cross-posted from: https://lemmy.dbzer0.com/post/50693956

Transcript

A post by @zzt@mas.to saying: courtesy of @davidgerard@circumstances.run, Proton is now the only privacy vendor I know of that vibe codes its apps: In the single most damning thing I can say about Proton in 2025, the Proton GitHub repository has a “cursorrules” file. They’re vibe-coding their public systems. Much secure! I am once again begging anyone who will listen to get off of Proton as soon as reasonably possible, and to avoid their new (terrible) apps in any case. https://circumstances.run/@davidgerard/114961415946154957

It has a reply by the author saying: in an unsurprising update for those familiar with how Proton operates, they silently rewrote their monorepo’s history to purge .cursor and hide that they were vibe coding: https://github.com/ProtonMail/WebClients/tree/2a5e2ad4db0c84f39050bf2353c944a96d38e07f

given the utter lack of communication from Proton on this, I can only guess they’ve extracted .cursor into an external repository and continue to use it out of sight of the public

  • pheggs@feddit.org
    2 days ago

    self-hosting email, text based clients and a deeper understanding of the protocol made me start to love email. I didn’t think it was possible to love email.

  • Mio@feddit.nu
    2 days ago

    I don’t see any problem with AI coding. It can be done without the editor supporting it by just asking for a function like please implement a sort function given a list of numbers.

    Proton code is open source, so all AI agents have already read everything. You as the user just have to do the code review, fix it and test. I am not seeing any problem here.

  • vga@sopuli.xyz
    2 days ago

    The only way to completely avoid things developed by vibe coding will be to stop using computers of any kind. Go full Thoreau.

  • AHemlocksLie@lemmy.zip
    3 days ago

    God dammit, I wish I could reasonably roll my own email, but noooo, spammers and blacklists had to fucking ruin it. Now I get to research a new provider and change email on a bunch of accounts…

    • dogs0n@sh.itjust.works
      3 days ago

      Spammers and blacklists may not be as big of an issue as you think, as long as you don’t share your real email with untrusted apps (eg: only use email aliases from something like Simplelogin or anonaddy).

      Nevertheless you could always set up your own domain with an email service, which lets you more easily migrate platforms.

      I believe simplelogin lets you change your mailbox for aliases so in an event that you are changing email address, you can redirect those too.

      • Evotech@lemmy.world
        3 days ago

        That’s not the issue

        It’s a massive pain to actually get your emails to be received if you use a random self hosted ip

        • dogs0n@sh.itjust.works
          2 days ago

          Oh I guess that’s what they meant by blacklist, was not thinking of ip reputation? If that’s the issue, I have never experienced it, I believe there are tools you can use to see if your ip is bad and in that case u can probably ask ur isp for a new one (if u pay for static ip).

          My other advice for using your own domain still stands, makes it a lot easier to swap around providers.

    • Uninvited Guest@lemmy.ca
      3 days ago

      Non programmer here: This is the first time I’ve seen a cursor file but I genuinely like how it reads. It’s like a business analyst wrote a coding requirements doc. I’d be thrilled if my staff asked 4-6 thoughtful questions when given a goal with an open ended approach.

      For which LLM are cursor files used?

      • NotMyOldRedditName@lemmy.world
        3 days ago

        Cursor is just an IDE (integrated development environment), you can set it up to use all sorts of LLMs either directly through Cursor, or with your own API keys for the sources.

        This file content just goes into the initial context to help the LLM act how you want.

  • x1gma@lemmy.world
    4 days ago

    Just because they are using Cursor, it doesn’t mean that they are vibe coding. Anyone grabbing their pitchforks for that and screaming “they are vibecoding” only shows their own incompetence.

    If they would be vibecoding, their whole software would’ve gone to shit long ago.

    Just because some random people without an engineering background are using vibecoding to push their broken slop, it doesn’t mean that any kind of AI assisted coding is bad.

