- cross-posted to:
- fuck_ai@lemmy.world
- privacy@programming.dev
Transcript
A post by @zzt@mas.to saying: courtesy of @davidgerard@circumstances.run, Proton is now the only privacy vendor I know of that vibe codes its apps: In the single most damning thing I can say about Proton in 2025, the Proton GitHub repository has a “cursorrules” file. They’re vibe-coding their public systems. Much secure! I am once again begging anyone who will listen to get off of Proton as soon as reasonably possible, and to avoid their new (terrible) apps in any case. https://circumstances.run/@davidgerard/114961415946154957
It has a reply by the author saying: in an unsurprising update for those familiar with how Proton operates, they silently rewrote their monorepo’s history to purge .cursor and hide that they were vibe coding: https://github.com/ProtonMail/WebClients/tree/2a5e2ad4db0c84f39050bf2353c944a96d38e07f
given the utter lack of communication from Proton on this, I can only guess they’ve extracted .cursor into an external repository and continue to use it out of sight of the public
It’s like complaining an accountant uses a calculator
A calculator produces reproducible results and does not introduce security flaws into your code that you don’t care to look for
Then do care to look for? There are PRs, there is a dev that approves changes. It’s stupid to resist agentic AIs when they boost productivity by a lot.
Citation that isn’t anecdotes please, only actual study I’ve seen into this was a ~19% drop and even that was flimsy.
19% drop in what?
Uh, idk how they got that number. It goes against the observations of literally everyone in the industry, so maybe it’s not the industry that is biased, but the benchmark they did is incorrect?
Like just several sprints before I’ve saved my team by generating proto contracts taking backend repo as a context, as backend was busy with other higher important things to unblock us. No AI here means we would be blocked full stop for the entire sprint. And when backend did generate the contract, it was almost identical, and the diff in contracts allowed to identify the issue in the entities they send.
True, some tasks can be done faster without AI, because you have the context and the amount of code volume is actually fairly low.
But
while the “high developer familiarity with [the] repositories” aided their very human coding efficiency in these tasks.
My brother in Christ, in big enterprise project chances that you have some familiarity with the code, well, they are non-zero, but also not that high.
Uh, idk how they got that number. It goes against the observations of literally everyone in the industry,
Scientific study vs anecdotal data, that’s what studies are supposed to be, the formalisation and distillation of data into conclusions based on said data.
so maybe it’s not the industry that is biased, but the benchmark they did is incorrect?
Possibly, do you know how that’s normally tested?
Like just several sprints before I’ve saved my team by generating proto contracts taking backend repo as a context, as backend was busy with other higher important things to unblock us. No AI here means we would be blocked full stop for the entire sprint. And when backend did generate the contract, it was almost identical, and the diff in contracts allowed to identify the issue in the entities they send.
Anecdote, from a single person.
I don’t doubt that that is your experience, but it’s just that, your experience.
and before you bring out the “but everyone i know all says the same”, that’s still anecdotal, it’s what anecdotal means.
My brother in Christ, in big enterprise project chances that you have some familiarity with the code, well, they are non-zero, but also not that high.
I mean, sure? i’m not sure how that is relevant though.
As i said, the one study i’ve seen is somewhat flimsy…
Do you have literally any other study to back up any claims to the contrary?
My original comment was in response to:
It’s stupid to resist agentic AIs when they boost productivity by a lot.
That might be true, but for it to be applicable the productivity boost needs to be real, and for public claims to be taken seriously, provably real.
That you, personally, think you are seeing this is great, works for you.
deleted by creator
Do you understand the difference between using AI assistance for coding and vibe code?
That’s literally the definition of “vibe coding”…
Removed by mod
Way to tell on yourself by replying in completely the wrong thread.
No, the “definition” (loose term because it’s based on one guy’s tweet that invented the word) of vibe coding is to not read the code, accept any changes and code purely off vibes.
Oh that’s what it means? Ok I think we’re all confused because it’s literally just from one tweet! I need to look this up.
