- cross-posted to:
- privacy@programming.dev
- cross-posted to:
- privacy@programming.dev
Transcript
A post by [object Object] (@zzt@mas.to) saying: courtesy of @davidgerard@circumstances.run, Proton is now the only privacy vendor I know of that vibe codes its apps: In the single most damning thing I can say about Proton in 2025, the Proton GitHub repository has a “cursorrules” file. They’re vibe-coding their public systems. Much secure! I am once again begging anyone who will listen to get off of Proton as soon as reasonably possible, and to avoid their new (terrible) apps in any case. https://circumstances.run/@davidgerard/114961415946154957
It has a reply by the author saying: in an unsurprising update for those familiar with how Proton operates, they silently rewrote their monorepo’s history to purge .cursor and hide that they were vibe coding: https://github.com/ProtonMail/WebClients/tree/2a5e2ad4db0c84f39050bf2353c944a96d38e07f
given the utter lack of communication from Proton on this, I can only guess they’ve extracted .cursor into an external repository and continue to use it out of sight of the public
You must log in or # to comment.
They provide no evidence of vibe coding at all. Just because someone is using an IDE with AI (which is most now) doesn’t prove anything.
No one is using Cursor for the IDE feel; Cursor is just a VSCode without MS language servers and with extra AI. It’s an objectively worse experience to use Cursor over VSCode, except if you vibe code.
That’s not exactly proof.
If the evil didn’t convince people to abandon Proton, maybe a little bit of AI will. Amazing.
I’m annoyed because I had to go find a tree that actually had the cursor files. If there’s a smoking gun, you gotta fucking link it when you call someone out.
The irony of Proton attempting to remove it this way is that GitHub trees are permanently available. The only way to remove something once a link has been created is to delete the repo. I’d expect a security-minded company to understand that. To me that’s much more egg-on-face than vibe-coding secure applications. Neither is good; only one very explicitly highlights you don’t know shit about security.
AFAIK, unless that tree has signed commits in the history after the commit introducing the cursor files (or it’s otherwise verifiable, like having been linked by a member of their team), that’s not a smoking gun.
I remember a meme that was shared a while ago, where somebody forked the Linux kernel on GitHub, made a joke commit under Linus’s details (which are NOT verified by design), and posted them around. I can’t find an instance of that right now, but here’s a somewhat similar example, where somebody put a fake backdoor in their fork and changed the url to the original repo, which lets them pretend the commit came from the original repo.
I’d love to see a smoking gun to confirm those claims, but commiting as somebody else, with a fake time, and editing history aren’t that difficult - if they could remove the file from history, somebody else could add it to history.
Absolutely fair! The other commits in that tree for the
.cursorfolder match existing contributors. This unchanged PR and this unchanged PR both contain the same structure. This tree comes from this unmerged, closed PR which also matches. This closed issue, commented on by maintainers, references this tree which corroborates the other unlinked commit tree. (Edit: I stopped because I got bored; see the other unchanged issues and PRs that show a rewrite of history)Attribution is never 100% especially when APTs are concerned. I am confident when I say there is way more evidence here showing the files officially exist and were officially part of the tree than many of the very confident yet unconfirmed APT attributions we actively rely on.
I don’t know what APT stands for in this context, but just one PR/comment from a trusted contributor seems like plenty of proof, you really went and did your homework, and then mine too ;D
Advanced Persistent Threat. For example, we assume the Lazarus Group is responsible for several high profile attacks. We don’t have anything close to the evidence here for direct attribution; using that as a bar I’d say the Proton attribution is pretty strong. Since my callout was security-focused, I wanted to ground it in other security terms. Your point was completely spot on and it was a great reminder to me because sometimes I forget the basics.
