495
Proton is vibe coding some of its apps. (lemmy.dbzer0.com)
submitted 1 month ago* (last edited 1 month ago) by irelephant@lemmy.dbzer0.com to c/privacy@lemmy.dbzer0.com
140 comments fedilink hide all child comments

TranscriptA post by [object Object] (@zzt@mas.to) saying: courtesy of @davidgerard@circumstances.run, Proton is now the only privacy vendor I know of that vibe codes its apps: In the single most damning thing I can say about Proton in 2025, the Proton GitHub repository has a “cursorrules” file. They’re vibe-coding their public systems. Much secure! I am once again begging anyone who will listen to get off of Proton as soon as reasonably possible, and to avoid their new (terrible) apps in any case. https://circumstances.run/@davidgerard/114961415946154957

It has a reply by the author saying: in an unsurprising update for those familiar with how Proton operates, they silently rewrote their monorepo’s history to purge .cursor and hide that they were vibe coding: https://github.com/ProtonMail/WebClients/tree/2a5e2ad4db0c84f39050bf2353c944a96d38e07f

given the utter lack of communication from Proton on this, I can only guess they’ve extracted .cursor into an external repository and continue to use it out of sight of the public

top 50 comments
sorted by: hot top controversial new old
[-] galoisghost@aussie.zone 192 points 1 month ago

Um, it’s a public repository. You can view the code that’s been added. Even if it IS AI generated, you can review it yourself.

I’m as anti-AI as anyone but this is misplaced AI-alarmism.

[-] homesweethomeMrL@lemmy.world 88 points 1 month ago

Does anyone here actually review code?

[-] CrazyHorse@lemmy.cafe 236 points 1 month ago

Only my own code and so far most of it has been unacceptable.

[-] HakunaHafada@lemmy.dbzer0.com 43 points 1 month ago

Pure, unabashed honesty. I love it. 🫶

load more comments (1 replies)
[-] hansolo@lemmy.today 16 points 1 month ago

Does anyone here realize that one person using Cursor doesnt mean "tHeY'rE vIbE cOdInG aCrOsS tHe wHoLe pLaCe!"

[-] ayyy@sh.itjust.works 21 points 1 month ago* (last edited 1 month ago)

Then why didn’t they just say that instead of being shady and rewriting history?

load more comments (6 replies)
[-] GissaMittJobb@lemmy.ml 14 points 1 month ago

Yes, and it's one of the most important things I do. Given the AI codegen boom we're seeing, it's also the skill I have that is increasing the fastest in value.

load more comments (2 replies)
[-] pennomi@lemmy.world 13 points 1 month ago

Uh yeah? You’d be stupid not to review code, whether written by an AI or a human. I don’t trust either.

[-] MalReynolds@slrpnk.net 29 points 1 month ago

I'm guessing OP means code you use rather than code you write, in other words auditing. Likely very few of us do that with any thoroughness. IIRC proton does have some independent auditing.

load more comments (3 replies)
[-] oatscoop@midwest.social 35 points 1 month ago* (last edited 1 month ago)

can review it yourself.

You're a supervisor and you have 2 employees: Bill and Jim. As a supervisor your job is to ensure the work is being done correctly.

Bill is competent and rarely makes major mistakes. Jim does a decent job most of the time ... but he's also a savant at screwing up -- he regularly fucks up in ways that aren't immediately obvious but are guaranteed to cause serious problems days to weeks from the screw up.

You can glance over Bill's work and be fairly certain it's fine. You need to go over every single piece Jim's work to check for problems, and even then some are probably going to slip through.

AI is currently Jim, and Jim has no business writing code for anything privacy or security focused.

load more comments (5 replies)
[-] Kirk@startrek.website 29 points 1 month ago

Probably anti-Proton. I'm no conspiracy theorist, but the amount of pro BlueSky, anti Proton, anti Signal people I see on Lemmy make me wonder sometimes.

load more comments (2 replies)
[-] expr@programming.dev 20 points 1 month ago

That is pretty immaterial to the issue. The issue is that when it comes to security, it's extremely poor form to rely on unintelligent mimicry.

