- cross-posted to:
- fuck_ai@lemmy.world
- privacy@lemmy.ml
- cross-posted to:
- fuck_ai@lemmy.world
- privacy@lemmy.ml
Transcript
A post by [object Object] (@zzt@mas.to) saying: courtesy of @davidgerard@circumstances.run, Proton is now the only privacy vendor I know of that vibe codes its apps: In the single most damning thing I can say about Proton in 2025, the Proton GitHub repository has a “cursorrules” file. They’re vibe-coding their public systems. Much secure! I am once again begging anyone who will listen to get off of Proton as soon as reasonably possible, and to avoid their new (terrible) apps in any case. https://circumstances.run/@davidgerard/114961415946154957
It has a reply by the author saying: in an unsurprising update for those familiar with how Proton operates, they silently rewrote their monorepo’s history to purge .cursor and hide that they were vibe coding: https://github.com/ProtonMail/WebClients/tree/2a5e2ad4db0c84f39050bf2353c944a96d38e07f
given the utter lack of communication from Proton on this, I can only guess they’ve extracted .cursor into an external repository and continue to use it out of sight of the public
You must log in or # to comment.
so if nobody likes proton what do you guys do? i am getting tired of the email shuffle.
self host. you can get great deals on domains and have whatever you want. Hell in many cases you can get free domains with hosting. my domain is a .ca (i’m Canadian) and I got it free for 2 years with a hosting plan that costs me $50 a year. So I’m already saving over Proton, It’s local to me, and I can have unlimited accounts and bandwidth. I also use it to host my portfolio site.
Then I also have my own home server which I use for VPN, Backups, Bitwarden, Git Repos, torrents/media, even have my own searx search engine on it.
I’ve been using Posteo for years and don’t have any complaints.
I feel like every email post is a “don’t use platform x” and there are very few (if any?) universally well received services out there. In which case the community will probably just give up and go back to Google.
We probably need a tier chart or something to add perspective. Proton have made dumb decisions recently but they’re still better than Google/Microsoft
I’m annoyed because I had to go find a tree that actually had the cursor files. If there’s a smoking gun, you gotta fucking link it when you call someone out.
The irony of Proton attempting to remove it this way is that GitHub trees are permanently available. The only way to remove something once a link has been created is to delete the repo. I’d expect a security-minded company to understand that. To me that’s much more egg-on-face than vibe-coding secure applications. Neither is good; only one very explicitly highlights you don’t know shit about security.
AFAIK, unless that tree has signed commits in the history after the commit introducing the cursor files (or it’s otherwise verifiable, like having been linked by a member of their team), that’s not a smoking gun.
I remember a meme that was shared a while ago, where somebody forked the Linux kernel on GitHub, made a joke commit under Linus’s details (which are NOT verified by design), and posted them around. I can’t find an instance of that right now, but here’s a somewhat similar example, where somebody put a fake backdoor in their fork and changed the url to the original repo, which lets them pretend the commit came from the original repo.
I’d love to see a smoking gun to confirm those claims, but commiting as somebody else, with a fake time, and editing history aren’t that difficult - if they could remove the file from history, somebody else could add it to history.
Absolutely fair! The other commits in that tree for the
.cursorfolder match existing contributors. This unchanged PR and this unchanged PR both contain the same structure. This tree comes from this unmerged, closed PR which also matches. This closed issue, commented on by maintainers, references this tree which corroborates the other unlinked commit tree. (Edit: I stopped because I got bored; see the other unchanged issues and PRs that show a rewrite of history)Attribution is never 100% especially when APTs are concerned. I am confident when I say there is way more evidence here showing the files officially exist and were officially part of the tree than many of the very confident yet unconfirmed APT attributions we actively rely on.
I don’t know what APT stands for in this context, but just one PR/comment from a trusted contributor seems like plenty of proof, you really went and did your homework, and then mine too ;D
Its like complaining an accountant uses a calculator
A calculator produces reproducible results and does not introduce security flaws into your code that you don’t care to look for
Then do care to look for? There are PRs, there is a dev that approves changes. It’s stupid to resist agentic AIs when they boost productivity by a lot.
i would not trust an accountant who lacks traditional math skills and also that uses a calculator that occasionally returns random numbers
I’ll hold my judgment given that this source of this is that massive asshole, David Gerard.
