Proton is vibe coding some of its apps.

so if nobody likes proton what do you guys do? i am getting tired of the email shuffle.

I've been using Posteo for years and don't have any complaints.
I feel like every email post is a "don't use platform x" and there are very few (if any?) universally well received services out there. In which case the community will probably just give up and go back to Google.
We probably need a tier chart or something to add perspective. Proton have made dumb decisions recently but they're still better than Google/Microsoft

I’m annoyed because I had to go find a tree that actually had the cursor files. If there’s a smoking gun, you gotta fucking link it when you call someone out.

The irony of Proton attempting to remove it this way is that GitHub trees are permanently available. The only way to remove something once a link has been created is to delete the repo. I’d expect a security-minded company to understand that. To me that’s much more egg-on-face than vibe-coding secure applications. Neither is good; only one very explicitly highlights you don’t know shit about security.

AFAIK, unless that tree has signed commits in the history after the commit introducing the cursor files (or it's otherwise verifiable, like having been linked by a member of their team), that's not a smoking gun.
I remember a meme that was shared a while ago, where somebody forked the Linux kernel on GitHub, made a joke commit under Linus's details (which are NOT verified by design), and posted them around. I can't find an instance of that right now, but here's a somewhat similar example, where somebody put a fake backdoor in their fork and changed the url to the original repo, which lets them pretend the commit came from the original repo.
I'd love to see a smoking gun to confirm those claims, but commiting as somebody else, with a fake time, and editing history aren't that difficult - if they could remove the file from history, somebody else could add it to history.

Its like complaining an accountant uses a calculator

A calculator produces reproducible results and does not introduce security flaws into your code that you don't care to look for
- Then do care to look for? There are PRs, there is a dev that approves changes. It's stupid to resist agentic AIs when they boost productivity by a lot.
i would not trust an accountant who lacks traditional math skills and also that uses a calculator that occasionally returns random numbers

Do you understand the difference between using AI assistance for coding and vibe code?

Yeah using cursor or any AI assistance != vibe coding. I’m just confused why they acted guilty and edited their history without saying anything
That’s literally the definition of “vibe coding”…
- No the "definition" (loose term because it's based on one guys tweet hat invented the word) of vibe coding is to don't read the code, accept any changes and code purely of vibes.

Um, it’s a public repository. You can view the code that’s been added. Even if it IS AI generated, you can review it yourself.

I’m as anti-AI as anyone but this is misplaced AI-alarmism.

can review it yourself.
You're a supervisor and you have 2 employees: Bill and Jim. As a supervisor your job is to ensure the work is being done correctly.
Bill is competent and rarely makes major mistakes. Jim does a decent job most of the time ... but he's also a savant at screwing up -- he regularly fucks up in ways that aren't immediately obvious but are guaranteed to cause serious problems days to weeks from the screw up.
You can glance over Bill's work and be fairly certain it's fine. You need to go over every single piece Jim's work to check for problems, and even then some are probably going to slip through.
AI is currently Jim, and Jim has no business writing code for anything privacy or security focused.
Does anyone here actually review code?
- Only my own code and so far most of it has been unacceptable.
- Yes, and it's one of the most important things I do. Given the AI codegen boom we're seeing, it's also the skill I have that is increasing the fastest in value.
- Does anyone here realize that one person using Cursor doesnt mean "tHeY'rE vIbE cOdInG aCrOsS tHe wHoLe pLaCe!"
- Uh yeah? You’d be stupid not to review code, whether written by an AI or a human. I don’t trust either.
That is pretty immaterial to the issue. The issue is that when it comes to security, it's extremely poor form to rely on unintelligent mimicry.
Probably anti-Proton. I'm no conspiracy theorist, but the amount of pro BlueSky, anti Proton, anti Signal people I see on Lemmy make me wonder sometimes.
- It really reminds me of the Mastodon mob mentality that caused so much trouble for fosstodon :/
- Genuinely most of the people against bluesky/atproto haven't looked into it further than the blogpost by Christine lemmer-webber, and just want to be eliteist about being on the fediverse.