[-] panda_abyss@lemmy.ca 106 points 1 month ago

I’d bet they just added it to their global .gitignore where it should be, then removed it because they didn’t want their private dot files committed to a public repo.

I don’t think this user knows much about git works. I don’t think this is nefarious or “vibe coding” as it’s colloquially known to be. It’s a bit much to describe all LLM use blindly as vibe coding, when vibe coding usually means just blanket accepting AI content.

[-] taco@piefed.social 22 points 1 month ago

I don't think the concern is as much with the purity of their vibe coding, but rather that they're using an AI-first editor. This will almost certainly mean everything they're coding is being shared with AI provider(s) during the process, which some would view as at odds with Proton's stated emphasis on privacy.

[-] Egonallanon@feddit.uk 52 points 1 month ago* (last edited 1 month ago)

Is the privacy of their code that much of an issue in this case given its a public repo? Its going to get scraped by the bots regardless.

load more comments (1 replies)
[-] panda_abyss@lemmy.ca 11 points 1 month ago

But isn’t this a public repo?

[-] NuXCOM_90Percent@lemmy.zip 11 points 1 month ago* (last edited 1 month ago)

Are we really shitting on companies because they have a config file for the wrong editor? Sorry, a config file for the wrong editor (excluding emacs because be as prejudiced as possible against those folk)?

Do I like "AI First" editors? Hell no. But VSCode is rapidly making that pivot and I don't know the lineage of Cursor well enough to know if it also used to be "just any other editor". And, from a quick google, it supports local LLMs (e.g. ollama), so the "Big AI is going to have all your code" problem is mitigated...

Also, the repo is on Github. Big AI (Microsoft) already HAS all their code. And before we have "Well you should selfhost a gitea!": If your website is public facing, it has been scraped by "AI". And if your open source project is hidden behind ten paywalls? I am not gonna finish that joke because people get really pedantic and pissy when you try to define "Open Source".

At the end of the day: At a project level? If active code review by qualified developers is going on, I really don't care how the code was written. I DO care about those individual developers and their abilities as they continue to use "AI" based tools but... that is a different discussion.

I WOULD be interested in a link to the actual offending file. I've been part of enough projects where it was easier to just have dotfiles for every major editor because you have a wide range of contributors and no true scotsman doesn't have one of the local vimrc style plugins running. Whereas if it is massive instructions on how to generate code, I would get a lot more worried.

But an unsourced screenshot of a discussion thread ain't it.

load more comments (1 replies)
load more comments (1 replies)
load more comments (1 replies)
[-] daniskarma@lemmy.dbzer0.com 57 points 1 month ago

Do you understand the difference between using AI assistance for coding and vibe code?

[-] ayyy@sh.itjust.works 14 points 1 month ago

That’s literally the definition of “vibe coding”…

load more comments (9 replies)
[-] nomadpxl@programming.dev 9 points 1 month ago

Yeah using cursor or any AI assistance != vibe coding. I’m just confused why they acted guilty and edited their history without saying anything

load more comments (1 replies)
[-] hanrahan@slrpnk.net 38 points 1 month ago

And still no drive client for Linux..Fuck those guys :)

[-] Taldan@lemmy.world 13 points 1 month ago

Their Linux VPN client might as well not exist. No kill switch and it randomly disconnects/crashes. Sometimes it completely borks networking necessitating a reboot, which I guess can be better than just leaking your IP?

load more comments (8 replies)
load more comments (1 replies)
[-] thesmokingman@programming.dev 36 points 1 month ago

I’m annoyed because I had to go find a tree that actually had the cursor files. If there’s a smoking gun, you gotta fucking link it when you call someone out.

The irony of Proton attempting to remove it this way is that GitHub trees are permanently available. The only way to remove something once a link has been created is to delete the repo. I’d expect a security-minded company to understand that. To me that’s much more egg-on-face than vibe-coding secure applications. Neither is good; only one very explicitly highlights you don’t know shit about security.