For folks that don’t know, there are a few bad things with the Proton response. First and foremost, you don’t rewrite
mainever just from a development perspective. It usually causes more trouble than it’s worth unless you’re a team of one and no one else has ever touched your repo. From a security perspective, it’s very misleading to assume rewriting history can clear history from GitHub as I hope I’ve shown here. Additionally, anyone with a local copy of the repo from before the rewrite can use the reflog to access that history. While it won’t work for any new pulls post-rewrite, it’s still a risk for a large repo like this.The correct way to handle this or other sensitive information being added to a repo is to use remove the file in a merge and rotate any secrets exposed. Take the hit on the chin; security is just about reducing risk not removing it. I have cleaned up plenty of repos before. Tools like gitleaks can search your active tree as well as your history for exposed secrets. Delete, commit, own the failure. Proper ignore files, meticulous review, and automated checks also help reduce risk.
Overall that’s why I think this is dumb. To me it would be a non-issue if a security-minded company had used security best practices to handle this.
so if nobody likes proton what do you guys do? i am getting tired of the email shuffle.
I self host my mail. There are plenty of people telling you not to do so, but I sincerely have made very good experience with it the last 10 years. The absolute minimum you should do is to have your own domain, otherwise you are in a vendor lockin.
Then, use PGP where possible with an open source mail client such as thunderbird.
I feel like every email post is a “don’t use platform x” and there are very few (if any?) universally well received services out there. In which case the community will probably just give up and go back to Google.
We probably need a tier chart or something to add perspective. Proton have made dumb decisions recently but they’re still better than Google/Microsoft
I dont hope to find a secure email platform anymore. If i have some info i want to protect i can encrypt it myself before sending, or send it via some secure instant messaging like signal. Email is too hard to make secure, and in he end of the day, the other person youre talking to probably has a gmail or something. Its not worth the hassle imo. There are other ways to have secure communication, outside emails.
This is a great point. We spend so much time naval gazing on the best platform for our side, but what about the other side? Might as well use any old service and encrypt your private comms specifically. Yes it’s effort to encrypt but I think it’s the best compromise of privacy without housing your own mailserver
it’s good to keep secure communications separate anyways, so you don’t accidentally send the secret message to the wrong place or without the security measures.
i don’t get why people want it in the same place as their fucking gaming chats, imagine sending state secrets to #fursuit-showoff because you didn’t notice which specific channel you’re in
I’ve been using Posteo for years and don’t have any complaints.
How is the initial storage limit?
I use GPG in Thunderbird with ForwardEmail (because I use a custom domain)
self host. you can get great deals on domains and have whatever you want. Hell in many cases you can get free domains with hosting. my domain is a .ca (i’m Canadian) and I got it free for 2 years with a hosting plan that costs me $50 a year. So I’m already saving over Proton, It’s local to me, and I can have unlimited accounts and bandwidth. I also use it to host my portfolio site.
Then I also have my own home server which I use for VPN, Backups, Bitwarden, Git Repos, torrents/media, even have my own searx search engine on it.
I host other stuff, but isn’t email a pain to get working and not marked as spam?
I haven’t had any issues with it being marked as spam as of yet.
Um, it’s a public repository. You can view the code that’s been added. Even if it IS AI generated, you can review it yourself.
I’m as anti-AI as anyone but this is misplaced AI-alarmism.
can review it yourself.
You’re a supervisor and you have 2 employees: Bill and Jim. As a supervisor your job is to ensure the work is being done correctly.
Bill is competent and rarely makes major mistakes. Jim does a decent job most of the time … but he’s also a savant at screwing up – he regularly fucks up in ways that aren’t immediately obvious but are guaranteed to cause serious problems days to weeks from the screw up.
You can glance over Bill’s work and be fairly certain it’s fine. You need to go over every single piece Jim’s work to check for problems, and even then some are probably going to slip through.
AI is currently Jim, and Jim has no business writing code for anything privacy or security focused.
This is a great example since AI isn’t taking on the role of an independent software engineer here, so there is no “Jim” and this is much less of an issue than y’all are making it out to be. You know that auto-correct is also a form of ML right? Have you considered that tools can be used responsibly and that standards for software developers still apply even when they use new tools?
You know that auto-correct is also a form of ML right?