I’d bet they just added it to their global .gitignore where it should be, then removed it because they didn’t want their private dot files committed to a public repo.

I don’t think this user knows much about git works. I don’t think this is nefarious or “vibe coding” as it’s colloquially known to be. It’s a bit much to describe all LLM use blindly as vibe coding, when vibe coding usually means just blanket accepting AI content.

Pretty on point, the .gitignore in the repo has a CLAUDE.md
https://github.com/ProtonMail/WebClients/blob/main/.gitignore
I don't think the concern is as much with the purity of their vibe coding, but rather that they're using an AI-first editor. This will almost certainly mean everything they're coding is being shared with AI provider(s) during the process, which some would view as at odds with Proton's stated emphasis on privacy.
- Is the privacy of their code that much of an issue in this case given its a public repo? Its going to get scraped by the bots regardless.
- Are we really shitting on companies because they have a config file for the wrong editor? Sorry, a config file for the wrong editor (excluding emacs because be as prejudiced as possible against those folk)?
  Do I like "AI First" editors? Hell no. But VSCode is rapidly making that pivot and I don't know the lineage of Cursor well enough to know if it also used to be "just any other editor". And, from a quick google, it supports local LLMs (e.g. ollama), so the "Big AI is going to have all your code" problem is mitigated...
  Also, the repo is on Github. Big AI (Microsoft) already HAS all their code. And before we have "Well you should selfhost a gitea!": If your website is public facing, it has been scraped by "AI". And if your open source project is hidden behind ten paywalls? I am not gonna finish that joke because people get really pedantic and pissy when you try to define "Open Source".
  At the end of the day: At a project level? If active code review by qualified developers is going on, I really don't care how the code was written. I DO care about those individual developers and their abilities as they continue to use "AI" based tools but... that is a different discussion.
  I WOULD be interested in a link to the actual offending file. I've been part of enough projects where it was easier to just have dotfiles for every major editor because you have a wide range of contributors and no true scotsman doesn't have one of the local vimrc style plugins running. Whereas if it is massive instructions on how to generate code, I would get a lot more worried.
  But an unsourced screenshot of a discussion thread ain't it.
- But isn’t this a public repo?
- Privacy for a codebase is not the same as privacy for me. Security through obscurity would be more at odds with privacy for the end user.

And still no drive client for Linux..Fuck those guys :)

Their Linux VPN client might as well not exist. No kill switch and it randomly disconnects/crashes. Sometimes it completely borks networking necessitating a reboot, which I guess can be better than just leaking your IP?
- tf you mean? kill switch does work, doesn't randomly disconnect and it doesn't really bork it for me. skill issue? guess my distro based on my pfp
- Isolating the VPN into docker + gluetun should (should) solve that particular issue.
- I just use plain old openvpn configs. Once my credit runs out ill switch to mullvad. They were the best option for a time, but that changes.
Rclone foo!

I don’t really care

ok.
- Valid answer!

ok and? No other service offers as complete a package as Proton

This is the argument people use when discussing Microsoft products
- Is M$ stuff provably e2ee? Is Proton a publicly traded company? Does M$ have even close as good a track record as Proton? Are most M$ clients OSS?
  Edit: Proton isn't perfect, not by a long stretch. I'm not stanning them either way, but being alarmist and giving in to mob mentality is counterproductive.
  For me they just offer the right balance of being partially OSS, strong privacy and strong security that I can pragmatically "overlook" things even as a leftist and free/libre "hardliner" (as I already mentioned: the pragmatic kind. I don't see a point in using Linux-Libre and am ok with proprietary blobs or "tainted" packages for codecs necessary for piracy if there is no alternative and if they don't cause active harm (as in "phoning home" or shit like that. Linux-libre is a detriment to your security BTW)
Yeah, I'm hypocritical with proton, I use it myself, but I think people should just pay a bit more attention to what they're doing.
- I use it with the full knowledge that they will start to track me and share my IP with Europol if they come with a warrant. (They are unable to comply with anything further, thanks to their e2e architecture)
  It is part of my threat model and I use it solely for private stuff.
  I couldn't care less that the CEO had one slipup praising a Republican with a seemingly good track record (although I did not investigate that matter)
  And being a Luddite about AI is really counterproductive, it has arrived in our society and if correctly utilised will be just another tool used to automate or autocomplete etc.
  Basically what your IDE already does but on steroids
  (Disclaimer: it's Friday and I'm tired so there is a real – if small – chance I'm being a contrarian armed with superficial knowledge. I can't rly tell myself 🙃)

I’ll hold my judgment given that this source of this is that massive asshole, David Gerard.