Do you understand the difference between using AI assistance for coding and vibe code?
Yeah using cursor or any AI assistance != vibe coding. I’m just confused why they acted guilty and edited their history without saying anything
That’s literally the definition of “vibe coding”…
No the “definition” (loose term because it’s based on one guys tweet hat invented the word) of vibe coding is to don’t read the code, accept any changes and code purely of vibes.
Wait, there is a full Wikipedia article that I knew I looked at recently: https://en.wikipedia.org/wiki/Vibe_coding
This is entirely wrong?
I only read the intro and definition sections, but the article lines up exactly with what Evotech said.
One is completely idiotic and dangerous and the other is merely stupid and risky?
OK Luddite
We’re talking about a privacy-first platform, but ok.
Hey, guess what: Luddites were not afraid of technological advancement. They were a solidarity movement to ensure they got fair treatment from owners and managers as their jobs changed with the industrial revolution. You tried to insult someone, but essentially called them pro-union, which is pretty cool, imo. Check out Blood In The Machine.
WORKERS FIRST!
at least I can write code without a LLM babysitter.
I wire my code by hand like a real coder.
No punch cards?
I use butterflies
Nawww good job! Do you want a golden star for writing all that boiler plate, getter/setter methods etc. by hand?
Your syntax and overall comprehension are pretty shite. You may not vibe code, (allegedly) but you may be better off vibe posting. I know the rest of us would be, that way. 🤢🤌🏼
Buddy, if you were writing all that boilerplate by hand before AI, then AI wasn’t the solution to your problems. It takes almost no time at all to write a parameterized code snippet in any modern IDE
ok and? No other service offers as complete a package as Proton
This is the argument people use when discussing Microsoft products
Is M$ stuff provably e2ee? Is Proton a publicly traded company? Does M$ have even close as good a track record as Proton? Are most M$ clients OSS?
Edit; Proton isn’t perfect, not by a long stretch. I’m not stanning them either way, but being alarmist and giving in to mob mentality is counterproductive.
For me they just offer the right balance of being partially OSS, strong privacy and strong security that I can pragmatically “overlook” things even as a leftist and free/libre “hardliner” (as I already mentioned: the pragmatic kind. I don’t see a point in using Linux-Libre and am ok with proprietary blobs or “tainted” packages for codecs necessary for piracy if there is no alternative and if they don’t cause active harm (as in “phoning home” or shit like that. Linux-libre is a detriment to your security BTW)
Oh lookie here we got another Proton payer slash sucker who likes to rationalize giving money to corporations because “privacy”.
I don’t mean to sound alarmist, but you seem really naive while trying to lick Proton’s boots.
Yeah, I’m hypocritical with proton, I use it myself, but I think people should just pay a bit more attention to what they’re doing.
I use it with the full knowledge that they will start to track me and share my IP with Europol if they come with a warrant. (They are unable to comply with anything further, thanks to their e2e architecture)
It is part of my threat model and I use it solely for private stuff.
I couldn’t care less that the CEO had one slipup praising a Republican with a seemingly good track record (although I did not investigate that matter)
And being a Luddite about AI is really counterproductive, it has arrived in our society and if correctly utilised will be just another tool used to automate or autocomplete etc.
Basically what your IDE already does but on steroids
(Disclaimer: it’s Friday and I’m tired so there is a real – if small – chance I’m being a contrarian armed with superficial knowledge. I can’t rly tell myself 🙃)
They are unable to comply with anything further, thanks to their e2e architecture
How do you know some crappy generated code isn’t doing some kind of stupid logging?
TBH this isn’t a great argument for open source code. You know it’s not doing something stupid in the exact same way you know a human written application isn’t doing something stupid.
1- You review it yourself to double check OR
2- You hope that the community is reviewing it and that you would be made aware of problems OR
3- You just don’t know.
Because I know how software development works IRL LOL
I don’t think using proton is a personal moral failure, I just think these things are worth discussing.