[-] kuberoot@discuss.tchncs.de 15 points 1 month ago

AFAIK, unless that tree has signed commits in the history after the commit introducing the cursor files (or it's otherwise verifiable, like having been linked by a member of their team), that's not a smoking gun.

I remember a meme that was shared a while ago, where somebody forked the Linux kernel on GitHub, made a joke commit under Linus's details (which are NOT verified by design), and posted them around. I can't find an instance of that right now, but here's a somewhat similar example, where somebody put a fake backdoor in their fork and changed the url to the original repo, which lets them pretend the commit came from the original repo.

I'd love to see a smoking gun to confirm those claims, but commiting as somebody else, with a fake time, and editing history aren't that difficult - if they could remove the file from history, somebody else could add it to history.

load more comments (3 replies)
[-] lambalicious@lemmy.sdf.org 26 points 1 month ago

How far have the mighty fallen.

Thinking of moving my main e-mail address to tuta. Alas, haven't been able to find a good provider that uses tried-and-true protocols like IMAP.

[-] Quill7513@slrpnk.net 17 points 1 month ago
  • posteo.net
  • mailbox.org
  • disroot.org
load more comments (1 replies)
[-] biotin7@sopuli.xyz 11 points 1 month ago* (last edited 1 month ago)

Hold your horses buddy it ain't that bad, but if you want an alternative, Try Disroot

load more comments (1 replies)
[-] NuXCOM_90Percent@lemmy.zip 10 points 1 month ago

I would very much consider doing some actual research on tuta. Last I checked, they put a LOT of effort into preventing you from controlling your own inbox (Proton have their god awful sync program but it works). And their support forums were basically nothing but constant complaints of downtimes and outages.

My current approach, that I am slowly migrating everything toward (from gmail), is my own domain that I own and addresses at that. I then use (paid) services to manage the email server and just change my DNS settings so that said emails get routed to the right service. I keep a local copy of all my emails on my desktop (working on a solution to my NAS). So if the company goes to shit? I can migrate my entire existence to a new one within 24 hours (usually less because Cloudflare is really good...).

Currently I use Proton (and hate their sync program). I've seen a LOT of good word on Fastmail and like that they don't have any special sync program at all. Main issue is that Proton still have the best VPN for torrenting (linux ISOs only, obviously) and I need to math out what it would cost to switch to just ProtonVPN and then Fastmail. But (Not That) Will Smith wrote up a really good blog post a few months back where he went into why he likes Fastmail and he (and Brad Shoemaker) tend to be my kind of "Yes, I am making my life harder but for a reason maybe".

load more comments (4 replies)
load more comments (2 replies)
[-] lIlIlIlIlIlIl@lemmy.world 23 points 1 month ago

They’re cooked

[-] hansolo@lemmy.today 10 points 1 month ago

Because 1 coder used Cursor and a bunch of people on Mastadon immediately went to grab the pitchforks because reasons?

How much you want to bet not a single person having a huff about this pays a cent to Proton for anything, and likely doesn't even use them?

[-] independantiste@sh.itjust.works 21 points 1 month ago

I can't wait until you guys get real jobs and then realize that every company that is serious about software development heavily pushes for AI tools such as CLINE or Cursor. I use it at work but I wouldn't say I am vibe coding (mainly because it sucks ass). the reason they deleted the file from the repo is unlikely because they don't want people to know they use AI, it's more likely because AI rules files can contain info that you don't want to be made public

[-] TheOneCurly@feddit.online 18 points 1 month ago

If you're serious about software you push design patterns and code reviews, if you're serious about grifting investors you push LLM nonsense.

[-] independantiste@sh.itjust.works 11 points 1 month ago

I fail to see how those two options are mutually exclusive???

load more comments (2 replies)
load more comments (1 replies)
[-] Eryn6844@beehaw.org 21 points 1 month ago

so if nobody likes proton what do you guys do? i am getting tired of the email shuffle.