Yeah, and I don’t fuckin use it.
Also, my auto-correct is saying that sentence is missing a comma, so I guess you don’t either.
Cool that’s great. Can you tell me that none of the software you use has been developed by software engineers making use of machine learning methods?
I can: I do not use any software.
Hahaha
Does anyone here actually review code?
Only my own code and so far most of it has been unacceptable.
i once wrote a script to launch a program with specific flags that i think was mostly correct, it holds center place on my CV
Pure, unabashed honesty. I love it. 🫶
Yes, and it’s one of the most important things I do. Given the AI codegen boom we’re seeing, it’s also the skill I have that is increasing the fastest in value.
yes as a consultant/freelancer THIS is where the majority of my work is coming from now. if you’re good at this SERIOUSLY consider consulting and freelancing for various companies that are now desperately trying to fix their AI tech debt. It’s the ONE thing that is completely in demand right now due to the sheer incompetence of all these places that decided vibe coding and AI was the way to go.
you have no idea how much money you can potentially be making right now doing this. I’m booked solid for the rest of the year purely because of this.
Not gonna really be thing long-term. Up front savings vs customer long term retention. The up front savings are what business cares about. So yeah you’ll get some companies who fucked up. Most just double down on the a. I.
What you’re doing is entering the bargain-phase
Uh yeah? You’d be stupid not to review code, whether written by an AI or a human. I don’t trust either.
I’m guessing OP means code you use rather than code you write, in other words auditing. Likely very few of us do that with any thoroughness. IIRC proton does have some independent auditing.
That’s what I mean too. Y’all don’t just copy-paste from stack overflow praying it works do you?
That obviously not what they meant. They mean, do you review the code for every open source application you use? Do you review every library you utilize? I’m willing to be it’s a no for both of these, because no one has time for that.
No, like proton mail app. Have you reviewed it? Or Signal or Veracrypt or TheNewHotness.
Does anyone here realize that one person using Cursor doesnt mean “tHeY’rE vIbE cOdInG aCrOsS tHe wHoLe pLaCe!”
Then why didn’t they just say that instead of being shady and rewriting history?
Because thier bosses aren’t accounta le to you and I? That don’t have to say a dn thing
that would make sense if it wasn’t a fucking business selling the promise of security lol
Again. They don’t answer to us. They don’t have to say anything
Now. I agree that they SHOULD. It would be not only be better buisness, BUT its the right thing yo do
But no, they don’t. The should.
oh so you just want to be annoyingly pedantic, cool
Because it’s also not a great idea to expose your rules files, and tell people first “oh shit, we mentioned rules files. Please don’t look!” before
I’ll be honest here, I’ve had less dogmatic conversations with conspiracy theorists about COVID. If you just need to make this a huge problem that later turns out to be a nothingburger and you’ll never look back and grow as a human, then hey, you do you. But know that you’ll look like a fool to anyone that isn’t a goldfish and remembers more than 3 months at a time. Because you clearly don’t know what’s a big deal and what’s not, and this is a Grade A waste of all our time to pitch a fit about.
That is pretty immaterial to the issue. The issue is that when it comes to security, it’s extremely poor form to rely on unintelligent mimicry.
Probably anti-Proton. I’m no conspiracy theorist, but the amount of pro BlueSky, anti Proton, anti Signal people I see on Lemmy make me wonder sometimes.
Proton CEO did it to the company…
Signal requires a phone number… If you don’t see an issue with that… Then you live in a better place than the rest of us. I am happy for you.
Signal is the sad compromise for the people I hold dearest because I refuse to use Messenger anymore and SMS is a joke with how glaringly unencrypted/de-facto wiretapped it is.
I’d love to get everyone on SimpleX but they already look at me like a wacko over Signal. The convenience tax is just non-negotiable for them and I have no idea how to bypass it.