This guy seems somewhat biased against this Proton feller

How far have the mighty fallen.

Thinking of moving my main e-mail address to tuta. Alas, haven't been able to find a good provider that uses tried-and-true protocols like IMAP.

posteo.net
mailbox.org
disroot.org
- Disroot is in my 👀 now because you guys reminded me it was already, some time ago. Let's see how that one goes!
I would very much consider doing some actual research on tuta. Last I checked, they put a LOT of effort into preventing you from controlling your own inbox (Proton have their god awful sync program but it works). And their support forums were basically nothing but constant complaints of downtimes and outages.
My current approach, that I am slowly migrating everything toward (from gmail), is my own domain that I own and addresses at that. I then use (paid) services to manage the email server and just change my DNS settings so that said emails get routed to the right service. I keep a local copy of all my emails on my desktop (working on a solution to my NAS). So if the company goes to shit? I can migrate my entire existence to a new one within 24 hours (usually less because Cloudflare is really good...).
Currently I use Proton (and hate their sync program). I've seen a LOT of good word on Fastmail and like that they don't have any special sync program at all. Main issue is that Proton still have the best VPN for torrenting (linux ISOs only, obviously) and I need to math out what it would cost to switch to just ProtonVPN and then Fastmail. But (Not That) Will Smith wrote up a really good blog post a few months back where he went into why he likes Fastmail and he (and Brad Shoemaker) tend to be my kind of "Yes, I am making my life harder but for a reason maybe".
- not email but are there any good alternatives for cloud storage? i backup some of my passwords and pictures to my proton drive manually
mailbox.org
- Love mailbox.org, got the lite plan for €12 per year and works like a charm. Can use the secure mail address or the reg and just paste your public key into to use with Thunderbird.
Hold your horses buddy it ain't that bad, but if you want an alternative, Try Disroot
- Tried that once, long ago, but I honestly don't remember why I couldn't complete the signup. Maybe an essay, or an issue with e-mail verification.
  Might have to take a look at it again!
Posteo?
- Looks paid, I prefer to discard any possible solutions on my country's currency before I even take a look at having to deal with international KYC shit.

I can't wait until you guys get real jobs and then realize that every company that is serious about software development heavily pushes for AI tools such as CLINE or Cursor. I use it at work but I wouldn't say I am vibe coding (mainly because it sucks ass). the reason they deleted the file from the repo is unlikely because they don't want people to know they use AI, it's more likely because AI rules files can contain info that you don't want to be made public

If you're serious about software you push design patterns and code reviews, if you're serious about grifting investors you push LLM nonsense.
- I fail to see how those two options are mutually exclusive???
mainly because it sucks ass
So many people ignore this and repeat the Big tech PR talking points about AI. I had a colleague enthuse about AI agents, then demonstrate it and say “well it’s currently a little bit shit”
The fuck people! Wake up!

They’re cooked

Because 1 coder used Cursor and a bunch of people on Mastadon immediately went to grab the pitchforks because reasons?
How much you want to bet not a single person having a huff about this pays a cent to Proton for anything, and likely doesn't even use them?

I’m definitely vibe coding all my stuff, why wouldn’t I? I’m still responsible for what I commit to main but it’s so much faster to get shit done like this

If you don’t break the project style, other code, and you actually test and review what you write, then yea
- Yeah that’s the idea. seems like many people are thinking that either you don’t do code reviews at all or you’re writing every line of code yourself even if AI could have done a lot of grunt work.