Proton is vibe coding some of its apps.
::: spoiler Transcript A post by [object Object] (@[email protected]) saying: courtesy of @[email protected], Proton is now the only privacy vendor I know of that vibe codes its apps: In the single most damning thing I can say about Proton in 2025, the Proton GitHub repository has a “cursorrules” file. They’re vibe-coding their public systems. Much secure! I am once again begging anyone who will listen to get off of Proton as soon as reasonably possible, and to avoid their new (terrible) apps in any case. https://circumstances.run/@davidgerard/114961415946154957
It has a reply by the author saying: in an unsurprising update for those familiar with how Proton operates, they silently rewrote their monorepo’s history to purge .cursor and hide that they were vibe coding: https://github.com/ProtonMail/WebClients/tree/2a5e2ad4db0c84f39050bf2353c944a96d38e07f
given the utter lack of communication from Proton on this, I can only guess they’ve extracted .cursor into an external repository and continue to use it out of sight of the public :::
Um, it’s a public repository. You can view the code that’s been added. Even if it IS AI generated, you can review it yourself.
I’m as anti-AI as anyone but this is misplaced AI-alarmism.
Does anyone here actually review code?
Only my own code and so far most of it has been unacceptable.
Pure, unabashed honesty. I love it. 🫶
i once wrote a script to launch a program with specific flags that i think was mostly correct, it holds center place on my CV
Yes, and it's one of the most important things I do. Given the AI codegen boom we're seeing, it's also the skill I have that is increasing the fastest in value.
yes as a consultant/freelancer THIS is where the majority of my work is coming from now. if you're good at this SERIOUSLY consider consulting and freelancing for various companies that are now desperately trying to fix their AI tech debt. It's the ONE thing that is completely in demand right now due to the sheer incompetence of all these places that decided vibe coding and AI was the way to go.
you have no idea how much money you can potentially be making right now doing this. I'm booked solid for the rest of the year purely because of this.
Not gonna really be thing long-term. Up front savings vs customer long term retention. The up front savings are what business cares about. So yeah you'll get some companies who fucked up. Most just double down on the a. I.
What you're doing is entering the bargain-phase
Uh yeah? You’d be stupid not to review code, whether written by an AI or a human. I don’t trust either.
I'm guessing OP means code you use rather than code you write, in other words auditing. Likely very few of us do that with any thoroughness. IIRC proton does have some independent auditing.
That’s what I mean too. Y’all don’t just copy-paste from stack overflow praying it works do you?
That obviously not what they meant. They mean, do you review the code for every open source application you use? Do you review every library you utilize? I'm willing to be it's a no for both of these, because no one has time for that.
No, like proton mail app. Have you reviewed it? Or Signal or Veracrypt or TheNewHotness.
Does anyone here realize that one person using Cursor doesnt mean "tHeY'rE vIbE cOdInG aCrOsS tHe wHoLe pLaCe!"
Then why didn’t they just say that instead of being shady and rewriting history?
Because thier bosses aren't accounta le to you and I? That don't have to say a dn thing
that would make sense if it wasn't a fucking business selling the promise of security lol
Again. They don't answer to us. They don't have to say anything
Now. I agree that they SHOULD. It would be not only be better buisness, BUT its the right thing yo do
But no, they don't. The should.
oh so you just want to be annoyingly pedantic, cool
Because it's also not a great idea to expose your rules files, and tell people first "oh shit, we mentioned rules files. Please don't look!" before
I'll be honest here, I've had less dogmatic conversations with conspiracy theorists about COVID. If you just need to make this a huge problem that later turns out to be a nothingburger and you'll never look back and grow as a human, then hey, you do you. But know that you'll look like a fool to anyone that isn't a goldfish and remembers more than 3 months at a time. Because you clearly don't know what's a big deal and what's not, and this is a Grade A waste of all our time to pitch a fit about.
You're a supervisor and you have 2 employees: Bill and Jim. As a supervisor your job is to ensure the work is being done correctly.
Bill is competent and rarely makes major mistakes. Jim does a decent job most of the time ... but he's also a savant at screwing up -- he regularly fucks up in ways that aren't immediately obvious but are guaranteed to cause serious problems days to weeks from the screw up.
You can glance over Bill's work and be fairly certain it's fine. You need to go over every single piece Jim's work to check for problems, and even then some are probably going to slip through.
AI is currently Jim, and Jim has no business writing code for anything privacy or security focused.