I totally agree, but think that the toot you shared is a bit alarmist
I don’t really care
ok.
Valid answer!
What question do you think you asked?
There never was a question
Kind of the point I was making…
Can answers only be given for questions, or can they also mean ”reaction"?
Yes.
And still no drive client for Linux…Fuck those guys :)
Rclone foo!
Their Linux VPN client might as well not exist. No kill switch and it randomly disconnects/crashes. Sometimes it completely borks networking necessitating a reboot, which I guess can be better than just leaking your IP?
tf you mean? kill switch does work, doesn’t randomly disconnect and it doesn’t really bork it for me. skill issue? guess my distro based on my pfp
Isolating the VPN into docker + gluetun should (should) solve that particular issue.
I just use plain old openvpn configs. Once my credit runs out ill switch to mullvad. They were the best option for a time, but that changes.
This guy seems somewhat biased against this Proton feller
I’m definitely vibe coding all my stuff, why wouldn’t I? I’m still responsible for what I commit to main but it’s so much faster to get shit done like this
If you don’t break the project style, other code, and you actually test and review what you write, then yea
Yeah that’s the idea. seems like many people are thinking that either you don’t do code reviews at all or you’re writing every line of code yourself even if AI could have done a lot of grunt work.
I can’t wait until you guys get real jobs and then realize that every company that is serious about software development heavily pushes for AI tools such as CLINE or Cursor. I use it at work but I wouldn’t say I am vibe coding (mainly because it sucks ass). the reason they deleted the file from the repo is unlikely because they don’t want people to know they use AI, it’s more likely because AI rules files can contain info that you don’t want to be made public
All large corpos are pushing this on all of their paper pushers… That’s why this AI is called LLM
It is a tool… It is as good as the person using it
It is a tool… It is as good as the person using it
Yea, and people are still mad about it and somehow believe people just copy paste everything without checking
To be fair, fake news got them work up about how it will take ur jerb…
Anyone one with any w2 slavery experience will quickly asses that ain’t true…
But they miss the part where it is a tool and it scale with your skill level. Anyone using to try to get the right answer will fail.
Smart user will uses in the work flow where it helps and just keep doing their job otherwise
It will put pressure on entry level. But it ain’t replacing mid level cogs that actually do all the work
mainly because it sucks ass
So many people ignore this and repeat the Big tech PR talking points about AI. I had a colleague enthuse about AI agents, then demonstrate it and say “well it’s currently a little bit shit”
The fuck people! Wake up!
If you’re serious about software you push design patterns and code reviews, if you’re serious about grifting investors you push LLM nonsense.
I fail to see how those two options are mutually exclusive???
You only start a project/feature once (hopefully), you either do so from sound basic principals or prompting. You don’t get to have multiple first priorities.
once again, you think it’s an all or nothing scenario, you can use an LLM while also doing code review and basic principles. You are the one telling the AI what to do, it will execute your instructions as you told it to, to the best of today’s LLM’s capabilities
Um, it’s a public repository. You can view the code that’s been added. Even if it IS AI generated, you can review it yourself.
I’m as anti-AI as anyone but this is misplaced AI-alarmism.
can review it yourself.
You’re a supervisor and you have 2 employees: Bill and Jim. As a supervisor your job is to ensure the work is being done correctly.
Bill is competent and rarely makes major mistakes. Jim does a decent job most of the time … but he’s also a savant at screwing up – he regularly fucks up in ways that aren’t immediately obvious but are guaranteed to cause serious problems days to weeks from the screw up.
You can glance over Bill’s work and be fairly certain it’s fine. You need to go over every single piece Jim’s work to check for problems, and even then some are probably going to slip through.
AI is currently Jim, and Jim has no business writing code for anything privacy or security focused.
That is pretty immaterial to the issue. The issue is that when it comes to security, it’s extremely poor form to rely on unintelligent mimicry.
Probably anti-Proton. I’m no conspiracy theorist, but the amount of pro BlueSky, anti Proton, anti Signal people I see on Lemmy make me wonder sometimes.
It really reminds me of the Mastodon mob mentality that caused so much trouble for fosstodon :/
Genuinely most of the people against bluesky/atproto haven’t looked into it further than the blogpost by Christine lemmer-webber, and just want to be eliteist about being on the fediverse.