        • deaddigger@sh.itjust.works
          2 days ago

          So when they do code reviews and a complete file slipped through what does that say about the quality of their reviews? Either they didn’t want this file in there, then their qa is shit or they did want that file in there, then they are vibe coding to an extent

          • x1gma@lemmy.world
            2 days ago

            You’re jumping to conclusions. Bigger companies missed bigger problems in their reviews and QA. Why should they be wanting their cursorrules in there, and what kind of mental gymnastics is it to conclude that they are vibecoding based on that. You don’t need it committed, you don’t even need it to be in the project directory.

    • xthexder@l.sw0.com
      3 days ago

      If that was the case, maybe they would have responded with that instead of covering up the evidence

      • x1gma@lemmy.world
        3 days ago

        It’s definitely badly communicated and suspicious, I just called out jumping to extreme conclusions based on a suspicion alone. There probably will be people who are gonna review the code and see how much of it is probably LLM generated, and then we will know. I still think that it’s pretty much impossible to vibe code something on that scale, but I haven’t seen their cursorrules either.

  • Soapbox@lemmy.zip
    4 days ago

    If they would vibe code a functional Proton Drive Linux client then I might be OK with it.

  • orca@orcas.enjoying.yachts
    4 days ago

    Speaking as someone who hates generative AI but has been forced to adapt to using AI in the programming field to stay relevant, this doesn’t suggest they’re vibe coding. The programming world is the only place AI has actually added value (I should note it’s done some neat stuff helping with diagnoses in the medical world too), but like everything, you get what you put into it.

    Feed it enough instruction and context, and it can handle the drudgery of things like tech debt updates and other things a programmer knows how to do, but would rather offload to a tool. I’ve had Claude do refactors like that while stepping through and reviewing every single change. It has saved me hours, spared me from hell, and made me look good at work.

    That’s my grounded take as a person that has worked with Claude a ton.

    But AI everywhere else? Fucking worthless. The whole point is to do the bullshit mundane tasks so that us humans can do art and passionate work, not the opposite.

    • HiddenLayer555@lemmy.ml
      4 days ago

      The programming world is the only place AI has actually added value

      I’d say this is mostly because you can immediately test the AI’s results and rule out anything it got wrong, and whatever errors you generate can then be fed back into the AI so it can refine what it’s already written. You never have to just trust the AI (assuming you yourself still know how to code) like you have to when using it for research or for solving problems where you don’t get immediate feedback.

      Whether this means programming is actually a viable niche for generative AI or whether this speaks more to the limitations and inherent unreliability of the “knowledge” the AI has, I can’t say.

      Also, I don’t know if it’s just me but I’m more scared by how fast AI is advancing rather than looking forward to what it can do for me. That definitely clouds my perception when something is AI generated and makes me a lot more dismissive of any real benefits AI might have brought.

      • 18107@aussie.zone
        3 days ago

        It will allow you to see if the AI has made any syntax or runtime errors. It does not tell you about any logic errors.

        Logic errors are already the most dangerous kind of programming error, and using AI just makes them even harder to find.

        Using AI will only help you with syntax (which any good IDE should already be able to do) and finding information faster than a search engine (but leaving out important context). AI is not useful for programming anything that will be made public.

        • iglou@programming.dev
          3 days ago

          The danger of vibe coding is that the people doing it either don’t have the skills to or don’t think it’s important to review the AI changes.

          If you work with an AI and instead of taking time typing through boring tasks, take time reading through the changes, then there isn’t much of an issue. A skilled software engineer is capable of noticing logic errors in a code they read.

          If the generated code is too unnecessarily complex to ensure its logic is okay, then scrap it.

          I don’t use it in that way (only use JetBrains’ line completion AI) but I don’t see a problem if it is used that way.

          However, if I review a code that was partly generated by AI and notice that the dev let through shitty code without review, the review will be salty.

      • orca@orcas.enjoying.yachts
        3 days ago

        Yeah, you get immediate feedback, vs a scenario where you have to manually check the “facts” it provides in order to ensure it’s not hallucinating. I’ve had Copilot straight up hallucinate functions on me and I knew that they were bullshit instantly.