This is a great example since AI isn't taking on the role of an independent software engineer here, so there is no "Jim" and this is much less of an issue than y'all are making it out to be. You know that auto-correct is also a form of ML right? Have you considered that tools can be used responsibly and that standards for software developers still apply even when they use new tools?
Yeah, and I don't fuckin use it.
Also, my auto-correct is saying that sentence is missing a comma, so I guess you don't either.
Cool that's great. Can you tell me that none of the software you use has been developed by software engineers making use of machine learning methods?
I can: I do not use any software.
Hahaha
That is pretty immaterial to the issue. The issue is that when it comes to security, it's extremely poor form to rely on unintelligent mimicry.
Probably anti-Proton. I'm no conspiracy theorist, but the amount of pro BlueSky, anti Proton, anti Signal people I see on Lemmy make me wonder sometimes.
Signal is the sad compromise for the people I hold dearest because I refuse to use Messenger anymore and SMS is a joke with how glaringly unencrypted/de-facto wiretapped it is.
I’d love to get everyone on SimpleX but they already look at me like a wacko over Signal. The convenience tax is just non-negotiable for them and I have no idea how to bypass it.
I used to be a big proponent of simplex even if I dont use it with anyone, but I was told that the main developer supports tr*mp and m*sk... If you go to their github, they only link twitter as their social media and if you check their account...
https://github.com/epoberezkin (dunno if were allowed to share twitter links)
Talks about "far-left radicals", says that nazis were socialist etc. etc. .... Really yikes
TBH I feel like so many project leaders are wackos that I don't even judge the products by those, just by things they do. I still have hope in Simplex, but there were a couple of red flags, such as content scanning proposals, including clientside. Sure, it can probably be relatively easily forked to remove that specific thing, or you can choose the servers that don't do that, but it's still alarming that they try.
Yuck. Well then again we sit in Lemmy, and the lead dev is a proud tankiest tankie. Open source do be like that.
Lol, got a point there
For private communication Signal is the gold standard LOL
Not everyone needs shitty xmpp extensions, Matrix that lacks PFS and is enshitiffying as we speak (I say as an avid user) or overkill like SimpleX or Briar.
You seem to be misinformed. Signals architecture is explicitly designed in a way to minimise metadata as much as possible. You can look up the data they had to hand over due to lawsuits, it was absolutely minimal
I know that Signal runs on US cloud infrastructure (like AWS IRRC)
Doesn't change a thing about it's security or what they hand to disclose to authorities
First - I'm not sure Sealed Sender would help against the server being changed to be actively malicious and trying to build social graphs. Second - even metadata concerns aside, a centralized system is just not resilient. Proposals like Chat Control are A LOT more easily enforceable with them than with tiny selfhosted servers.
The question is not is Proton perfect in every conceivable way, the question is: is it more private than Google and the answer to that is yes.
When you opine on social media that Proton is somehow just as bad as Google you are helping doing the work of Google and that's the part that (again I don't truly believe this) makes me wonder if Google/Meta/Twitter is sowing the social web with seeds of doubt about more private alternatives.
I didn't say defending, I said helping. Which you are.
You may want to double check that.
It really reminds me of the Mastodon mob mentality that caused so much trouble for fosstodon :/
Genuinely most of the people against bluesky/atproto haven't looked into it further than the blogpost by Christine lemmer-webber, and just want to be eliteist about being on the fediverse.
I’d bet they just added it to their global .gitignore where it should be, then removed it because they didn’t want their private dot files committed to a public repo.
I don’t think this user knows much about git works. I don’t think this is nefarious or “vibe coding” as it’s colloquially known to be. It’s a bit much to describe all LLM use blindly as vibe coding, when vibe coding usually means just blanket accepting AI content.
Pretty on point, the .gitignore in the repo has a CLAUDE.md
https://github.com/ProtonMail/WebClients/blob/main/.gitignore
Is the privacy of their code that much of an issue in this case given its a public repo? Its going to get scraped by the bots regardless.
Yeah, this logic would encompass all open source projects. Hell, my comment right now will be read by an AI. Why? I'm posting it in a public place.
Because every interaction with the monster is an influence on its next iteration.
But isn’t this a public repo?
Are we really shitting on companies because they have a config file for the wrong editor? Sorry, a config file for the wrong editor (excluding emacs because be as prejudiced as possible against those folk)?
