this post was submitted on 08 Aug 2025
417 points (84.9% liked)

Privacy

3463 readers
176 users here now

Welcome! This is a community for all those who are interested in protecting their privacy.

Rules

PS: Don't be a smartass and try to game the system, we'll know if you're breaking the rules when we see it!

  1. Be civil and no prejudice
  2. Don't promote big-tech software
  3. No apathy and defeatism for privacy (i.e. "They already have my data, why bother?")
  4. No reposting of news that was already posted
  5. No crypto, blockchain, NFTs
  6. No Xitter links (if absolutely necessary, use xcancel)

Related communities:

Some of these are only vaguely related, but great communities.

founded 9 months ago
MODERATORS
fxomt@lemmy.dbzer0.com
otter@lemmy.ca
shaytan@lemmy.dbzer0.com
fxomt@piefed.social
417
Proton is vibe coding some of its apps. (lemmy.dbzer0.com)
submitted 3 days ago* (last edited 3 days ago) by irelephant@lemmy.dbzer0.com to c/privacy@lemmy.dbzer0.com
191 comments fedilink hide all child comments
 

TranscriptA post by [object Object] (@zzt@mas.to) saying: courtesy of @davidgerard@circumstances.run, Proton is now the only privacy vendor I know of that vibe codes its apps: In the single most damning thing I can say about Proton in 2025, the Proton GitHub repository has a “cursorrules” file. They’re vibe-coding their public systems. Much secure! I am once again begging anyone who will listen to get off of Proton as soon as reasonably possible, and to avoid their new (terrible) apps in any case. https://circumstances.run/@davidgerard/114961415946154957

It has a reply by the author saying: in an unsurprising update for those familiar with how Proton operates, they silently rewrote their monorepo’s history to purge .cursor and hide that they were vibe coding: https://github.com/ProtonMail/WebClients/tree/2a5e2ad4db0c84f39050bf2353c944a96d38e07f

given the utter lack of communication from Proton on this, I can only guess they’ve extracted .cursor into an external repository and continue to use it out of sight of the public

top 50 comments
sorted by: hot top controversial new old
[–] KiwiTB@lemmy.world 5 points 1 day ago (1 children)

They provide no evidence of vibe coding at all. Just because someone is using an IDE with AI (which is most now) doesn't prove anything.

[–] mikey@sh.itjust.works 1 points 1 day ago (1 children)

No one is using Cursor for the IDE feel; Cursor is just a VSCode without MS language servers and with extra AI. It's an objectively worse experience to use Cursor over VSCode, except if you vibe code.

[–] KiwiTB@lemmy.world 1 points 1 day ago

That's not exactly proof.

[–] JimVanDeventer@lemmy.world 3 points 1 day ago

If the evil didn’t convince people to abandon Proton, maybe a little bit of AI will. Amazing.

[–] thesmokingman@programming.dev 38 points 2 days ago (1 children)

I’m annoyed because I had to go find a tree that actually had the cursor files. If there’s a smoking gun, you gotta fucking link it when you call someone out.

The irony of Proton attempting to remove it this way is that GitHub trees are permanently available. The only way to remove something once a link has been created is to delete the repo. I’d expect a security-minded company to understand that. To me that’s much more egg-on-face than vibe-coding secure applications. Neither is good; only one very explicitly highlights you don’t know shit about security.

[–] kuberoot@discuss.tchncs.de 14 points 2 days ago (1 children)

AFAIK, unless that tree has signed commits in the history after the commit introducing the cursor files (or it's otherwise verifiable, like having been linked by a member of their team), that's not a smoking gun.

I remember a meme that was shared a while ago, where somebody forked the Linux kernel on GitHub, made a joke commit under Linus's details (which are NOT verified by design), and posted them around. I can't find an instance of that right now, but here's a somewhat similar example, where somebody put a fake backdoor in their fork and changed the url to the original repo, which lets them pretend the commit came from the original repo.

I'd love to see a smoking gun to confirm those claims, but commiting as somebody else, with a fake time, and editing history aren't that difficult - if they could remove the file from history, somebody else could add it to history.

[–] thesmokingman@programming.dev 7 points 2 days ago* (last edited 2 days ago) (2 children)

Absolutely fair! The other commits in that tree for the .cursor folder match existing contributors. This unchanged PR and this unchanged PR both contain the same structure. This tree comes from this unmerged, closed PR which also matches. This closed issue, commented on by maintainers, references this tree which corroborates the other unlinked commit tree. (Edit: I stopped because I got bored; see the other unchanged issues and PRs that show a rewrite of history)

Attribution is never 100% especially when APTs are concerned. I am confident when I say there is way more evidence here showing the files officially exist and were officially part of the tree than many of the very confident yet unconfirmed APT attributions we actively rely on.

load more comments (2 replies)
[–] Eryn6844@beehaw.org 21 points 2 days ago (8 children)

so if nobody likes proton what do you guys do? i am getting tired of the email shuffle.