Proton CEO did it to the company…
Signal requires a phone number… If you don’t see an issue with that… Then you live in a better place than the rest of us. I am happy for you.
The question is not is Proton perfect in every conceivable way, the question is: is it more private than Google and the answer to that is yes.
When you opine on social media that Proton is somehow just as bad as Google you are doing the work of Google and that’s the part that (again I don’t truly believe this) makes me wonder if Google/Meta/Twitter is sowing the social web with seeds of doubt about more private alternatives.
Proton ceo is a pedo king bootlicker and their product lacks focus was my criticism.
You ain’t never gonna catch me defending sundae the creep and rest of then parasites
for private communication Signal is the gold standard lol
Not everyone needs shitty xmpp extensions, Matrix that lacks PFS and is enshitiffying as we speak (I say as an avid user) or overkill like Simple X or Briar.
Sure… But you are also feeding NSA meta data on your communications which is whatever I guess for most people but I don’t like it
You seem to be misinformed. Signals architecture is explicitly designed in a way to minimise metadata as much as possible. You can look up the data they had to hand over due to lawsuits, it was absolutely minimal
minimise
Just enough, just enough
Download portmaster and review signal connections ;)
I know that Signal runs on US cloud infrastructure (like AWS IRRC)
Doesn’t change a thing about it’s security or what they had to disclose to authorities
Signal is the sad compromise for the people I hold dearest because I refuse to use Messenger anymore and SMS is a joke with how glaringly unencrypted/de-facto wiretapped it is.
I’d love to get everyone on SimpleX but they already look at me like a wacko over Signal. The convenience tax is just non-negotiable for them and I have no idea how to bypass it.
I used to be a big proponent of simplex even if I dont use it with anyone, but I was told that the main developer supports tr*mp and m*sk… If you go to their github, they only link twitter as their social media and if you check their account…
https://github.com/epoberezkin (dunno if were allowed to share twitter links)
Talks about “far-left radicals”, says that nazis were socialist etc. etc. … Really yikes
Yuck. Well then again we sit in Lemmy, and the lead dev is a proud tankiest tankie. Open source do be like that.
Simplex ain’t ready… So ain’t pushing it as of now.
Once it is normie ready, I will start the move.
Signal is a temp solution
With that being said, I agree 100% with your comment. We work with what we got today!
Does anyone here actually review code?
Yes, and it’s one of the most important things I do. Given the AI codegen boom we’re seeing, it’s also the skill I have that is increasing the fastest in value.
yes as a consultant/freelancer THIS is where the majority of my work is coming from now. if you’re good at this SERIOUSLY consider consulting and freelancing for various companies that are now desperately trying to fix their AI tech debt. It’s the ONE thing that is completely in demand right now due to the sheer incompetence of all these places that decided vibe coding and AI was the way to go.
you have no idea how much money you can potentially be making right now doing this. I’m booked solid for the rest of the year purely because of this.
Does anyone here realize that one person using Cursor doesnt mean “tHeY’rE vIbE cOdInG aCrOsS tHe wHoLe pLaCe!”
Then why didn’t they just say that instead of being shady and rewriting history?
Because it’s also not a great idea to expose your rules files, and tell people first “oh shit, we mentioned rules files. Please don’t look!” before
I’ll be honest here, I’ve had less dogmatic conversations with conspiracy theorists about COVID. If you just need to make this a huge problem that later turns out to be a nothingburger and you’ll never look back and grow as a human, then hey, you do you. But know that you’ll look like a fool to anyone that isn’t a goldfish and remembers more than 3 months at a time. Because you clearly don’t know what’s a big deal and what’s not, and this is a Grade A waste of all our time to pitch a fit about.
Uh yeah? You’d be stupid not to review code, whether written by an AI or a human. I don’t trust either.
I’m guessing OP means code you use rather than code you write, in other words auditing. Likely very few of us do that with any thoroughness. IIRC proton does have some independent auditing.
That’s what I mean too. Y’all don’t just copy-paste from stack overflow praying it works do you?