I used to be a big proponent of simplex even if I dont use it with anyone, but I was told that the main developer supports tr*mp and m*sk… If you go to their github, they only link twitter as their social media and if you check their account…
https://github.com/epoberezkin (dunno if were allowed to share twitter links)
Talks about “far-left radicals”, says that nazis were socialist etc. etc. … Really yikes
TBH I feel like so many project leaders are wackos that I don’t even judge the products by those, just by things they do. I still have hope in Simplex, but there were a couple of red flags, such as content scanning proposals, including clientside. Sure, it can probably be relatively easily forked to remove that specific thing, or you can choose the servers that don’t do that, but it’s still alarming that they try.
Yuck. Well then again we sit in Lemmy, and the lead dev is a proud tankiest tankie. Open source do be like that.
Lol, got a point there
Simplex ain’t ready… So ain’t pushing it as of now.
Once it is normie ready, I will start the move.
Signal is a temp solution
With that being said, I agree 100% with your comment. We work with what we got today!
For private communication Signal is the gold standard LOL
Not everyone needs shitty xmpp extensions, Matrix that lacks PFS and is enshitiffying as we speak (I say as an avid user) or overkill like SimpleX or Briar.
Sure… But you are also feeding NSA meta data on your communications which is whatever I guess for most people but I don’t like it
You seem to be misinformed. Signals architecture is explicitly designed in a way to minimise metadata as much as possible. You can look up the data they had to hand over due to lawsuits, it was absolutely minimal
First - I’m not sure Sealed Sender would help against the server being changed to be actively malicious and trying to build social graphs. Second - even metadata concerns aside, a centralized system is just not resilient. Proposals like Chat Control are A LOT more easily enforceable with them than with tiny selfhosted servers.
minimise
Just enough, just enough
Download portmaster and review signal connections ;)
I know that Signal runs on US cloud infrastructure (like AWS IRRC)
Doesn’t change a thing about it’s security or what they hand to disclose to authorities
The question is not is Proton perfect in every conceivable way, the question is: is it more private than Google and the answer to that is yes.
When you opine on social media that Proton is somehow just as bad as Google you are helping doing the work of Google and that’s the part that (again I don’t truly believe this) makes me wonder if Google/Meta/Twitter is sowing the social web with seeds of doubt about more private alternatives.
Proton ceo is a pedo king bootlicker and their product lacks focus was my criticism.
You ain’t never gonna catch me defending sundar the creep and rest of them parasites
You may want to double check that.
I didn’t say defending, I said helping. Which you are.
You are entitled to you opinion
It really reminds me of the Mastodon mob mentality that caused so much trouble for fosstodon :/
Genuinely most of the people against bluesky/atproto haven’t looked into it further than the blogpost by Christine lemmer-webber, and just want to be eliteist about being on the fediverse.
I’d bet they just added it to their global .gitignore where it should be, then removed it because they didn’t want their private dot files committed to a public repo.
I don’t think this user knows much about git works. I don’t think this is nefarious or “vibe coding” as it’s colloquially known to be. It’s a bit much to describe all LLM use blindly as vibe coding, when vibe coding usually means just blanket accepting AI content.
Pretty on point, the .gitignore in the repo has a CLAUDE.md
https://github.com/ProtonMail/WebClients/blob/main/.gitignore
I don’t think the concern is as much with the purity of their vibe coding, but rather that they’re using an AI-first editor. This will almost certainly mean everything they’re coding is being shared with AI provider(s) during the process, which some would view as at odds with Proton’s stated emphasis on privacy.
Is the privacy of their code that much of an issue in this case given its a public repo? Its going to get scraped by the bots regardless.
Yeah, this logic would encompass all open source projects. Hell, my comment right now will be read by an AI. Why? I’m posting it in a public place.
Because every interaction with the monster is an influence on its next iteration.
The committed code in the repo will get scraped anyway, but the data used in testing is a different story. Not that anyone’s ever tested with prod data.
I don’t think the issue is a practical one though. It’s more the company that stands on promises of privacy using tools that are overtly share-happy that seems to be a ideological discrepancy.
