cross-posted from: https://lemmy.dbzer0.com/post/50693956
Transcript
A post by [object Object] (@zzt@mas.to) saying: courtesy of @davidgerard@circumstances.run, Proton is now the only privacy vendor I know of that vibe codes its apps: In the single most damning thing I can say about Proton in 2025, the Proton GitHub repository has a “cursorrules” file. They’re vibe-coding their public systems. Much secure! I am once again begging anyone who will listen to get off of Proton as soon as reasonably possible, and to avoid their new (terrible) apps in any case. https://circumstances.run/@davidgerard/114961415946154957
It has a reply by the author saying: in an unsurprising update for those familiar with how Proton operates, they silently rewrote their monorepo’s history to purge .cursor and hide that they were vibe coding: https://github.com/ProtonMail/WebClients/tree/2a5e2ad4db0c84f39050bf2353c944a96d38e07f
given the utter lack of communication from Proton on this, I can only guess they’ve extracted .cursor into an external repository and continue to use it out of sight of the public
You must log in or # to comment.
I’m not sure why being a “privacy vendor” forbids you from using AI tools in your development process
You are buying a bicycle online.
Both are the same price, but one is handmade by a skilled professional with decades of experience, the other is made by a sketchy machine that even it’s creators don’t really understand… and sometimes uses square wheels instead of round.
Your choice.
I see their repo is open source. Is there any actual evidence that the sketchy machine generated any part of it?
But what does that have to do with consumer privacy?
“consumer privacy” in this case would be your safety while on said bicycle, imo, and square wheels will send you for a tumble.
AI slop comes with security holes (see recent Tea business, and countless other examples). As a user of Proton services, paying actually quite a bit of money annually for that — and being that they talk a really big game about how secure and private they are — I expect their app to be MORE secure than your average mail client, not the same, and not very possibly LESS secure.
deleted by creator
I object to your wording of “just” fucking dumb. They’re not mutually exclusive, he’s definitely evil as well.
deleted by creator
Who are you talking about?
deleted by creator
And you think Andy Yen supports Trump because of a single Tweet?
https://medium.com/@ovenplayer/does-proton-really-support-trump-a-deeper-analysis-and-surprising-findings-aed4fee4305edeleted by creator
Nuance? And a Lemmy.ml user?
You also have already failed the purity test by considering a different narrative.
Haha, didn’t even notice, but yeah.
deleted by creator
The only way to completely avoid things developed by vibe coding will be to stop using computers of any kind. Go full Thoreau.
Time to migrate my email accounts I guess.
what is a cursorfile? I’ve hit things like gpt when devdocs.io isn’t getting me what I want because lots of search engine things like “explain the google maps api” are becoming like searching for a dinner recipe; they contain 300 paragraphs of life story. When I just want to actually RTFM and shit’s hard to find. I don’t copy/paste code into projects just try to find better manuals.
Cursor is a vscode fork with Ai features, cursorrules is a config file for it.
gotcha. thanks!
VS Code also has AI features. Would you be telling people to not use other suites if they were being developed in VS Code? Why should they be forced to use an IDE that explicitly excludes AI?
Is vscode marketed as an ai code editor?
Yes…
Poor choice of words, what’s the appeal of cursor over vscode? the ai features.
Pretty sure they both have the same AI features
TIL: devdocs.io, thx!
Visual Studio and VS Code have an AI assistant as well, yet we don’t decree all programs written with them as ‘vibe coding’. The presence of an AI assistant in the IDE isn’t evidence of vibe coding.
Proton’s repo here is open source. What portion of it presents issues? Any?
VS existed long before the AI features were added.
God dammit, I wish I could reasonably roll my own email, but noooo, spammers and blacklists had to fucking ruin it. Now I get to research a new provider and change email on a bunch of accounts…
Spammers and blacklists may not be as big of an issue as you think, as long as you don’t share you real email with untrusted apps (eg: only use email aliases from something like Simplelogin or anonaddy).
Nevertheless you could always setup your own domain with an email service, which lets you more easily migrate platforms.
I believe simplelogin lets you change your mailbox for aliases so in an even that you are changing email address, you can redirect those too.
That’s not the issue
It’s a massive pain to actually get your emails to be received if you use a random self hosted ip
Google accepts my emails though, they just go to spam, which isn’t a big deal to me
Oh i guess thats what they meant by blacklist, was not thinking of ip reputation? If that’s the issue, I have never experienced it, I believe there are tools you can use to see if your ip is bad and in that case u can probably ask ur isp for a new one (if u pay for static ip).