        I iterate with it a ton and feed it back errors it makes, or things like type mismatches. It fixes them instantly and understands the issue almost every single time.

        That’s the trick. Iterate often and always give it new instructions if it does something stupid. Basically be as verbose as needed and give it tons of context, desired standards, pitfalls to avoid, whatever. It helps a ton.

    • hddsx@lemmy.ca
      4 days ago

      Oh I need to learn from you. I was literally just told I need to learn AI to stay relevant. What’s the minimum way to go about doing so?

      • orca@orcas.enjoying.yachts
        3 days ago

        I’ve had the greatest success with Claude. The company I work for basically let us all go wild with a few to trial, and Claude has been the best for all of us—even better than GitHub Copilot.

        I pay for my own pro plan outside of work and use the VSCode plugin. I’d say read the quickstart guide and experiment with it. Start off with having it do smaller changes and don’t be afraid to be verbose. The more context, the better. Point it to existing files you want to follow the patterns of and model after; give it links to resources for best practices, etc. You can also use it in “plan mode” if you want to see its proposed approach before it starts editing.

        I also recommend leaving it so that each change it makes requires your approval (it will do this by default and you can step through everything). That way you always have some control and if it does something dumb, you can stop it at that step and pivot with a different instruction. Alternatively, if you want to see it go ham and carry everything out without approval at each step, you can enable auto-accept.

        Once you get into it, start looking into how to craft instruction files. You can have those at your disposal for things like writing tests, language-specific guidelines and practices, etc. That way you can make sure it uses those as a reference so you don’t have to give it the same instructions over and over with every prompt.

        If you hate writing tests, I’ve had really good luck letting it handle that. I tend to use it more for the bulk tasks that suck. For things where I want more control, I work with it on a piecemeal basis in my project.

        • FauxLiving@lemmy.world
          3 days ago

          I use it for obscure methods that I don’t know immediately and searching the documentation would take longer than just letting the AI write a code snippet and then looking at the functions that it uses if I don’t recognize any.

          It’s kind of like searching, except I can ask for things in a more vague manner.

  • ☂️-@lemmy.ml
    4 days ago

    yes, i’m fucking telling you guys so.

    a dude that unironically praises a fascist is either malicious or very dumb. turns out he’s just fucking dumb.

  • acute_kernel_panic@lemmygrad.ml
    4 days ago

    It might have been that some employee just tried out cursor and accidentally added it to the repo. That is true.

    However the complete lack of communication suggests otherwise. And depending on your threat level you should always assume the worst.

    As for the use of ai in general, in my opinion there are occasional places where ai can be used without compromising security.

    So depending on your threat level this can actually be a big deal.

  • plm00@lemmy.ml
    4 days ago

    Plug for Tuta. 🤷‍♂️ The user experience isn’t the best, but it’s as secure as it gets. Small team, no vibe coding.

    • sunzu2@thebrainbin.org
      4 days ago

      Hmm… Been looking into it myself recently. What’s your issue with the user experience?

      Seemed like a better email/call product all around plus extra 5gb for email storage

      • plm00@lemmy.ml
        4 days ago

        Not an issue, per se. In order to keep the team small they built most of the app in a single codebase. It’s mostly web code, and the apps are wrappers for it. So it keeps it unified between all clients but it definitely feels like a web wrapper, so it can feel a bit slow or clunky.

      • chortle_tortle@mander.xyz
        4 days ago

        I have tried Tuta out, it’s fine from my very limited use, but kinda locked in in ways I don’t really care to pay for. Last time I saw it brought up some other folks were recommending mailbox.org. I don’t know about it too much, but might be worth looking into as well.

      • [object Object]@mas.to
        4 days ago

        @sunzu2 it feels janky as hell, it’s missing advanced features (someone in the other thread asked about Sieve filters), and it doesn’t support non-Tuta clients. their development cycle is so slow I can’t count on any of these features cropping up anytime soon.

        with those criticisms in mind, Tuta’s still approximately the only credible choice remaining for threat models where end-to-end encryption is important. we desperately need better fully open source options for this.