adding an OpenAI API backend should be pretty easy.

Before going any further with that, though, I decided to look around and see if there are other tools out there, and if so, which might be the best one. I poked around a bit and found a few, and wrote up a very half-assed comparative assessment. I figured this might interest others, so I've prettied it up a tiny bit and put it below. I make no claims that this is comprehensive, accurate or fair, please send all complaints to the happyassassin.net HR department! The takeaway is that I'll probably keep working on the ai-code-review approach and also experiment with forking Qodo's archived open-source pr-agent project and see if I can add Forgejo support to it, to compare it against ai-code-review.

If anyone knows of any I missed, please let me know! I briefly looked at RhodeCode but discounted it because it's a whole-ass forge, not just a review tool. ReviewBoard doesn't seem to have any LLM integration as best as I could tell.

The Contenders

ai-code-review
  • Repo: https://gitlab.com/redhat/edge/ci-cd/ai-code-review
  • Author: Juanje Ojeda (Red Hat)
  • Language: Python (typed)
  • Architecture: Modular
  • Tests: Yes, LLM-generated, fairly comprehensive unit tests, very limited integration tests
  • Begun: August 2025
  • Status: Active
  • Forges: GitLab, GitHub, local changes (Forgejo support submitted)
  • Model providers: Gemini, Anthropic, Ollama
  • Output: Console or PR/MR comment
  • Deployment: Local execution, GitLab CI, GitHub Actions (one-shot deployment via container image in CI job)
  • Prompts: Here
ai-codereview
  • Repo: Red Hat internal
  • Author: Tuvya Korol (Red Hat)
  • Language: Python (untyped)
  • Architecture: Monolithic
  • Tests: No
  • Begun: June 2025
  • Status: Active
  • Forges: GitLab, local changes
  • Model providers: RH-internal Claude, Gemini, Granite
  • Output: Console or MR comment
  • Deployment: Local execution, GitLab CI (ad hoc deployment via curl/pip in CI job)
  • Prompts: Red Hat internal
kodus-ai
  • Repo: https://github.com/kodustech/kodus-ai
  • Author: Kodus
  • Language: TypeScript
  • Architecture: Modular
  • Tests: Yes, handwritten, unit and integration, not sure of coverage
  • Begun: April 2025
  • Status: Active
  • Forges: GitHub, GitLab, BitBucket
  • Model providers: OpenAI, Gemini, Anthropic, Novita, OpenRouter, any OpenAI-compatible
  • Output: MR/PR comment and/or review (seems to depend on configuration)
  • Deployment: Local via yarn (indicated as for development only), as containerized webapp (for prod) with own installer - looks complex
  • Prompts: Here
pr-agent
  • Repo: https://github.com/qodo-ai/pr-agent
  • Author: Qodo (formerly Codium)
  • Language: Python (untyped)
  • Architecture: Modular
  • Tests: Yes, handwritten, unit and integration, somewhat primitive, many commented out, 24% coverage (per codecov)
  • Begun: July 2023
  • Status: Archived (Nov 2025)
  • Forges: GitHub, GitLab, Gitea, Gerrit, BitBucket, AWS CodeCommit, Azure DevOps, local changes
  • Model providers: Any OpenAI-compatible (looks like some special handling for Azure), LiteLLM
  • Output: MR/PR comment and/or review, has interactive features
  • Deployment: Local execution or Forge CI. There's a custom GitHub action but it may be abandoned. Installable via pip, should be trivial to containerize for simple one-shot CI job deployment
  • Prompts: Here
ai-pr-reviewer
  • Repo: https://github.com/coderabbitai/ai-pr-reviewer
  • Author: CodeRabbit
  • Language: TypeScript
  • Architecture: Modular
  • Tests: Barely any
  • Begun: Feb 2023
  • Status: Archived (Nov 2023)
  • Forges: GitHub
  • Model providers: OpenAI
  • Output: PR review/comment
  • Deployment: GitHub Action (no longer maintained). No generic or local deployment documented
  • Prompts: Here
Conclusions

ai-code-review (Juanje) and pr-agent (Qodo/Codium) seem the best options.

Of the RH-developed, greenfield projects, ai-code-review is more featureful and better architected than ai-codereview, and not tied to an RH-internal model provider.

Of the existing public projects, ai-pr-reviewer (CodeRabbit) was very tied to GitHub, has no documented standalone deployment ability, and was archived fairly early in development. Plus it's in TypeScript. Kodus is actively developed, but similarly is in TypeScript, deployment looks complex, and from what I've seen I don't love its review style. Hard to say why but the project overall gives me a sloppy vibe. pr-agent (Qodo) had the longest development history and seems the most mature and capable at the point where it was abandoned (well, they actually seem to have done a heel turn and gone closed source / SaaS). It has a documented standalone deployment process which looks relatively simple and subject to integration into generic CI workflows.

Categories: Other Blogs

Talk:Persistent live systems

Wiki Mageia - 16 December, 2025 - 13:01

← Older revision Revision as of 12:01, 16 December 2025 Line 154: Line 154:     [[User:Nikos5446]] [[User:Nikos5446]]  +----  +[[User:Morgano|morgano]] ([[User talk:Morgano|talk]]) 12:01, 16 December 2025 (UTC)  +  +No programming needed. Maybe just pass some parameters to kernel to cache more an write more lazy, maybe setting in fstab, though I am not sure if that really works on Live.  Backside of course is that the more we delay writes, the mare are lost and also more risk of filesystem failure if power are cut or the USB suddenly is plugged put.  https://www.ecosia.org/search?q=disk+write+cache+linux gives some ideas.  Firefox is slow to even launch also on my Thinkpad T3, single core 32 bit with spinning disk.  I have tried light weight browsers, Falkon and some other, but they do not work at all on that system (if I and packagers had more people I would have raised bugs). Morgano
Categories: Mageia Wiki

Talk:Persistent live systems

Wiki Mageia - 16 December, 2025 - 10:25

opposite direction?

← Older revision Revision as of 09:25, 16 December 2025 Line 147: Line 147:     I wonder if it is  possible to implement a large write buffer, that dynamically use all free RAM to swallow writes and then write lazily to USB. I wonder if it is  possible to implement a large write buffer, that dynamically use all free RAM to swallow writes and then write lazily to USB.  +----  +  +> I wonder if it is  possible to implement a large write buffer...  +  +That would be far beyond my abilities (no programming knowledge whatsoever). Also, this is far beyond my time schedule. The opposite direction would be to write less: for example use a "mobile" User Agent for the browser that would direct the user to the "lighter" mobile version of a site. That type of tricks...  +  +[[User:Nikos5446]] Nikos5446
Categories: Mageia Wiki

MGASA-2025-0329 - Updated thunderbird packages fix security vulnerabilities

Mageia Security - 15 December, 2025 - 21:06
Publication date: 15 Dec 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-14321, CVE-2025-14322, CVE-2025-14323, CVE-2025-14324, CVE-2025-14325, CVE-2025-14328, CVE-2025-14329, CVE-2025-14330, CVE-2025-14331, CVE-2025-14333
Description
  • Use-after-free in the WebRTC: Signaling component. (CVE-2025-14321)
  • Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. (CVE-2025-14322)
  • Privilege escalation in the DOM: Notifications component. (CVE-2025-14323)
  • JIT miscompilation in the JavaScript Engine: JIT component. (CVE-2025-14324, CVE-2025-14325, CVE-2025-14330)
  • Privilege escalation in the Netmonitor component. (CVE-2025-14328, CVE-2025-14329)
  • Same-origin policy bypass in the Request Handling component. (CVE-2025-14331)
  • Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. (CVE-2025-14333)
References
SRPMS
9/core
  • thunderbird-140.6.0-1.mga9
  • thunderbird-l10n-140.6.0-1.mga9

MGASA-2025-0328 - Updated nspr, nss & firefox packages fix security vulnerabilities

Mageia Security - 15 December, 2025 - 21:06
Publication date: 15 Dec 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-14321, CVE-2025-14322, CVE-2025-14323, CVE-2025-14324, CVE-2025-14325, CVE-2025-14328, CVE-2025-14329, CVE-2025-14330, CVE-2025-14331, CVE-2025-14333
Description
  • Use-after-free in the WebRTC: Signaling component. (CVE-2025-14321)
  • Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. (CVE-2025-14322)
  • Privilege escalation in the DOM: Notifications component. (CVE-2025-14323)
  • JIT miscompilation in the JavaScript Engine: JIT component. (CVE-2025-14324, CVE-2025-14325, CVE-2025-14330)
  • Privilege escalation in the Netmonitor component. (CVE-2025-14328, CVE-2025-14329)
  • Same-origin policy bypass in the Request Handling component. (CVE-2025-14331)
  • Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. (CVE-2025-14333)
References
SRPMS
9/core
  • nspr-4.38.2-1.mga9
  • nss-3.119.0-1.mga9
  • firefox-140.6.0-1.mga9
  • firefox-l10n-140.6.0-1.mga9

MGASA-2025-0327 - Updated ffmpeg packages fix security vulnerabilities

Mageia Security - 15 December, 2025 - 21:06
Publication date: 15 Dec 2025
Type: security
Affected Mageia releases : 9
Description
Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.
References
SRPMS
9/core
  • ffmpeg-5.1.8-1.mga9
9/tainted
  • ffmpeg-5.1.8-1.mga9.tainted

MGAA-2025-0105 - Updated sansimera-qt packages fix bugs

Mageia Security - 15 December, 2025 - 21:06
Publication date: 15 Dec 2025
Type: bugfix
Affected Mageia releases : 9
Description
  • Current version has a bogus requirement on python3-sip.
  • Current version misses a python3-lxml requirement.
  • Current version crashes after downloading images.
The updated package fixes the reported issues.
References
SRPMS
9/core
  • sansimera-qt-1.1.0-1.3.mga9

MediaWiki:Titlewhitelist

Wiki Mageia - 15 December, 2025 - 13:41

← Older revision Revision as of 12:41, 15 December 2025 Line 55: Line 55:     User:ftg User:ftg  +  +User:geex     User:ghibo User:ghibo Papoteur
Categories: Mageia Wiki

Talk:Persistent live systems

Wiki Mageia - 15 December, 2025 - 09:44

← Older revision Revision as of 08:44, 15 December 2025 Line 139: Line 139:     [[User:Nikos5446]] [[User:Nikos5446]]  +----  +[[User:Morgano|morgano]] ([[User talk:Morgano|talk]]) 08:44, 15 December 2025 (UTC)  +  +>> writing is the slowest bottleneck  +  +> A constant reason for freezing and just waiting...  +  +I wonder if it is  possible to implement a large write buffer, that dynamically use all free RAM to swallow writes and then write lazily to USB. Morgano
Categories: Mageia Wiki

Talk:Persistent live systems

Wiki Mageia - 15 December, 2025 - 09:28

wget DOWNLOAD_LINK

← Older revision Revision as of 08:28, 15 December 2025 Line 120: Line 120:     If you can come up with a trick to enable users to i.e save files from Firefox, it would be a great addition to that tip :-) If you can come up with a trick to enable users to i.e save files from Firefox, it would be a great addition to that tip :-)  +  +----  +  +> writing is the slowest bottleneck  +  +A constant reason for freezing and just waiting...  +  +> If you can come up with a trick to enable users to i.e save files from Firefox...  +  +The only solution I came up with was to copy the download link (in some cases while it was still "hot", meaning that this often is a temporary link that will expire after, let's say, the connection with the webpage is finished by closing the browser tab).  +Then I would open a terminal and use the command...  + wget DOWNLOAD_LINK  +or...  + wget "DOWNLOAD_LINK"  +if the link address was complicated.  +  +It is not the best tip for beginners though. That's why I was reluctant to add it in the first place. For example, a beginner in linux might not know the "cd" command and would be trying to find the downloaded file all over the place.  +  +[[User:Nikos5446]] Nikos5446
Categories: Mageia Wiki

Mageia 10 Errata

Wiki Mageia - 14 December, 2025 - 21:05

‎Various software: Add 2 bugs

← Older revision Revision as of 20:05, 14 December 2025 Line 197: Line 197:     === Various software === === Various software ===  +{{Bug|34293}}, {{Bug|34812}} Some KDE applications like {{prog|plasmatube}} and {{prog|kdenlive}}, can fail when are installed for use in systems that not include Plasma Desktop with '''module "org.kde.desktop" is not installed''' exist two workarounds see {{Bug|34812#c3}}     {{Bug|34634}} - '''CodeBlocks:''' For now, we had to disable the wxSmith plugin. {{Bug|34634}} - '''CodeBlocks:''' For now, we had to disable the wxSmith plugin. Katnatek
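
Review bot: the errata entry added at line 197 runs the symptom, the error text and the workaround pointer together in one sentence, so it is hard to tell which part is the message a user will see. Suggest splitting it: one sentence saying that some KDE applications such as plasmatube and kdenlive can fail on systems without Plasma Desktop, with the error '''module "org.kde.desktop" is not installed''', and a second sentence pointing to the two workarounds in Bug 34812#c3. The other entries in this section lead with a bold topic label after the bug number (as the CodeBlocks line does); adding one here would keep the list consistent.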
Categories: Mageia Wiki

Pre-release ISO testing

Wiki Mageia - 14 December, 2025 - 17:59

‎Dorsync

← Older revision Revision as of 16:59, 14 December 2025 (One intermediate revision by the same user not shown)Line 197: Line 197:     The ''dorsync'' tool is downloaded by   The ''dorsync'' tool is downloaded by   −  $ wget https://dl.dropboxusercontent.com/u/4147101/QA/dorsync+  $ wget https://gitweb.mageia.org/qa/dorsync/tree/dorsync  See the "ISO_testing_rsync_tools" [[ISO_testing_rsync_tools|Wiki page]] for a fuller note, and setting it up ("Dorsync->Preparation"). If you ''only'' want it as an ISO dumping tool, then just the following item should need defining: See the "ISO_testing_rsync_tools" [[ISO_testing_rsync_tools|Wiki page]] for a fuller note, and setting it up ("Dorsync->Preparation"). If you ''only'' want it as an ISO dumping tool, then just the following item should need defining:    # location is where you stored the ISOs    #   # location is where you stored the ISOs    # Line 207: Line 207:  USB drives found: USB drives found:       Device Size When Found Model      Device Size When Found Model −1) /dev/sdb 4Gb Dydd Llun 17 mis Tachwedd 2014 18:29:29 CET CBM Flash Disk+1) /dev/sdb 4Gb Monday, November 17, 2014 18:29:29 CET CBM Flash Disk  Please choose which USB to use or Q to quit and press <enter>: 1 </nowiki> Please choose which USB to use or Q to quit and press <enter>: 1 </nowiki>  Then it shows a list of ISO images it finds in your ISO directories, for you to chose which one to write out, e.g. Then it shows a list of ISO images it finds in your ISO directories, for you to chose which one to write out, e.g. Line 220: Line 220:    <nowiki>   <nowiki>  About to dump /mnt/common/Mageia/KDE64/Mageia-5-beta1-LiveDVD-KDE4-x86_64-DVD.iso About to dump /mnt/common/Mageia/KDE64/Mageia-5-beta1-LiveDVD-KDE4-x86_64-DVD.iso −onto /dev/sdb (4Gb CBM Flash Disk found at Dydd Llun 17 mis Tachwedd 2014 18:29:29 CET)+onto /dev/sdb (4Gb CBM Flash Disk found at Monday, November 17, 2014 18:29:29 CET)  This will destroy any data already on the USB device. 
This will destroy any data already on the USB device.  Press Y to confirm or Q to quit: y Press Y to confirm or Q to quit: y Lpsolit
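
Review bot: the replacement wget target at line 197, https://gitweb.mageia.org/qa/dorsync/tree/dorsync, is a /tree/ path, which in a web repository viewer normally returns the HTML page showing the file rather than the file itself, so readers following the instruction may end up with a saved web page instead of the script. Please confirm what that URL actually downloads and, if it is the rendered page, link the raw-file URL for the same path instead. Because the tool goes on to overwrite a block device (/dev/sdb in the sample output), it would also help to tell readers to check that the downloaded file is the expected script before running it.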
Categories: Mageia Wiki