Do I like "AI First" editors? Hell no. But VSCode is rapidly making that pivot and I don't know the lineage of Cursor well enough to know if it also used to be "just any other editor". And, from a quick google, it supports local LLMs (e.g. ollama), so the "Big AI is going to have all your code" problem is mitigated...
Also, the repo is on Github. Big AI (Microsoft) already HAS all their code. And before we have "Well you should selfhost a gitea!": If your website is public facing, it has been scraped by "AI". And if your open source project is hidden behind ten paywalls? I am not gonna finish that joke because people get really pedantic and pissy when you try to define "Open Source".
At the end of the day: At a project level? If active code review by qualified developers is going on, I really don't care how the code was written. I DO care about those individual developers and their abilities as they continue to use "AI" based tools but... that is a different discussion.
I WOULD be interested in a link to the actual offending file. I've been part of enough projects where it was easier to just have dotfiles for every major editor because you have a wide range of contributors and no true scotsman doesn't have one of the local vimrc style plugins running. Whereas if it is massive instructions on how to generate code, I would get a lot more worried.
But an unsourced screenshot of a discussion thread ain't it.
Privacy for a codebase is not the same as privacy for me. Security through obscurity would be more at odds with privacy for the end user.
How is this proof of vibecoding?
https://docs.cursor.com/en/welcome
Using cursor doesn't mean you're vibe coding.
I use ai all day at work for development, none of it is vibe coding.
Yeah there’s a big difference in code quality between using cursor as an aid to write code and vibe coding which would be asking it to write and debug large swathes of code with little human input. AI is very good at correctly writing a couple lines at a time. It quickly loses the plot when trying to write hundreds of lines or more and the human user has no idea what it’s doing anymore.
Sure, but even VS code has been pushing Copilot pretty hard and from the screenshots the setups look fairly similar. It's a recently released code editor with their own personal AI built in vs. VS Code which has the AI as an extension (or built in, I don't know what the default install is like these days).
If they're using it to auto complete lines of code or fill out boilerplate then I don't see the problem. If they're typing "make me a password manager" into the prompt window, hitting enter, and accepting it blindly, that's a problem. Also the code is (at least in this case) open source, so there should be better evidence of bad vibe coded code than the presence of a config file
I think there are better things to criticise Proton for, and unless there is more to the vibe coding than using the Cursor, citing this as a reason will get those other criticisms ignored in the noise.
It doesn't matter Proton is the whipping boy of the fediverse
I wish it was
If you were smart enough to look for an answer to the actual question being asked instead of assuming it's a rhetorical that agrees with your bias you'd have learned something today.
Cursor is an "ai powered" code editor, cursorrules is a file it uses for configuration.
Unfortunately, so is Visual Studio and VS Code.
The presence of an AI assistant isn't evidence of vibe coding. Even using that AI assistant to auto-complete lines or small sections of boilerplate isn't vibe coding. To do that you need to ask the AI for whole swaths of code and then just accept what it gives you.
Proton's repo here is open source. What portion of it presents issues? Any?
Why would you use Cursor instead of VS (the standard for decades) if you're not going to use the AI features Cursor was specifically created for?
Sure, but cursor is different since it's marketed as an Ai editor. VScode is just a general one.
Ai code is plausible bullshit, it may work, it may have bugs or vulnerabilities. It's harder to spot these since its plausible bullshit.
See, that is just the thing: VS Code is marketed as an AI editor. The homepage is literally an autoplaying video of an AI writing code with this title, big and bold, right at the top of the screen:
Poor choice of words on my part, The only appeal of cursor over vscode is the ai features.
This really depends on what their code review process looks like. When I review code, I honestly don't care how it was generated, I look at the requirements and the code, and determine whether the code meets the requirements. How the code was generated doesn't impact that at all.
Dude, you're flaming a company because one of the tools they use is marketed as using AI? You gotta be kidding me. If your bar for privacy requires you to dive down this deep into a company's asshole, you might as well just become Amish
Poor choice of words on my part, The only appeal of cursor over vscode is the ai features.
this is, after all, why we review and trst code.
Your opinion is based on your ideology of what’s wrong and good, but it is not factual
Do you understand the difference between using AI assistance for coding and vibe code?
Yeah using cursor or any AI assistance != vibe coding. I’m just confused why they acted guilty and edited their history without saying anything
Maybe they did the git stuff for some other reason. I mean the files are still there 🤷🏼♀️
I'm a bit tired of the Proton employee bumped into a tourist and didn'timmediately say sorry sort or posts about proton.