Wait, there is a full Wikipedia article that I knew I looked at recently: https://en.wikipedia.org/wiki/Vibe_coding
This is entirely wrong?
Not entirely, but the crux is here
“Karpathy described it as “fully giving in to the vibes, embracing exponentials, and forgetting that the code even exists.””
I only read the intro and definition sections, but the article lines up exactly with what Evotech said.
From the article you cited. Did you read it?
Unlike traditional AI-assisted coding or pair programming, the human developer avoids micromanaging the code, accepts AI-suggested completions liberally, and focuses more on iterative experimentation than code correctness or structure. Karpathy described it as “fully giving in to the vibes, embracing exponentials, and forgetting that the code even exists.”
It’s not.
make a directory, init a git repo, start claude code in that directory, feed it a prompt (a good vibe coder will utilize another LLM to write them the prompt), then hit shift+tab a couple times, go watch youtube.
that’s vibe coding.
Yeah using cursor or any AI assistance != vibe coding. I’m just confused why they acted guilty and edited their history without saying anything
Maybe they did the git stuff for some other reason. I mean the files are still there 🤷🏼‍♀️
I’m a bit tired of the Proton employee bumped into a tourist and didn’t immediately say sorry sort of posts about proton.
I can’t wait until you guys get real jobs and then realize that every company that is serious about software development heavily pushes for AI tools such as CLINE or Cursor. I use it at work but I wouldn’t say I am vibe coding (mainly because it sucks ass). the reason they deleted the file from the repo is unlikely because they don’t want people to know they use AI, it’s more likely because AI rules files can contain info that you don’t want to be made public
If you’re serious about software you push design patterns and code reviews, if you’re serious about grifting investors you push LLM nonsense.
I fail to see how those two options are mutually exclusive???
You only start a project/feature once (hopefully), you either do so from sound basic principles or prompting. You don’t get to have multiple first priorities.
once again, you think it’s an all or nothing scenario, you can use an LLM while also doing code review and basic principles. You are the one telling the AI what to do, it will execute your instructions as you told it to, to the best of today’s LLM’s capabilities
All large corpos are pushing this on all of their paper pushers… That’s why this AI is called LLM
It is a tool… It is as good as the person using it
It is a tool… It is as good as the person using it
Yea, and people are still mad about it and somehow believe people just copy paste everything without checking
To be fair, fake news got them worked up about how it will take ur jerb…
Anyone with any w2 slavery experience will quickly assess that ain’t true…
But they miss the part where it is a tool and it scales with your skill level. Anyone using it to try to get the right answer will fail.
Smart users will use it in the workflow where it helps and just keep doing their job otherwise
It will put pressure on entry level. But it ain’t replacing mid level cogs that actually do all the work
mainly because it sucks ass
So many people ignore this and repeat the Big tech PR talking points about AI. I had a colleague enthuse about AI agents, then demonstrate it and say “well it’s currently a little bit shit”
The fuck people! Wake up!
How far have the mighty fallen.
Thinking of moving my main e-mail address to tuta. Alas, haven’t been able to find a good provider that uses tried-and-true protocols like IMAP.
I would very much consider doing some actual research on tuta. Last I checked, they put a LOT of effort into preventing you from controlling your own inbox (Proton have their god awful sync program but it works). And their support forums were basically nothing but constant complaints of downtimes and outages.
My current approach, that I am slowly migrating everything toward (from gmail), is my own domain that I own and addresses at that. I then use (paid) services to manage the email server and just change my DNS settings so that said emails get routed to the right service. I keep a local copy of all my emails on my desktop (working on a solution to my NAS). So if the company goes to shit? I can migrate my entire existence to a new one within 24 hours (usually less because Cloudflare is really good…).