But in case my initial comment’s “I don’ think…” wasn’t clear enough, this was my attempt at understanding why this might be a concern (or at least of interest) to folks in this community, not a personal statement of condemnation or anything. I personally could not give less of a shit what code editor they use.
But isn’t this a public repo?
Are we really shitting on companies because they have a config file for the wrong editor? Sorry, a config file for the wrong editor (excluding emacs because be as prejudiced as possible against those folk)?
Do I like “AI First” editors? Hell no. But VSCode is rapidly making that pivot and I don’t know the lineage of Cursor well enough to know if it also used to be “just any other editor”. And, from a quick google, it supports local LLMs (e.g. ollama), so the “Big AI is going to have all your code” problem is mitigated…
Also, the repo is on Github. Big AI (Microsoft) already HAS all their code. And before we have “Well you should selfhost a gitea!”: If your website is public facing, it has been scraped by “AI”. And if your open source project is hidden behind ten paywalls? I am not gonna finish that joke because people get really pedantic and pissy when you try to define “Open Source”.
At the end of the day: At a project level? If active code review by qualified developers is going on, I really don’t care how the code was written. I DO care about those individual developers and their abilities as they continue to use “AI” based tools but… that is a different discussion.
I WOULD be interested in a link to the actual offending file. I’ve been part of enough projects where it was easier to just have dotfiles for every major editor because you have a wide range of contributors and no true scotsman doesn’t have one of the local vimrc style plugins running. Whereas if it is massive instructions on how to generate code, I would get a lot more worried.
But an unsourced screenshot of a discussion thread ain’t it.
I wasn’t shitting on anybody. You’re ranting is misdirected.
Privacy for a codebase is not the same as privacy for me. Security through obscurity would be more at odds with privacy for the end user.
Do you understand the difference between using AI assistance for coding and vibe code?
Yeah using cursor or any AI assistance != vibe coding. I’m just confused why they acted guilty and edited their history without saying anything
Maybe they did the git stuff for some other reason. I mean the files are still there 🤷🏼♀️
I’m a bit tired of the Proton employee bumped into a tourist and didn’timmediately say sorry sort or posts about proton.
One is completely idiotic and dangerous and the other is merely stupid and risky?
OK Luddite
luddite is a compliment, not an insult.
Like, go actually read about them, the luddites were fighting against capitalists replacing workers with machines.
We’re talking about a privacy-first platform, but ok.
Hey, guess what: Luddites were not afraid of technological advancement. They were a solidarity movement to ensure they got fair treatment from owners and managers as their jobs changed with the industrial revolution. You tried to insult someone, but essentially called them pro-union, which is pretty cool, imo. Check out Blood In The Machine.
WORKERS FIRST!
at least I can write code without a LLM babysitter.
I wire my code by hand like a real coder.
No punch cards?
I use butterflies
Nawww good job! Do you want a golden star for writing all that boiler plate, getter/setter methods etc. by hand?
Buddy, if you were writing all that boilerplate by hand before AI, then AI wasn’t the solution to your problems. It takes almost no time at all to write a parameterized code snippet in any modern IDE
Your syntax and overall comprehension are pretty shite. You may not vibe code, (allegedly) but you may be better off vibe posting. I know the rest of us would be, that way. 🤢🤌🏼
That’s literally the definition of “vibe coding”…
Removed by mod
Way to tell on yourself by replying in completely the wrong thread.
No the “definition” (loose term because it’s based on one guys tweet hat invented the word) of vibe coding is to don’t read the code, accept any changes and code purely of vibes.
Oh that’s what it means? Ok I think we’re all confused because it’s literally just from one tweet! I need to look this up.
Wait, there is a full Wikipedia article that I knew I looked at recently: https://en.wikipedia.org/wiki/Vibe_coding
This is entirely wrong?
Not entirely, but the crux is here
“Karpathy described it as “fully giving in to the vibes, embracing exponentials, and forgetting that the code even exists.””
I only read the intro and definition sections, but the article lines up exactly with what Evotech said.
From the article you cited. Did you read it?