[–] pheggs@feddit.org 1 points 1 day ago

I self host my mail. There are plenty of people telling you not to do so, but I sincerely have made very good experience with it the last 10 years. The absolute minimum you should do is to have your own domain, otherwise you are in a vendor lockin.

Then, use PGP where possible with an open source mail client such as thunderbird.

[–] Benchamoneh@lemmy.dbzer0.com 16 points 2 days ago (1 children)

I feel like every email post is a "don't use platform x" and there are very few (if any?) universally well received services out there. In which case the community will probably just give up and go back to Google.

We probably need a tier chart or something to add perspective. Proton have made dumb decisions recently but they're still better than Google/Microsoft

[–] zeca@lemmy.ml 7 points 1 day ago (2 children)

I dont hope to find a secure email platform anymore. If i have some info i want to protect i can encrypt it myself before sending, or send it via some secure instant messaging like signal. Email is too hard to make secure, and in he end of the day, the other person youre talking to probably has a gmail or something. Its not worth the hassle imo. There are other ways to have secure communication, outside emails.

[–] Benchamoneh@lemmy.dbzer0.com 2 points 15 hours ago

This is a great point. We spend so much time naval gazing on the best platform for our side, but what about the other side? Might as well use any old service and encrypt your private comms specifically. Yes it's effort to encrypt but I think it's the best compromise of privacy without housing your own mailserver

[–] Swedneck@discuss.tchncs.de 2 points 19 hours ago

it's good to keep secure communications separate anyways, so you don't accidentally send the secret message to the wrong place or without the security measures.

i don't get why people want it in the same place as their fucking gaming chats, imagine sending state secrets to #fursuit-showoff because you didn't notice which specific channel you're in

load more comments (6 replies)
[–] galoisghost@aussie.zone 152 points 2 days ago (26 children)

Um, it’s a public repository. You can view the code that’s been added. Even if it IS AI generated, you can review it yourself.

I’m as anti-AI as anyone but this is misplaced AI-alarmism.

[–] oatscoop@midwest.social 33 points 2 days ago* (last edited 2 days ago) (5 children)

can review it yourself.

You're a supervisor and you have 2 employees: Bill and Jim. As a supervisor your job is to ensure the work is being done correctly.

Bill is competent and rarely makes major mistakes. Jim does a decent job most of the time ... but he's also a savant at screwing up -- he regularly fucks up in ways that aren't immediately obvious but are guaranteed to cause serious problems days to weeks from the screw up.

You can glance over Bill's work and be fairly certain it's fine. You need to go over every single piece Jim's work to check for problems, and even then some are probably going to slip through.

AI is currently Jim, and Jim has no business writing code for anything privacy or security focused.

load more comments (5 replies)
[–] homesweethomeMrL@lemmy.world 84 points 2 days ago (17 children)

Does anyone here actually review code?

[–] CrazyHorse@lemmy.cafe 237 points 2 days ago (2 children)

Only my own code and so far most of it has been unacceptable.

[–] Swedneck@discuss.tchncs.de 2 points 19 hours ago

i once wrote a script to launch a program with specific flags that i think was mostly correct, it holds center place on my CV

load more comments (1 replies)
load more comments (16 replies)
load more comments (24 replies)
[–] panda_abyss@lemmy.ca 99 points 2 days ago (10 children)

I’d bet they just added it to their global .gitignore where it should be, then removed it because they didn’t want their private dot files committed to a public repo.

I don’t think this user knows much about git works. I don’t think this is nefarious or “vibe coding” as it’s colloquially known to be. It’s a bit much to describe all LLM use blindly as vibe coding, when vibe coding usually means just blanket accepting AI content.

load more comments (10 replies)
[–] daniskarma@lemmy.dbzer0.com 47 points 2 days ago (11 children)

Do you understand the difference between using AI assistance for coding and vibe code?

[–] nomadpxl@programming.dev 9 points 2 days ago (1 children)

Yeah using cursor or any AI assistance != vibe coding. I’m just confused why they acted guilty and edited their history without saying anything

load more comments (1 replies)
load more comments (10 replies)
[–] Geometrinen_Gepardi@sopuli.xyz 62 points 3 days ago (18 children)

How is this proof of vibecoding?

load more comments (18 replies)
load more comments
view more: next ›