Currently I use Proton (and hate their sync program). I’ve seen a LOT of good word on Fastmail and like that they don’t have any special sync program at all. Main issue is that Proton still have the best VPN for torrenting (linux ISOs only, obviously) and I need to math out what it would cost to switch to just ProtonVPN and then Fastmail. But (Not That) Will Smith wrote up a really good blog post a few months back where he went into why he likes Fastmail and he (and Brad Shoemaker) tend to be my kind of “Yes, I am making my life harder but for a reason maybe”.
not email but are there any good alternatives for cloud storage? i backup some of my passwords and pictures to my proton drive manually
It’s not cheap to start with, but the best thing you can do is just go buy a 2 or 4 bay synology (I hear ugreen is also good. Fuck qnap) and set up a local home NAS. The vast majority of people will never need more than that and you can back up all your photos and documents in a form factor you can grab when evacuating a burning building.
For essential stuff where you do want/need an off site backup? All of these cloud services are backed up by Amazon et al storage. Do a bit of research (there are plenty of pre-rolled solutions but people get pissy and annoying) and figure out how to encrypt the important docs and push them to cheap storage. Not free but you are literally paying pennies on the dollar compared to any other paid back-up service and… if the storage is free then you are the product.
Or, if you really don’t care: Learn to encrypt your sensitive important data and put it in a google drive.
would hndl be a concern?
That is up to you how much you care and what encryption schemes you use (which I intentionally will not make a recommendation on). Best practices is to maintain your own off site backups but… good luck.
That said? If we reach the point that the “good” encryptions are trivially decryptable then the entire modern world is already collapsing as e’rybody goes after the banks and governments. Otherwise? That is going to cost significant compute resources. How important do you think you are that someone is going to track a random bucket to you and then focus on decrypting those tax documents?
Love mailbox.org, got the lite plan for €12 per year and works like a charm. Can use the secure mail address or the reg and just paste your public key into to use with Thunderbird.
I’ll be considering it, but if I have to deal with paid services in this good year of Arceus of 2025 I’d prefer them to at least deal with my national currency directly, or fall within my country’s jurisdiction.
I’ve made an exception for SDF simply because 1.- they’re awesome and 2.- the payment is one-time-only.
Posteo?
Looks paid, I prefer to discard any possible solutions on my country’s currency before I even take a look at having to deal with international KYC shit.
Disroot is in my 👀 now because you guys reminded me it was already, some time ago. Let’s see how that one goes!
Hold your horses buddy it ain’t that bad, but if you want an alternative, Try Disroot
Tried that once, long ago, but I honestly don’t remember why I couldn’t complete the signup. Maybe an essay, or an issue with e-mail verification.
Might have to take a look at it again!
They provide no evidence of vibe coding at all. Just because someone is using an IDE with AI (which is most now) doesn’t prove anything.
No one is using Cursor for the IDE feel; Cursor is just a VSCode without MS language servers and with extra AI. It’s an objectively worse experience to use Cursor over VSCode, except if you vibe code.
That’s not exactly proof.
ok and? No other service offers as complete a package as Proton
This is the argument people use when discussing Microsoft products
Is M$ stuff provably e2ee? Is Proton a publicly traded company? Does M$ have even close as good a track record as Proton? Are most M$ clients OSS?
Edit: Proton isn’t perfect, not by a long stretch. I’m not stanning them either way, but being alarmist and giving in to mob mentality is counterproductive.
For me they just offer the right balance of being partially OSS, strong privacy and strong security that I can pragmatically “overlook” things even as a leftist and free/libre “hardliner” (as I already mentioned: the pragmatic kind. I don’t see a point in using Linux-Libre and am ok with proprietary blobs or “tainted” packages for codecs necessary for piracy if there is no alternative and if they don’t cause active harm (as in “phoning home” or shit like that. Linux-libre is a detriment to your security BTW)
Oh lookie here we got another Proton payer slash sucker who likes to rationalize giving money to corporations because “privacy”.
I don’t mean to sound alarmist, but you seem really naive while trying to lick Proton’s boots.
Yeah, I’m hypocritical with proton, I use it myself, but I think people should just pay a bit more attention to what they’re doing.