My other advice for using your own domain still stands, makes it a lot easier to swap around providers.
I can believe that someone at proton vibecodes, and that their files got ob to the tree, but saying that proton as a whole does it is strange.
All the people making excuses for them are basically the same people that made excuses for Meta being on the fedaverse. You people always want to do a wait and see approach, meanwhite these companies run amok. Proton was dead when they started supporting Trump. All you pussies supporting them, keep supporting them. See what you get for it. Just another trash AI company putting out more garbage.
Just because they are using Cursor, it doesn’t mean that they are vibe coding. Anyone grabbing their pitchforks for that and screaming “they are vibecoding” only shows their own incompetence.
If they would be vibecoding, their whole software would’ve gone to shit long ago.
Just because some random people without an engineering background are using vibecoding to push their broken slop, it doesn’t mean that any kind of AI assisted coding is bad.
If that was the case, maybe they would have responded with that instead of covering up the evidence
It’s definitely badly communicated and suspicious, I just called out jumping to extreme conclusions based on a suspicion alone. There probably will be people who are gonna review the code and see how much of it is probably LLM generated, and then we will know. I still think that it’s pretty much impossible to vibe code something on that scale, but I haven’t seen their cursorrules either.
Do … you understand what the words “code review” mean?
Absolutely, I do them daily, what about you?
So when they do code reviews and a complete file sliped through what does that say about the quality of their reviews? Either they didnt want this file in there, then their qa is shit or theydid want that file in their, then they are vibe coding to an extend
Youre jumping to conclusions. Bigger companies missed bigger problems in their reviews and QA. Why should they be wanting their cursorrules in there, and what kind of mental gymnastics is it to conclude that they are vibecoding based on that. You don’t need it committed, you don’t even need it to be in the project directory.
If they would vibe code a functional Proton Drive Linux client then I might be OK with it.
What’s a good alternative VPN provider in EU, not based in Italy? Mullvad is not an option, port forwarding is an absolute requirement.
Also, is there anything out there that ties password/account management and temp emails together as well as proton pass?
Unsure but you could check out bitwarden for your second question
I also use bitwarden (work), and it only does password management. It doesn’t do email and alias generation.
deleted by creator
is eu absolutely required? i like windscribe (paid) but they’re based in canada.
Depends on what you’re doing with it. If it’s just for normal privacy you could just get a vps and install any of the wireguard packages. If you’re using it to evade copyright enforcement (or something similar) I don’t have an answer for that, but a VPN with your name attached is no longer a good idea probably.
Yeah it’s not just for privacy, hence the port forwarding requirement.
AFAIK nothing has shown issues with the privacy of either email or VPN? At least not something that wasn’t caused by blatant idiot user error like the guy with his apple email as recovery email.
You should jump into the other threads about this before you take out your pitchforks. They’re using cursor, it doesn’t prove they are vibe coding. Visual Studio also has AI features, that doesn’t mean you are vibe coding.
See my comment here.
Cursor is literally marketed as “The AI Code Editor”. I am not sure why anyone would use an AI code editor if they aren’t planning on vibe coding.
Proton is, in my opinion, a bad privacy company anyway. Vibe code or not, stop paying them.
Unfortunately so is Visual Studio and VS Code, yet we don’t say anything made with them is ‘vibe coded’. The text, big and bold, right the top of the screen for VS Code is literally:
either use vim or bust :)
Ok, but VS has been around MUCH longer and has been widely used long before any AI features were added. People who have been using VS for years, aren’t likely to just switch, especially in professional environments where VS has largely dominated.
Cursor OTOH, was specifically made to leverage AI. You don’t just start using Cursor.
Depends on leadership. A bunch of slop loving execs think having the newest AI tool will make them be ahead of the curve
Some people like it for the ui and they recently announced the ability to turn off all ai features.
I am not sure why anyone would use an AI code editor if they aren’t planning on vibe coding.
Vibe coding means only looking at the results of running a program generated by an agentic LLM tool, not the program itself - and it often doesn’t work well even with current state-of-the-art models (because once the program no longer fits in the context size of the LLM, the tools often struggle).
But the more common way to use these tools is to solve smaller tasks than building the whole program, and having a human in the loop to review that the code makes sense (and fix any problems with the AI generated code).
I’d say it is probably far more likely they are using it in that more common way.
That said, I certainly agree with you that some of Proton’s practices are not privacy friendly. For example, I know that for their mail product, if you sign up with them, they scan all emails to see if they look like email verification emails, and block your account unless you link it to another non throw-away email. The CEO and company social media accounts also heaped praise on Trump (although they tried to walk that back and say it was a ‘misunderstanding’ later).