Unlike traditional AI-assisted coding or pair programming, the human developer avoids micromanaging the code, accepts AI-suggested completions liberally, and focuses more on iterative experimentation than code correctness or structure. Karpathy described it as “fully giving in to the vibes, embracing exponentials, and forgetting that the code even exists.”
It’s not.
make a directory, init a git repo, start claude code in that directory, feed it a prompt (a good vibe coder will utilize another LLM to write them the prompt), then hit shift+tab a couple times, got watch youtube.
that’s vibe coding.
How is this proof of vibecoding?
Cursor is an AI-powered code editor that understands your codebase and helps you code faster through natural language. Just describe what you want to build or change and Cursor will generate the code for you.
Using cursor doesn’t mean you’re vibe coding.
I use ai all day at work for development, none of it is vibe coding.
Yeah there’s a big difference in code quality between using cursor as an aid to write code and vibe coding which would be asking it to write and debug large swathes of code with little human input. AI is very good at correctly writing a couple lines at a time. It quickly loses the plot when trying to write hundreds of lines or more and the human user has no idea what it’s doing anymore.
Sure, but even VS code has been pushing Copilot pretty hard and from the screenshots the setups look fairly similar. It’s a recently released code editor with their own personal AI built in vs. VS Code which has the AI as an extension (or built in, I don’t know what the default install is like these days).
If they’re using it to auto complete lines of code or fill out boilerplate then I don’t see the problem. If they’re typing “make me a password manager” into the prompt window, hitting enter, and accepting it blindly, that’s a problem. Also the code is (at least in this case) open source, so there should be better evidence of bad vibe coded code than the presence of a config file
I think there are better things to criticise Proton for, and unless there is more to the vibe coding than using the Cursor, citing this as a reason will get those other criticisms ignored in the noise.
It doesn’t matter Proton is the whipping boy of the fediverse
I wish it was
If you were smart enough to look for an answer to the actual question being asked instead of assuming it’s a rhetorical that agrees with your bias you’d have learned something today.
Cursor is an “ai powered” code editor, cursorrules is a file it uses for configuration.
Unfortunately, so is Visual Studio and VS Code.
The presence of an AI assistant isn’t evidence of vibe coding. Even using that AI assistant to auto-complete lines or small sections of boilerplate isn’t vibe coding. To do that you need to ask the AI for whole swaths of code and then just accept what it gives you.
Proton’s repo here is open source. What portion of it presents issues? Any?
Why would you use Cursor instead of VS (the standard for decades) if you’re not going to use the AI features Cursor was specifically created for?
Sure, but cursor is different since it’s marketed as an Ai editor. VScode is just a general one.
Proton’s repo here is open source. What portion of it presents issues? Any?
Ai code is plausible bullshit, it may work, it may have bugs or vulnerabilities. It’s harder to spot these since its plausible bullshit.
but cursor is different since it’s marketed as an Ai editor. VScode is just a general one.
See, that is just the thing: VS Code is marketed as an AI editor. The homepage is literally an autoplaying video of an AI writing code with this title, big and bold, right at the top of the screen:
Poor choice of words on my part, The only appeal of cursor over vscode is the ai features.
This really depends on what their code review process looks like. When I review code, I honestly don’t care how it was generated, I look at the requirements and the code, and determine whether the code meets the requirements. How the code was generated doesn’t impact that at all.
Dude, you’re flaming a company because one of the tools they use is marketed as using AI? You gotta be kidding me. If your bar for privacy requires you to dive down this deep into a company’s asshole, you might as well just become Amish
Poor choice of words on my part, The only appeal of cursor over vscode is the ai features.
this is, after all, why we review and trst code.
Your opinion is based on your ideology of what’s wrong and good, but it is not factual
And still no drive client for Linux…Fuck those guys :)
Their Linux VPN client might as well not exist. No kill switch and it randomly disconnects/crashes. Sometimes it completely borks networking necessitating a reboot, which I guess can be better than just leaking your IP?