I use it with the full knowledge that they will start to track me and share my IP with Europol if they come with a warrant. (They are unable to comply with anything further, thanks to their e2e architecture)
It is part of my threat model and I use it solely for private stuff.
I couldn’t care less that the CEO had one slipup praising a Republican with a seemingly good track record (although I did not investigate that matter)
And being a Luddite about AI is really counterproductive, it has arrived in our society and if correctly utilised will be just another tool used to automate or autocomplete etc.
Basically what your IDE already does but on steroids
(Disclaimer: it’s Friday and I’m tired so there is a real – if small – chance I’m being a contrarian armed with superficial knowledge. I can’t rly tell myself 🙃)
I don’t think using proton is a personal moral failure, I just think these things are worth discussing.
I totally agree, but think that the toot you shared is a bit alarmist
Using a corporation to provide “privacy” is most certainly a logical and moral failing.
They are unable to comply with anything further, thanks to their e2e architecture
How do you know some crappy generated code isn’t doing some kind of stupid logging?
TBH this isn’t a great argument for open source code. You know it’s not doing something stupid in the exact same way you know a human written application isn’t doing something stupid.
1- You review it yourself to double check OR
2- You hope that the community is reviewing it and that you would be made aware of problems OR
3- You just don’t know.
Because I know how software development works IRL LOL
I don’t really care
ok.
Valid answer!
What question do you think you asked?
There never was a question
Kind of the point I was making…
Can answers only be given for questions, or can they also mean “reaction”?
Sure. It’ll still never earn respect.
Yes.
They’re cooked
Because 1 coder used Cursor and a bunch of people on Mastodon immediately went to grab the pitchforks because reasons?
How much you want to bet not a single person having a huff about this pays a cent to Proton for anything, and likely doesn’t even use them?
I’d bet they just added it to their global .gitignore where it should be, then removed it because they didn’t want their private dot files committed to a public repo.
I don’t think this user knows much about how git works. I don’t think this is nefarious or “vibe coding” as it’s colloquially known to be. It’s a bit much to describe all LLM use blindly as vibe coding, when vibe coding usually means just blanket accepting AI content.
I don’t think the concern is as much with the purity of their vibe coding, but rather that they’re using an AI-first editor. This will almost certainly mean everything they’re coding is being shared with AI provider(s) during the process, which some would view as at odds with Proton’s stated emphasis on privacy.
Privacy for a codebase is not the same as privacy for me. Security through obscurity would be more at odds with privacy for the end user.
But isn’t this a public repo?
Is the privacy of their code that much of an issue in this case given it’s a public repo? It’s going to get scraped by the bots regardless.
Yeah, this logic would encompass all open source projects. Hell, my comment right now will be read by an AI. Why? I’m posting it in a public place.
Because every interaction with the monster is an influence on its next iteration.
The committed code in the repo will get scraped anyway, but the data used in testing is a different story. Not that anyone’s ever tested with prod data.
I don’t think the issue is a practical one though. It’s more the company that stands on promises of privacy using tools that are overtly share-happy that seems to be an ideological discrepancy.
But in case my initial comment’s “I don’t think…” wasn’t clear enough, this was my attempt at understanding why this might be a concern (or at least of interest) to folks in this community, not a personal statement of condemnation or anything. I personally could not give less of a shit what code editor they use.
Are we really shitting on companies because they have a config file for the wrong editor? Sorry, a config file for the wrong editor (excluding emacs because be as prejudiced as possible against those folk)?
Do I like “AI First” editors? Hell no. But VSCode is rapidly making that pivot and I don’t know the lineage of Cursor well enough to know if it also used to be “just any other editor”. And, from a quick google, it supports local LLMs (e.g. ollama), so the “Big AI is going to have all your code” problem is mitigated…
Also, the repo is on Github. Big AI (Microsoft) already HAS all their code. And before we have “Well you should selfhost a gitea!”: If your website is public facing, it has been scraped by “AI”. And if your open source project is hidden behind ten paywalls? I am not gonna finish that joke because people get really pedantic and pissy when you try to define “Open Source”.