That’s literally the definition of “vibe coding”…
No the "definition" (loose term because it's based on one guys tweet hat invented the word) of vibe coding is to don't read the code, accept any changes and code purely of vibes.
Oh that’s what it means? Ok I think we’re all confused because it’s literally just from one tweet! I need to look this up.
Wait, there is a full Wikipedia article that I knew I looked at recently: https://en.wikipedia.org/wiki/Vibe_coding
This is entirely wrong?
Not entirely, but the crux is here
"Karpathy described it as "fully giving in to the vibes, embracing exponentials, and forgetting that the code even exists.""
I only read the intro and definition sections, but the article lines up exactly with what Evotech said.
From the article you cited. Did you read it?
It's not.
make a directory, init a git repo, start claude code in that directory, feed it a prompt (a good vibe coder will utilize another LLM to write them the prompt), then hit shift+tab a couple times, got watch youtube.
that's vibe coding.
Way to tell on yourself by replying in completely the wrong thread.
And still no drive client for Linux..Fuck those guys :)
Their Linux VPN client might as well not exist. No kill switch and it randomly disconnects/crashes. Sometimes it completely borks networking necessitating a reboot, which I guess can be better than just leaking your IP?
Isolating the VPN into docker + gluetun should (should) solve that particular issue.
I’ve never heard of this before! I read this a bit: https://pimylifeup.com/docker-gluetun/
What is the benefit here? I have no experience with containers, so I’m not really sure what I’m encapsulating there.
A container runs the utility in an isolated environment without having to alter your base system's packages, dependencies, etc. Assuming the bork that necessitates a reboot is not a kernel or hardware issue, this would mean that if you get hit with that issue again in a container, what dies is the container itself, rather than your system as a whole. So you're isolating 1.- package management 2.- network config and (potentially) 3.- "blast radius".
(That said, this is the first time I've ever heard that Proton would bork the networking to the point of requiring a whole system reboot.)
Thanks for explaining!
Don't thank me yet, as I said, this is the first time I've ever heard of this kind of bork, so I'm hoping this would fix / sidestep it! :p
I was thanking you for the explanation. I need to spend some time playing with containers and understanding how to manage applications that way.
tf you mean? kill switch does work, doesn't randomly disconnect and it doesn't really bork it for me. skill issue? guess my distro based on my pfp
Rclone foo!
I’m annoyed because I had to go find a tree that actually had the cursor files. If there’s a smoking gun, you gotta fucking link it when you call someone out.
The irony of Proton attempting to remove it this way is that GitHub trees are permanently available. The only way to remove something once a link has been created is to delete the repo. I’d expect a security-minded company to understand that. To me that’s much more egg-on-face than vibe-coding secure applications. Neither is good; only one very explicitly highlights you don’t know shit about security.
AFAIK, unless that tree has signed commits in the history after the commit introducing the cursor files (or it's otherwise verifiable, like having been linked by a member of their team), that's not a smoking gun.
I remember a meme that was shared a while ago, where somebody forked the Linux kernel on GitHub, made a joke commit under Linus's details (which are NOT verified by design), and posted them around. I can't find an instance of that right now, but here's a somewhat similar example, where somebody put a fake backdoor in their fork and changed the url to the original repo, which lets them pretend the commit came from the original repo.
I'd love to see a smoking gun to confirm those claims, but commiting as somebody else, with a fake time, and editing history aren't that difficult - if they could remove the file from history, somebody else could add it to history.
Absolutely fair! The other commits in that tree for the
.cursorfolder match existing contributors. This unchanged PR and this unchanged PR both contain the same structure. This tree comes from this unmerged, closed PR which also matches. This closed issue, commented on by maintainers, references this tree which corroborates the other unlinked commit tree. (Edit: I stopped because I got bored; see the other unchanged issues and PRs that show a rewrite of history)Attribution is never 100% especially when APTs are concerned. I am confident when I say there is way more evidence here showing the files officially exist and were officially part of the tree than many of the very confident yet unconfirmed APT attributions we actively rely on.
I don't know what APT stands for in this context, but just one PR/comment from a trusted contributor seems like plenty of proof, you really went and did your homework, and then mine too ;D
Advanced Persistent Threat. For example, we assume the Lazarus Group is responsible for several high profile attacks. We don’t have anything close to the evidence here for direct attribution; using that as a bar I’d say the Proton attribution is pretty strong. Since my callout was security-focused, I wanted to ground it in other security terms. Your point was completely spot on and it was a great reminder to me because sometimes I forget the basics.