That obviously not what they meant. They mean, do you review the code for every open source application you use? Do you review every library you utilize? I’m willing to be it’s a no for both of these, because no one has time for that.
No, like proton mail app. Have you reviewed it? Or Signal or Veracrypt or TheNewHotness.
Only my own code and so far most of it has been unacceptable.
Pure, unabashed honesty. I love it. 🫶
I’d bet they just added it to their global .gitignore where it should be, then removed it because they didn’t want their private dot files committed to a public repo.
I don’t think this user knows much about git works. I don’t think this is nefarious or “vibe coding” as it’s colloquially known to be. It’s a bit much to describe all LLM use blindly as vibe coding, when vibe coding usually means just blanket accepting AI content.
Pretty on point, the .gitignore in the repo has a CLAUDE.md
https://github.com/ProtonMail/WebClients/blob/main/.gitignore
I don’t think the concern is as much with the purity of their vibe coding, but rather that they’re using an AI-first editor. This will almost certainly mean everything they’re coding is being shared with AI provider(s) during the process, which some would view as at odds with Proton’s stated emphasis on privacy.
Privacy for a codebase is not the same as privacy for me. Security through obscurity would be more at odds with privacy for the end user.
Are we really shitting on companies because they have a config file for the wrong editor? Sorry, a config file for the wrong editor (excluding emacs because be as prejudiced as possible against those folk)?
Do I like “AI First” editors? Hell no. But VSCode is rapidly making that pivot and I don’t know the lineage of Cursor well enough to know if it also used to be “just any other editor”. And, from a quick google, it supports local LLMs (e.g. ollama), so the “Big AI is going to have all your code” problem is mitigated…
Also, the repo is on Github. Big AI (Microsoft) already HAS all their code. And before we have “Well you should selfhost a gitea!”: If your website is public facing, it has been scraped by “AI”. And if your open source project is hidden behind ten paywalls? I am not gonna finish that joke because people get really pedantic and pissy when you try to define “Open Source”.
At the end of the day: At a project level? If active code review by qualified developers is going on, I really don’t care how the code was written. I DO care about those individual developers and their abilities as they continue to use “AI” based tools but… that is a different discussion.
I WOULD be interested in a link to the actual offending file. I’ve been part of enough projects where it was easier to just have dotfiles for every major editor because you have a wide range of contributors and no true scotsman doesn’t have one of the local vimrc style plugins running. Whereas if it is massive instructions on how to generate code, I would get a lot more worried.
But an unsourced screenshot of a discussion thread ain’t it.
I wasn’t shitting on anybody. You’re ranting is misdirected.
But isn’t this a public repo?
Is the privacy of their code that much of an issue in this case given its a public repo? Its going to get scraped by the bots regardless.
The committed code in the repo will get scraped anyway, but the data used in testing is a different story. Not that anyone’s ever tested with prod data.
I don’t think the issue is a practical one though. It’s more the company that stands on promises of privacy using tools that are overtly share-happy that seems to be a ideological discrepancy.
But in case my initial comment’s “I don’ think…” wasn’t clear enough, this was my attempt at understanding why this might be a concern (or at least of interest) to folks in this community, not a personal statement of condemnation or anything. I personally could not give less of a shit what code editor they use.
Yeah, this logic would encompass all open source projects. Hell, my comment right now will be read by an AI. Why? I’m posting it in a public place.
Because every interaction with the monster is an influence on its next iteration.
How far have the mighty fallen.
Thinking of moving my main e-mail address to tuta. Alas, haven’t been able to find a good provider that uses tried-and-true protocols like IMAP.
Posteo?
I would very much consider doing some actual research on tuta. Last I checked, they put a LOT of effort into preventing you from controlling your own inbox (Proton have their god awful sync program but it works). And their support forums were basically nothing but constant complaints of downtimes and outages.
My current approach, that I am slowly migrating everything toward (from gmail), is my own domain that I own and addresses at that. I then use (paid) services to manage the email server and just change my DNS settings so that said emails get routed to the right service. I keep a local copy of all my emails on my desktop (working on a solution to my NAS). So if the company goes to shit? I can migrate my entire existence to a new one within 24 hours (usually less because Cloudflare is really good…).