Isolating the VPN into docker + gluetun should (should) solve that particular issue.
I’ve never heard of this before! I read this a bit: https://pimylifeup.com/docker-gluetun/
What is the benefit here? I have no experience with containers, so I’m not really sure what I’m encapsulating there.
A container runs the utility in an isolated environment without having to alter your base system’s packages, dependencies, etc. Assuming the bork that necessitates a reboot is not a kernel or hardware issue, this would mean that if you get hit with that issue again in a container, what dies is the container itself, rather than your system as a whole. So you’re isolating 1.- package management 2.- network config and (potentially) 3.- “blast radius”.
(That said, this is the first time I’ve ever heard that Proton would bork the networking to the point of requiring a whole system reboot.)
Thanks for explaining!
Don’t thank me yet, as I said, this is the first time I’ve ever heard of this kind of bork, so I’m hoping this would fix / sidestep it! :p
I was thanking you for the explanation. I need to spend some time playing with containers and understanding how to manage applications that way.
I just use plain old openvpn configs. Once my credit runs out ill switch to mullvad. They were the best option for a time, but that changes.
tf you mean? kill switch does work, doesn’t randomly disconnect and it doesn’t really bork it for me. skill issue? guess my distro based on my pfp
Rclone foo!
How far have the mighty fallen.
Thinking of moving my main e-mail address to tuta. Alas, haven’t been able to find a good provider that uses tried-and-true protocols like IMAP.
Love mailbox.org, got the lite plan for €12 per year and works like a charm. Can use the secure mail address or the reg and just paste your public key into to use with Thunderbird.
I’ll be considering it, but if I have to deal with paid services in this good year of Arceus of 2025 I’d prefer them to at least deal with my national currency directly, or fall within my country’s jurisdiction.
I’ve made an exception for SDF simply because 1.- they’re awesome and 2.- the payment is one-time-only.
That’s what I’m in the process of switching to
Disroot is in my 👀 now because you guys reminded me it was already, some time ago. Let’s see how that one goes!
I would very much consider doing some actual research on tuta. Last I checked, they put a LOT of effort into preventing you from controlling your own inbox (Proton have their god awful sync program but it works). And their support forums were basically nothing but constant complaints of downtimes and outages.
My current approach, that I am slowly migrating everything toward (from gmail), is my own domain that I own and addresses at that. I then use (paid) services to manage the email server and just change my DNS settings so that said emails get routed to the right service. I keep a local copy of all my emails on my desktop (working on a solution to my NAS). So if the company goes to shit? I can migrate my entire existence to a new one within 24 hours (usually less because Cloudflare is really good…).
Currently I use Proton (and hate their sync program). I’ve seen a LOT of good word on Fastmail and like that they don’t have any special sync program at all. Main issue is that Proton still have the best VPN for torrenting (linux ISOs only, obviously) and I need to math out what it would cost to switch to just ProtonVPN and then Fastmail. But (Not That) Will Smith wrote up a really good blog post a few months back where he went into why he likes Fastmail and he (and Brad Shoemaker) tend to be my kind of “Yes, I am making my life harder but for a reason maybe”.
not email but are there any good alternatives for cloud storage? i backup some of my passwords and pictures to my proton drive manually
Its not cheap to start with, but the best thing you can do is just go buy a 2 or 4 bay synology (I hear ugreen is also good. Fuck qnap) and set up a local home NAS. The vast majority of people will never need more than that and you can back up all your photos and documents in a form factor you can grab when evacuating a burning building.
For essential stuff where you do want/need an off site backup? All of these cloud services are backed up by Amazon et al storage. Do a bit of research (there are plenty of pre-rolled solutions but people get pissy and annoying) and figure out how to encrypt the important docs and push them to cheap storage. Not free but you are literally paying pennies on the dollar compared to any other paid back-up service and… if the storage is free then you are the product.
Or, if you really don’t care: Learn to encrypt your sensitive important data and put it in a google drive.
would hndl be a concern?