For folks that don’t know, there are a few bad things with the Proton response. First and foremost, you don’t rewrite
mainever just from a development perspective. It usually causes more trouble than it’s worth unless you’re a team of one and no one else has ever touched your repo. From a security perspective, it’s very misleading to assume rewriting history can clear history from GitHub as I hope I’ve shown here. Additionally, anyone with a local copy of the repo from before the rewrite can use the reflog to access that history. While it won’t work for any new pulls post-rewrite, it’s still a risk for a large repo like this.The correct way to handle this or other sensitive information being added to a repo is to use remove the file in a merge and rotate any secrets exposed. Take the hit on the chin; security is just about reducing risk not removing it. I have cleaned up plenty of repos before. Tools like gitleaks can search your active tree as well as your history for exposed secrets. Delete, commit, own the failure. Proper ignore files, meticulous review, and automated checks also help reduce risk.
Overall that’s why I think this is dumb. To me it would be a non-issue if a security-minded company had used security best practices to handle this.
so if nobody likes proton what do you guys do? i am getting tired of the email shuffle.
I feel like every email post is a "don't use platform x" and there are very few (if any?) universally well received services out there. In which case the community will probably just give up and go back to Google.
We probably need a tier chart or something to add perspective. Proton have made dumb decisions recently but they're still better than Google/Microsoft
I dont hope to find a secure email platform anymore. If i have some info i want to protect i can encrypt it myself before sending, or send it via some secure instant messaging like signal. Email is too hard to make secure, and in he end of the day, the other person youre talking to probably has a gmail or something. Its not worth the hassle imo. There are other ways to have secure communication, outside emails.
This is a great point. We spend so much time naval gazing on the best platform for our side, but what about the other side? Might as well use any old service and encrypt your private comms specifically. Yes it's effort to encrypt but I think it's the best compromise of privacy without housing your own mailserver
it's good to keep secure communications separate anyways, so you don't accidentally send the secret message to the wrong place or without the security measures.
i don't get why people want it in the same place as their fucking gaming chats, imagine sending state secrets to #fursuit-showoff because you didn't notice which specific channel you're in
I've been using Posteo for years and don't have any complaints.
How is the initial storage limit?
I'm not sure what the options all are, but it looks like I have 2 gigs at $1 per month.
I use GPG in Thunderbird with ForwardEmail (because I use a custom domain)
I self host my mail. There are plenty of people telling you not to do so, but I sincerely have made very good experience with it the last 10 years. The absolute minimum you should do is to have your own domain, otherwise you are in a vendor lockin.
Then, use PGP where possible with an open source mail client such as thunderbird.
self host. you can get great deals on domains and have whatever you want. Hell in many cases you can get free domains with hosting. my domain is a .ca (i'm Canadian) and I got it free for 2 years with a hosting plan that costs me $50 a year. So I'm already saving over Proton, It's local to me, and I can have unlimited accounts and bandwidth. I also use it to host my portfolio site.
Then I also have my own home server which I use for VPN, Backups, Bitwarden, Git Repos, torrents/media, even have my own searx search engine on it.
I host other stuff, but isn't email a pain to get working and not marked as spam?
I haven't had any issues with it being marked as spam as of yet.
How far have the mighty fallen.
Thinking of moving my main e-mail address to tuta. Alas, haven't been able to find a good provider that uses tried-and-true protocols like IMAP.
Disroot is in my 👀 now because you guys reminded me it was already, some time ago. Let's see how that one goes!
mailbox.org
Love mailbox.org, got the lite plan for €12 per year and works like a charm. Can use the secure mail address or the reg and just paste your public key into to use with Thunderbird.
I'll be considering it, but if I have to deal with paid services in this good year of Arceus of 2025 I'd prefer them to at least deal with my national currency directly, or fall within my country's jurisdiction.
I've made an exception for SDF simply because 1.- they're awesome and 2.- the payment is one-time-only.
Hold your horses buddy it ain't that bad, but if you want an alternative, Try Disroot
Tried that once, long ago, but I honestly don't remember why I couldn't complete the signup. Maybe an essay, or an issue with e-mail verification.
Might have to take a look at it again!