[-] Benchamoneh@lemmy.dbzer0.com 15 points 1 month ago

I feel like every email post is a "don't use platform x" and there are very few (if any?) universally well received services out there. In which case the community will probably just give up and go back to Google.

We probably need a tier chart or something to add perspective. Proton have made dumb decisions recently but they're still better than Google/Microsoft

load more comments (3 replies)
load more comments (8 replies)
[-] Electricd@lemmybefree.net 21 points 1 month ago

I don’t really care

[-] SlartyBartFast@sh.itjust.works 16 points 1 month ago

This guy seems somewhat biased against this Proton feller

[-] alsaaas@lemmy.dbzer0.com 16 points 1 month ago

ok and? No other service offers as complete a package as Proton

[-] InFerNo@lemmy.ml 33 points 1 month ago

This is the argument people use when discussing Microsoft products

[-] alsaaas@lemmy.dbzer0.com 13 points 1 month ago* (last edited 1 month ago)

Is M$ stuff provably e2ee? Is Proton a publicly traded company? Does M$ have even close as good a track record as Proton? Are most M$ clients OSS?

Edit: Proton isn't perfect, not by a long stretch. I'm not stanning them either way, but being alarmist and giving in to mob mentality is counterproductive.

For me they just offer the right balance of being partially OSS, strong privacy and strong security that I can pragmatically "overlook" things even as a leftist and free/libre "hardliner" (as I already mentioned: the pragmatic kind. I don't see a point in using Linux-Libre and am ok with proprietary blobs or "tainted" packages for codecs necessary for piracy if there is no alternative and if they don't cause active harm (as in "phoning home" or shit like that. Linux-libre is a detriment to your security BTW)

load more comments (1 replies)
[-] irelephant@lemmy.dbzer0.com 10 points 1 month ago

Yeah, I'm hypocritical with proton, I use it myself, but I think people should just pay a bit more attention to what they're doing.

[-] alsaaas@lemmy.dbzer0.com 11 points 1 month ago

I use it with the full knowledge that they will start to track me and share my IP with Europol if they come with a warrant. (They are unable to comply with anything further, thanks to their e2e architecture)

It is part of my threat model and I use it solely for private stuff.

I couldn't care less that the CEO had one slipup praising a Republican with a seemingly good track record (although I did not investigate that matter)

And being a Luddite about AI is really counterproductive, it has arrived in our society and if correctly utilised will be just another tool used to automate or autocomplete etc.

Basically what your IDE already does but on steroids

(Disclaimer: it's Friday and I'm tired so there is a real – if small – chance I'm being a contrarian armed with superficial knowledge. I can't rly tell myself 🙃)

[-] irelephant@lemmy.dbzer0.com 9 points 1 month ago

I don't think using proton is a personal moral failure, I just think these things are worth discussing.

load more comments (2 replies)
load more comments (3 replies)
[-] cy_narrator@discuss.tchncs.de 8 points 1 month ago

Its like complaining an accountant uses a calculator

[-] Sas@beehaw.org 18 points 1 month ago

A calculator produces reproducible results and does not introduce security flaws into your code that you don't care to look for

load more comments (8 replies)
load more comments
view more: next ›
this post was submitted on 08 Aug 2025
495 points (100.0% liked)

Privacy

3937 readers
13 users here now

Welcome! This is a community for all those who are interested in protecting their privacy.

Rules

PS: Don't be a smartass and try to game the system, we'll know if you're breaking the rules when we see it!

  1. Be civil and no prejudice
  2. Don't promote big-tech software
  3. No apathy and defeatism for privacy (i.e. "They already have my data, why bother?")
  4. No reposting of news that was already posted
  5. No crypto, blockchain, NFTs
  6. No Xitter links (if absolutely necessary, use xcancel)

Related communities:

Some of these are only vaguely related, but great communities.

founded 10 months ago
MODERATORS
otter@lemmy.ca
shaytan@lemmy.dbzer0.com
fxomt@piefed.social