The worrying part is rewriting repository history to cover it up
Speaking as someone who hates generative AI but has been forced to adapt to using AI in the programming field to stay relevant, this doesn’t suggest they’re vibe coding. The programming world is the only place AI has actually added value (I should note it’s done some neat stuff helping with diagnoses in the medical world too), but like everything, you get what you put into it.
Feed it enough instruction and context, and it can handle the drudgery of things like tech debt updates and other things a programmer knows how to do, but would rather offload to a tool. I’ve had Claude do refactors like that while stepping through and reviewing every single change. It has saved me hours, spared me from hell, and made me look good at work.
That’s my grounded take as a person that has worked with Claude a ton.
But AI everywhere else? Fucking worthless. The whole point is to do the bullshit mundane tasks so that us humans can do art and passionate work, not the opposite.
The programming world is the only place AI has actually added value
I’d say this is mostly because you can immediately test the AI’s results and rule out anything it got wrong, and whatever errors you generate can then be fed back into the AI so it can refine what it’s already written. You never have to just trust the AI (assuming you yourself still know how to code) like you have to when using it for research or for solving problems where you don’t get immediate feedback.
Whether this means programming is actually a viable niche for generative AI or whether this speaks more to the limitations and inherent unreliability of the “knowledge” the AI has, I can’t say.
Also, I don’t know if it’s just me but I’m more scared by how fast AI is advancing rather than looking forward to what it can do for me. That definitely clouds my perception when something is AI generated and makes me a lot more dismissive of any real benefits AI might have brought.
It will allow you to see if the AI has made any syntax or runtime errors. It does not tell you about any logic errors.
Logic errors are already the most dangerous kind of programming error, and using AI just makes them even harder to find.
Using AI will only help you with syntax (which any good IDE should already be able to do) and finding information faster than a search engine (but leaving out important context). AI is not useful for programming anything that will be made public.
The danger of vibe coding is that the people doing it either don’t have the skills to or don’t think it’s importsnt to review the AI changes.
If you work with an AI and instead of taking time typing through boring tasks, take time reading through the changes, them there isn’t much of an issue. A skilled software engineer is capable of noticing logic errors in a code they read.
If the generated code is too unmecessarily complex to ensure its logic is okay, then scrap it.
I don’t use it in that way (only use JetBrains’ line completion AI) but I don’t see a problem if it is used that way.
However, if I review a code that was partly generated by AI and notice that the dev let through shitty code without review, the review will be salty.
Yeah, you get immediate feedback, vs a scenario where you have to manually check the “facts” it provides in order to ensure it’s not hallucinating. I’ve had Copilot straight up hallucinate functions on me and I knew that they were bullshit instantly.
I iterate with it a ton and feed it back errors it makes, or things like type mismatches. It fixes them instantly and understands the issue almost every single time.
That’s the trick. Iterate often and always give it new instructions if it does something stupid. Basically be as verbose as needed and give it tons of context, desired standards, pitfalls to avoid, whatever. It helps a ton.
Oh I need to learn from you. I was literally just told I need to learn AI to stay relevant. What’s the minimum way to go about doing so?
I’ve had the greatest success with Claude. The company I work for basically let us all go wild with a few to trial, and Claude has been the best for all of us—even better than GitHub Copilot.
I pay for my own pro plan outside of work and use the VSCode plugin. I’d say read the quickstart guide and experiment with it. Start off with having it do smaller changes and don’t be afraid to be verbose. The more context, the better. Point it to existing files you want to follow the patterns of and model after; give it links to resources for best practices, etc. You can also use it in “plan mode” if you want to see its proposed approach before it starts editing.
I also recommend leaving it so that each change it makes requires your approval (it will do this by default and you can step through everything). That way you always have some control and if it does something dumb, you can stop it at that step and pivot with a different instruction. Alternatively, if you want to see it go ham and carry everything out without approval at each step, you can enable auto-accept.
Once you get into it, start looking into how to craft instruction files. You can have those at your disposal for things like writing tests, language-specific guidelines and practices, etc. That way you can make sure it uses those as a reference so you don’t have to give it the same instructions over and over with every prompt.
If you hate writing tests, I’ve had really good luck letting it handle that. I tend to use it more for the bulk tasks that suck. For things where I want more control, I work with it on a piecemeal basis in my project.
I use it for obscure methods that I don’t know immediately and searching the documentation would take longer than just letting the AI write a code snippet and then looking at the functions that it uses if I don’t recognize any.
It’s kind of like searching, except I can ask for things in a more vague manner.