I would very much consider doing some actual research on tuta. Last I checked, they put a LOT of effort into preventing you from controlling your own inbox (Proton have their god awful sync program but it works). And their support forums were basically nothing but constant complaints of downtimes and outages.
My current approach, that I am slowly migrating everything toward (from gmail), is my own domain that I own and addresses at that. I then use (paid) services to manage the email server and just change my DNS settings so that said emails get routed to the right service. I keep a local copy of all my emails on my desktop (working on a solution to my NAS). So if the company goes to shit? I can migrate my entire existence to a new one within 24 hours (usually less because Cloudflare is really good...).
Currently I use Proton (and hate their sync program). I've seen a LOT of good word on Fastmail and like that they don't have any special sync program at all. Main issue is that Proton still have the best VPN for torrenting (linux ISOs only, obviously) and I need to math out what it would cost to switch to just ProtonVPN and then Fastmail. But (Not That) Will Smith wrote up a really good blog post a few months back where he went into why he likes Fastmail and he (and Brad Shoemaker) tend to be my kind of "Yes, I am making my life harder but for a reason maybe".
not email but are there any good alternatives for cloud storage? i backup some of my passwords and pictures to my proton drive manually
Its not cheap to start with, but the best thing you can do is just go buy a 2 or 4 bay synology (I hear ugreen is also good. Fuck qnap) and set up a local home NAS. The vast majority of people will never need more than that and you can back up all your photos and documents in a form factor you can grab when evacuating a burning building.
For essential stuff where you do want/need an off site backup? All of these cloud services are backed up by Amazon et al storage. Do a bit of research (there are plenty of pre-rolled solutions but people get pissy and annoying) and figure out how to encrypt the important docs and push them to cheap storage. Not free but you are literally paying pennies on the dollar compared to any other paid back-up service and... if the storage is free then you are the product.
Or, if you really don't care: Learn to encrypt your sensitive important data and put it in a google drive.
would hndl be a concern?
That is up to you how much you care and what encryption schemes you use (which I intentionally will not make a recommendation on). Best practices is to maintain your own off site backups but... good luck.
That said? If we reach the point that the "good" encryptions are trivially decryptable then the entire modern world is already collapsing as e'rybody goes after the banks and governments. Otherwise? That is going to cost significant compute resources. How important do you think you are that someone is going to track a random bucket to you and then focus on decrypting those tax documents?
Posteo?
Looks paid, I prefer to discard any possible solutions on my country's currency before I even take a look at having to deal with international KYC shit.
This guy seems somewhat biased against this Proton feller
I don’t really care
ok.
Valid answer!
They provide no evidence of vibe coding at all. Just because someone is using an IDE with AI (which is most now) doesn't prove anything.
No one is using Cursor for the IDE feel; Cursor is just a VSCode without MS language servers and with extra AI. It's an objectively worse experience to use Cursor over VSCode, except if you vibe code.
That's not exactly proof.
If the evil didn’t convince people to abandon Proton, maybe a little bit of AI will. Amazing.
They’re cooked
Because 1 coder used Cursor and a bunch of people on Mastadon immediately went to grab the pitchforks because reasons?
How much you want to bet not a single person having a huff about this pays a cent to Proton for anything, and likely doesn't even use them?
ok and? No other service offers as complete a package as Proton
This is the argument people use when discussing Microsoft products
Is M$ stuff provably e2ee? Is Proton a publicly traded company? Does M$ have even close as good a track record as Proton? Are most M$ clients OSS?
Edit: Proton isn't perfect, not by a long stretch. I'm not stanning them either way, but being alarmist and giving in to mob mentality is counterproductive.
For me they just offer the right balance of being partially OSS, strong privacy and strong security that I can pragmatically "overlook" things even as a leftist and free/libre "hardliner" (as I already mentioned: the pragmatic kind. I don't see a point in using Linux-Libre and am ok with proprietary blobs or "tainted" packages for codecs necessary for piracy if there is no alternative and if they don't cause active harm (as in "phoning home" or shit like that. Linux-libre is a detriment to your security BTW)
Oh lookie here we got another Proton payer slash sucker who likes to rationalize giving money to corporations because "privacy".
I don't mean to sound alarmist, but you seem really naive while trying to lick Proton's boots.
Yeah, I'm hypocritical with proton, I use it myself, but I think people should just pay a bit more attention to what they're doing.
I use it with the full knowledge that they will start to track me and share my IP with Europol if they come with a warrant. (They are unable to comply with anything further, thanks to their e2e architecture)
It is part of my threat model and I use it solely for private stuff.