Currently I use Proton (and hate their sync program). I’ve seen a LOT of good word on Fastmail and like that they don’t have any special sync program at all. Main issue is that Proton still have the best VPN for torrenting (linux ISOs only, obviously) and I need to math out what it would cost to switch to just ProtonVPN and then Fastmail. But (Not That) Will Smith wrote up a really good blog post a few months back where he went into why he likes Fastmail and he (and Brad Shoemaker) tend to be my kind of “Yes, I am making my life harder but for a reason maybe”.
not email but are there any good alternatives for cloud storage? i backup some of my passwords and pictures to my proton drive manually
Hold your horses buddy it ain’t that bad, but if you want an alternative, Try Disroot
Love mailbox.org, got the lite plan for €12 per year and works like a charm. Can use the secure mail address or the reg and just paste your public key into to use with Thunderbird.
That’s what I’m in the process of switching to
How is this proof of vibecoding?
Cursor is an AI-powered code editor that understands your codebase and helps you code faster through natural language. Just describe what you want to build or change and Cursor will generate the code for you.
Sure, but even VS code has been pushing Copilot pretty hard and from the screenshots the setups look fairly similar. It’s a recently released code editor with their own personal AI built in vs. VS Code which has the AI as an extension (or built in, I don’t know what the default install is like these days).
If they’re using it to auto complete lines of code or fill out boilerplate then I don’t see the problem. If they’re typing “make me a password manager” into the prompt window, hitting enter, and accepting it blindly, that’s a problem. Also the code is (at least in this case) open source, so there should be better evidence of bad vibe coded code than the presence of a config file
I think there are better things to criticise Proton for, and unless there is more to the vibe coding than using the Cursor, citing this as a reason will get those other criticisms ignored in the noise.
Using cursor doesn’t mean you’re vibe coding.
I use ai all day at work for development, none of it is vibe coding.
Yeah there’s a big difference in code quality between using cursor as an aid to write code and vibe coding which would be asking it to write and debug large swathes of code with little human input. AI is very good at correctly writing a couple lines at a time. It quickly loses the plot when trying to write hundreds of lines or more and the human user has no idea what it’s doing anymore.
Cursor is an “ai powered” code editor, cursorrules is a file it uses for configuration.
Unfortunately, so is Visual Studio and VS Code.
The presence of an AI assistant isn’t evidence of vibe coding. Even using that AI assistant to auto-complete lines or small sections of boilerplate isn’t vibe coding. To do that you need to ask the AI for whole swaths of code and then just accept what it gives you.
Proton’s repo here is open source. What portion of it presents issues? Any?
Why would you use Cursor instead of VS (the standard for decades) if you’re not going to use the AI features Cursor was specifically created for?
Sure, but cursor is different since it’s marketed as an Ai editor. VScode is just a general one.
Proton’s repo here is open source. What portion of it presents issues? Any?
Ai code is plausible bullshit, it may work, it may have bugs or vulnerabilities. It’s harder to spot these since its plausible bullshit.
Your opinion is based on your ideology of what’s wrong and good, but it is not factual
Dude, you’re flaming a company because one of the tools they use is marketed as using AI? You gotta be kidding me. If your bar for privacy requires you to dive down this deep into a company’s asshole, you might as well just become Amish
Poor choice of words on my part, The only appeal of cursor over vscode is the ai features.
this is, after all, why we review and trst code.
but cursor is different since it’s marketed as an Ai editor. VScode is just a general one.
See, that is just the thing: VS Code is marketed as an AI editor. The homepage is literally an autoplaying video of an AI writing code with this title, big and bold, right at the top of the screen:
Poor choice of words on my part, The only appeal of cursor over vscode is the ai features.
This really depends on what their code review process looks like. When I review code, I honestly don’t care how it was generated, I look at the requirements and the code, and determine whether the code meets the requirements. How the code was generated doesn’t impact that at all.
It doesn’t matter Proton is the whipping boy of the fediverse
If you were smart enough to look for an answer to the actual question being asked instead of assuming it’s a rhetorical that agrees with your bias you’d have learned something today.
I wish it was