That is up to you how much you care and what encryption schemes you use (which I intentionally will not make a recommendation on). Best practices is to maintain your own off site backups but… good luck.
That said? If we reach the point that the “good” encryptions are trivially decryptable then the entire modern world is already collapsing as e’rybody goes after the banks and governments. Otherwise? That is going to cost significant compute resources. How important do you think you are that someone is going to track a random bucket to you and then focus on decrypting those tax documents?
Hold your horses buddy it ain’t that bad, but if you want an alternative, Try Disroot
Tried that once, long ago, but I honestly don’t remember why I couldn’t complete the signup. Maybe an essay, or an issue with e-mail verification.
Might have to take a look at it again!
Posteo?
Looks paid, I prefer to discard any possible solutions on my country’s currency before I even take a look at having to deal with international KYC shit.
I don’t really care
ok.
Valid answer!
What question do you think you asked?
There never was a question
Kind of the point I was making…
Can answers only be given for questions, or can they also mean ”reaction"?
Sure. It’ll still never earn respect.
Yes.
This guy seems somewhat biased against this Proton feller
They’re cooked
Because 1 coder used Cursor and a bunch of people on Mastadon immediately went to grab the pitchforks because reasons?
How much you want to bet not a single person having a huff about this pays a cent to Proton for anything, and likely doesn’t even use them?
Its like complaining an accountant uses a calculator
deleted by creator
A calculator produces reproducible results and does not introduce security flaws into your code that you don’t care to look for
Then do care to look for? There are PRs, there is a dev that approves changes. It’s stupid to resist agentic AIs when they boost productivity by a lot.
Citation that isn’t anecdotes please, only actual study I’ve seen into this was a ~19% drop and even that was flimsy.
19% drop in what?
Uh, idk how they got that number. It goes against the observations of literally everyone in the industry, so maybe it’s not the industry that is biased, but the benchmark they did is incorrect?
Like just several sprints before I’ve saved my team by generating proto contracts taking backend repo as a context, as backend was busy with other higher important things to unblock us. No AI here means we would be blocked full stop for the entire sprint. And when backend did generate the contract, it was almost identical, and the diff in contracts allowed to identify the issue in the entities they send.
True, some tasks can be done faster without AI, because you have the context and the amount of code volume is actually fairly low.
But
while the “high developer familiarity with [the] repositories” aided their very human coding efficiency in these tasks.
My brother in Christ, in big enterprise project chances that you have some familiarity with the code, well, they are non-zero, but also not that high.
Uh, idk how they got that number. It goes against the observations of literally everyone in the industry,
Scientific study vs anecdotal data, that’s what studies are supposed to be, the formalisation and distillation of data into conclusions based on said data.
so maybe it’s not the industry that is biased, but the benchmark they did is incorrect?
Possibly, do you know how that’s normally tested ?
Like just several sprints before I’ve saved my team by generating proto contracts taking backend repo as a context, as backend was busy with other higher important things to unblock us. No AI here means we would be blocked full stop for the entire sprint. And when backend did generate the contract, it was almost identical, and the diff in contracts allowed to identify the issue in the entities they send.
Anecdote, from a single person.
I don’t doubt that that is your experience, but it’s just that, your experience.
and before you bring out the “but everyone i know all says the same”, that’s still anecdotal, it’s what anecdotal means.
My brother in Christ, in big enterprise project chances that you have some familiarity with the code, well, they are non-zero, but also not that high.
I mean, sure ? i’m not sure how that is relevant though.
As i said, the one study i’ve seen is somewhat flimsy…
Do you have literally any other study to backup any claims to the contrary?
My original comment was in response to :
It’s stupid to resist agentic AIs when they boost productivity by a lot.
That might be true, but for it to be applicable the productivity boost needs to be real, and for public claims to be taken seriously, provably real.
That you, personally, think you are seeing this is great, works for you.
I’ll hold my judgment given that the source of this is that massive asshole, David Gerard.
why do you think he is an asshole?
He’s a Wikipedia editor that abuses his power. Look him up.
