433
Proton is vibe coding some of its apps. (lemmy.dbzer0.com)
submitted 4 days ago* (last edited 4 days ago) by [email protected] to c/[email protected]
204 comments fedilink hide all child comments

TranscriptA post by [object Object] (@[email protected]) saying: courtesy of @[email protected], Proton is now the only privacy vendor I know of that vibe codes its apps: In the single most damning thing I can say about Proton in 2025, the Proton GitHub repository has a “cursorrules” file. They’re vibe-coding their public systems. Much secure! I am once again begging anyone who will listen to get off of Proton as soon as reasonably possible, and to avoid their new (terrible) apps in any case. https://circumstances.run/@davidgerard/114961415946154957

It has a reply by the author saying: in an unsurprising update for those familiar with how Proton operates, they silently rewrote their monorepo’s history to purge .cursor and hide that they were vibe coding: https://github.com/ProtonMail/WebClients/tree/2a5e2ad4db0c84f39050bf2353c944a96d38e07f

given the utter lack of communication from Proton on this, I can only guess they’ve extracted .cursor into an external repository and continue to use it out of sight of the public

top 50 comments
sorted by: hot top new old
[-] [email protected] 154 points 4 days ago

Um, it’s a public repository. You can view the code that’s been added. Even if it IS AI generated, you can review it yourself.

I’m as anti-AI as anyone but this is misplaced AI-alarmism.

[-] [email protected] 84 points 4 days ago

Does anyone here actually review code?

[-] [email protected] 240 points 4 days ago

Only my own code and so far most of it has been unacceptable.

[-] [email protected] 47 points 4 days ago

Pure, unabashed honesty. I love it. 🫶

[-] [email protected] 2 points 2 days ago

i once wrote a script to launch a program with specific flags that i think was mostly correct, it holds center place on my CV

load more comments (16 replies)
[-] [email protected] 33 points 4 days ago* (last edited 4 days ago)

can review it yourself.

You're a supervisor and you have 2 employees: Bill and Jim. As a supervisor your job is to ensure the work is being done correctly.

Bill is competent and rarely makes major mistakes. Jim does a decent job most of the time ... but he's also a savant at screwing up -- he regularly fucks up in ways that aren't immediately obvious but are guaranteed to cause serious problems days to weeks from the screw up.

You can glance over Bill's work and be fairly certain it's fine. You need to go over every single piece Jim's work to check for problems, and even then some are probably going to slip through.

AI is currently Jim, and Jim has no business writing code for anything privacy or security focused.

load more comments (5 replies)
[-] [email protected] 20 points 4 days ago

That is pretty immaterial to the issue. The issue is that when it comes to security, it's extremely poor form to rely on unintelligent mimicry.

load more comments (23 replies)
[-] [email protected] 6 points 3 days ago

They provide no evidence of vibe coding at all. Just because someone is using an IDE with AI (which is most now) doesn't prove anything.

load more comments (2 replies)
[-] [email protected] 38 points 4 days ago

I’m annoyed because I had to go find a tree that actually had the cursor files. If there’s a smoking gun, you gotta fucking link it when you call someone out.

The irony of Proton attempting to remove it this way is that GitHub trees are permanently available. The only way to remove something once a link has been created is to delete the repo. I’d expect a security-minded company to understand that. To me that’s much more egg-on-face than vibe-coding secure applications. Neither is good; only one very explicitly highlights you don’t know shit about security.

[-] [email protected] 14 points 4 days ago

AFAIK, unless that tree has signed commits in the history after the commit introducing the cursor files (or it's otherwise verifiable, like having been linked by a member of their team), that's not a smoking gun.

I remember a meme that was shared a while ago, where somebody forked the Linux kernel on GitHub, made a joke commit under Linus's details (which are NOT verified by design), and posted them around. I can't find an instance of that right now, but here's a somewhat similar example, where somebody put a fake backdoor in their fork and changed the url to the original repo, which lets them pretend the commit came from the original repo.

I'd love to see a smoking gun to confirm those claims, but commiting as somebody else, with a fake time, and editing history aren't that difficult - if they could remove the file from history, somebody else could add it to history.

load more comments (3 replies)
[-] [email protected] 100 points 4 days ago

I’d bet they just added it to their global .gitignore where it should be, then removed it because they didn’t want their private dot files committed to a public repo.

I don’t think this user knows much about git works. I don’t think this is nefarious or “vibe coding” as it’s colloquially known to be. It’s a bit much to describe all LLM use blindly as vibe coding, when vibe coding usually means just blanket accepting AI content.

load more comments (10 replies)
[-] [email protected] 47 points 4 days ago

Do you understand the difference between using AI assistance for coding and vibe code?

[-] [email protected] 19 points 4 days ago

One is completely idiotic and dangerous and the other is merely stupid and risky?

load more comments (10 replies)
[-] [email protected] 9 points 4 days ago

Yeah using cursor or any AI assistance != vibe coding. I’m just confused why they acted guilty and edited their history without saying anything

load more comments (1 replies)
load more comments (10 replies)
[-] [email protected] 20 points 4 days ago

so if nobody likes proton what do you guys do? i am getting tired of the email shuffle.

[-] [email protected] 16 points 4 days ago

I feel like every email post is a "don't use platform x" and there are very few (if any?) universally well received services out there. In which case the community will probably just give up and go back to Google.

We probably need a tier chart or something to add perspective. Proton have made dumb decisions recently but they're still better than Google/Microsoft

[-] [email protected] 7 points 3 days ago

I dont hope to find a secure email platform anymore. If i have some info i want to protect i can encrypt it myself before sending, or send it via some secure instant messaging like signal. Email is too hard to make secure, and in he end of the day, the other person youre talking to probably has a gmail or something. Its not worth the hassle imo. There are other ways to have secure communication, outside emails.

[-] [email protected] 2 points 2 days ago

This is a great point. We spend so much time naval gazing on the best platform for our side, but what about the other side? Might as well use any old service and encrypt your private comms specifically. Yes it's effort to encrypt but I think it's the best compromise of privacy without housing your own mailserver

[-] [email protected] 2 points 2 days ago

it's good to keep secure communications separate anyways, so you don't accidentally send the secret message to the wrong place or without the security measures.

i don't get why people want it in the same place as their fucking gaming chats, imagine sending state secrets to #fursuit-showoff because you didn't notice which specific channel you're in

load more comments (8 replies)
[-] [email protected] 63 points 4 days ago

How is this proof of vibecoding?

load more comments (18 replies)
[-] [email protected] 39 points 4 days ago

And still no drive client for Linux..Fuck those guys :)

load more comments (10 replies)
[-] [email protected] 4 points 3 days ago

If the evil didn’t convince people to abandon Proton, maybe a little bit of AI will. Amazing.

load more comments
view more: next ›
this post was submitted on 08 Aug 2025
433 points (85.1% liked)

Privacy

3490 readers
14 users here now

Welcome! This is a community for all those who are interested in protecting their privacy.

Rules

PS: Don't be a smartass and try to game the system, we'll know if you're breaking the rules when we see it!

  1. Be civil and no prejudice
  2. Don't promote big-tech software
  3. No apathy and defeatism for privacy (i.e. "They already have my data, why bother?")
  4. No reposting of news that was already posted
  5. No crypto, blockchain, NFTs
  6. No Xitter links (if absolutely necessary, use xcancel)

Related communities:

Some of these are only vaguely related, but great communities.

founded 9 months ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]