I couldn't care less that the CEO had one slipup praising a Republican with a seemingly good track record (although I did not investigate that matter)
And being a Luddite about AI is really counterproductive, it has arrived in our society and if correctly utilised will be just another tool used to automate or autocomplete etc.
Basically what your IDE already does but on steroids
(Disclaimer: it's Friday and I'm tired so there is a real – if small – chance I'm being a contrarian armed with superficial knowledge. I can't rly tell myself 🙃)
I don't think using proton is a personal moral failure, I just think these things are worth discussing.
I totally agree, but think that the toot you shared is a bit alarmist
Using a corporation to provide "privacy" is most certainly a logical and moral failing.
How do you know some crappy generated code isn’t doing some kind of stupid logging?
TBH this isn't a great argument for open source code. You know it's not doing something stupid in the exact same way you know a human written application isn't doing something stupid.
1- You review it yourself to double check OR
2- You hope that the community is reviewing it and that you would be made aware of problems OR
3- You just don't know.
Because I know how software development works IRL LOL
I can't wait until you guys get real jobs and then realize that every company that is serious about software development heavily pushes for AI tools such as CLINE or Cursor. I use it at work but I wouldn't say I am vibe coding (mainly because it sucks ass). the reason they deleted the file from the repo is unlikely because they don't want people to know they use AI, it's more likely because AI rules files can contain info that you don't want to be made public
If you're serious about software you push design patterns and code reviews, if you're serious about grifting investors you push LLM nonsense.
I fail to see how those two options are mutually exclusive???
You only start a project/feature once (hopefully), you either do so from sound basic principals or prompting. You don't get to have multiple first priorities.
once again, you think it's an all or nothing scenario, you can use an LLM while also doing code review and basic principles. You are the one telling the AI what to do, it will execute your instructions as you told it to, to the best of today's LLM's capabilities
So many people ignore this and repeat the Big tech PR talking points about AI. I had a colleague enthuse about AI agents, then demonstrate it and say “well it’s currently a little bit shit”
The fuck people! Wake up!
Yea, and people are still mad about it and somehow believe people just copy paste everything without checking
Its like complaining an accountant uses a calculator
A calculator produces reproducible results and does not introduce security flaws into your code that you don't care to look for
Then do care to look for? There are PRs, there is a dev that approves changes. It's stupid to resist agentic AIs when they boost productivity by a lot.
Citation that isn't anecdotes please, only actual study I've seen into this was a ~19% drop and even that was flimsy.
19% drop in what?
https://arstechnica.com/ai/2025/07/study-finds-ai-tools-made-open-source-software-developers-19-percent-slower/
Uh, idk how they got that number. It goes against the observations of literally everyone in the industry, so maybe it's not the industry that is biased, but the benchmark they did is incorrect?
Like just several sprints before I've saved my team by generating proto contracts taking backend repo as a context, as backend was busy with other higher important things to unblock us. No AI here means we would be blocked full stop for the entire sprint. And when backend did generate the contract, it was almost identical, and the diff in contracts allowed to identify the issue in the entities they send.
True, some tasks can be done faster without AI, because you have the context and the amount of code volume is actually fairly low.
But
My brother in Christ, in big enterprise project chances that you have some familiarity with the code, well, they are non-zero, but also not that high.
Scientific study vs anecdotal data, that's what studies are supposed to be, the formalisation and distillation of data into conclusions based on said data.
Possibly, do you know how that's normally tested ?
Anecdote, from a single person.
I don't doubt that that is your experience, but it's just that, your experience.
and before you bring out the "but everyone i know all says the same", that's still anecdotal, it's what anecdotal means.
I mean, sure ? i'm not sure how that is relevant though.
As i said, the one study i've seen is somewhat flimsy....
Do you have literally any other study to backup any claims to the contrary?
My original comment was in response to :
That might be true, but for it to be applicable the productivity boost needs to be real, and for public claims to be taken seriously, provably real.
That you, personally, think you are seeing this is great, works for you.
I’m definitely vibe coding all my stuff, why wouldn’t I? I’m still responsible for what I commit to main but it’s so much faster to get shit done like this
If you don’t break the project style, other code, and you actually test and review what you write, then yea
Yeah that’s the idea. seems like many people are thinking that either you don’t do code reviews at all or you’re writing every line of code yourself even if AI could have done a lot of grunt work.