At the end of the day: At a project level? If active code review by qualified developers is going on, I really don’t care how the code was written. I DO care about those individual developers and their abilities as they continue to use “AI” based tools but… that is a different discussion.
I WOULD be interested in a link to the actual offending file. I’ve been part of enough projects where it was easier to just have dotfiles for every major editor because you have a wide range of contributors and no true scotsman doesn’t have one of the local vimrc style plugins running. Whereas if it is massive instructions on how to generate code, I would get a lot more worried.
But an unsourced screenshot of a discussion thread ain’t it.
I wasn’t shitting on anybody. Your ranting is misdirected.
Pretty on point, the .gitignore in the repo has a CLAUDE.md
https://github.com/ProtonMail/WebClients/blob/main/.gitignore
And still no drive client for Linux…Fuck those guys :)
Rclone foo!
Their Linux VPN client might as well not exist. No kill switch and it randomly disconnects/crashes. Sometimes it completely borks networking necessitating a reboot, which I guess can be better than just leaking your IP?
Isolating the VPN into docker + gluetun should (should) solve that particular issue.
I’ve never heard of this before! I read this a bit: https://pimylifeup.com/docker-gluetun/
What is the benefit here? I have no experience with containers, so I’m not really sure what I’m encapsulating there.
A container runs the utility in an isolated environment without having to alter your base system’s packages, dependencies, etc. Assuming the bork that necessitates a reboot is not a kernel or hardware issue, this would mean that if you get hit with that issue again in a container, what dies is the container itself, rather than your system as a whole. So you’re isolating 1.- package management 2.- network config and (potentially) 3.- “blast radius”.
(That said, this is the first time I’ve ever heard that Proton would bork the networking to the point of requiring a whole system reboot.)
Thanks for explaining!
Don’t thank me yet, as I said, this is the first time I’ve ever heard of this kind of bork, so I’m hoping this would fix / sidestep it! :p
I was thanking you for the explanation. I need to spend some time playing with containers and understanding how to manage applications that way.
tf you mean? kill switch does work, doesn’t randomly disconnect and it doesn’t really bork it for me. skill issue? guess my distro based on my pfp
How is this proof of vibecoding?
Cursor is an “ai powered” code editor, cursorrules is a file it uses for configuration.
Unfortunately, so is Visual Studio and VS Code.
The presence of an AI assistant isn’t evidence of vibe coding. Even using that AI assistant to auto-complete lines or small sections of boilerplate isn’t vibe coding. To do that you need to ask the AI for whole swaths of code and then just accept what it gives you.
Proton’s repo here is open source. What portion of it presents issues? Any?
Sure, but cursor is different since it’s marketed as an Ai editor. VScode is just a general one.
Proton’s repo here is open source. What portion of it presents issues? Any?
Ai code is plausible bullshit, it may work, it may have bugs or vulnerabilities. It’s harder to spot these since it’s plausible bullshit.
This really depends on what their code review process looks like. When I review code, I honestly don’t care how it was generated, I look at the requirements and the code, and determine whether the code meets the requirements. How the code was generated doesn’t impact that at all.
Dude, you’re flaming a company because one of the tools they use is marketed as using AI? You gotta be kidding me. If your bar for privacy requires you to dive down this deep into a company’s asshole, you might as well just become Amish
Poor choice of words on my part, The only appeal of cursor over vscode is the ai features.
Your opinion is based on your ideology of what’s wrong and good, but it is not factual
this is, after all, why we review and test code.
but cursor is different since it’s marketed as an Ai editor. VScode is just a general one.
See, that is just the thing: VS Code is marketed as an AI editor. The homepage is literally an autoplaying video of an AI writing code with this title, big and bold, right at the top of the screen:

Poor choice of words on my part, The only appeal of cursor over vscode is the ai features.
Why would you use Cursor instead of VS (the standard for decades) if you’re not going to use the AI features Cursor was specifically created for?
It doesn’t matter Proton is the whipping boy of the fediverse
If you were smart enough to look for an answer to the actual question being asked instead of assuming it’s a rhetorical that agrees with your bias you’d have learned something today.
I wish it was
Cursor is an AI-powered code editor that understands your codebase and helps you code faster through natural language. Just describe what you want to build or change and Cursor will generate the code for you.
Using cursor doesn’t mean you’re vibe coding.
I use ai all day at work for development, none of it is vibe coding.
Yeah there’s a big difference in code quality between using cursor as an aid to write code and vibe coding which would be asking it to write and debug large swathes of code with little human input. AI is very good at correctly writing a couple lines at a time. It quickly loses the plot when trying to write hundreds of lines or more and the human user has no idea what it’s doing anymore.
Sure, but even VS code has been pushing Copilot pretty hard and from the screenshots the setups look fairly similar. It’s a recently released code editor with their own personal AI built in vs. VS Code which has the AI as an extension (or built in, I don’t know what the default install is like these days).
If they’re using it to auto complete lines of code or fill out boilerplate then I don’t see the problem. If they’re typing “make me a password manager” into the prompt window, hitting enter, and accepting it blindly, that’s a problem. Also the code is (at least in this case) open source, so there should be better evidence of bad vibe coded code than the presence of a config file
I think there are better things to criticise Proton for, and unless there is more to the vibe coding than using the Cursor, citing this as a reason will get those other criticisms ignored in the noise.
This guy seems somewhat biased against this Proton feller
If the evil didn’t convince people to abandon Proton, maybe a little bit of AI will. Amazing.
so if nobody likes proton what do you guys do? i am getting tired of the email shuffle.
I’ve been using Posteo for years and don’t have any complaints.
How is the initial storage limit?
I’m not sure what the options all are, but it looks like I have 2 gigs at $1 per month.
I use GPG in Thunderbird with ForwardEmail (because I use a custom domain)
I feel like every email post is a “don’t use platform x” and there are very few (if any?) universally well received services out there. In which case the community will probably just give up and go back to Google.
We probably need a tier chart or something to add perspective. Proton have made dumb decisions recently but they’re still better than Google/Microsoft
I don’t hope to find a secure email platform anymore. If i have some info i want to protect i can encrypt it myself before sending, or send it via some secure instant messaging like signal. Email is too hard to make secure, and in the end of the day, the other person you’re talking to probably has a gmail or something. It’s not worth the hassle imo. There are other ways to have secure communication, outside emails.
This is a great point. We spend so much time navel gazing on the best platform for our side, but what about the other side? Might as well use any old service and encrypt your private comms specifically. Yes it’s effort to encrypt but I think it’s the best compromise of privacy without housing your own mailserver
it’s good to keep secure communications separate anyways, so you don’t accidentally send the secret message to the wrong place or without the security measures.
i don’t get why people want it in the same place as their fucking gaming chats, imagine sending state secrets to #fursuit-showoff because you didn’t notice which specific channel you’re in
self host. you can get great deals on domains and have whatever you want. Hell in many cases you can get free domains with hosting. my domain is a .ca (i’m Canadian) and I got it free for 2 years with a hosting plan that costs me $50 a year. So I’m already saving over Proton, It’s local to me, and I can have unlimited accounts and bandwidth. I also use it to host my portfolio site.
Then I also have my own home server which I use for VPN, Backups, Bitwarden, Git Repos, torrents/media, even have my own searx search engine on it.
I host other stuff, but isn’t email a pain to get working and not marked as spam?
I haven’t had any issues with it being marked as spam as of yet.
I’m definitely vibe coding all my stuff, why wouldn’t I? I’m still responsible for what I commit to main but it’s so much faster to get shit done like this
If you don’t break the project style, other code, and you actually test and review what you write, then yea
Yeah that’s the idea. seems like many people are thinking that either you don’t do code reviews at all or you’re writing every line of code yourself even if AI could have done a lot of grunt work.