- cross-posted to:
- [email protected]
- [email protected]
- cross-posted to:
- [email protected]
- [email protected]
Transcript
A post by [object Object] (@[email protected]) saying: courtesy of @[email protected], Proton is now the only privacy vendor I know of that vibe codes its apps: In the single most damning thing I can say about Proton in 2025, the Proton GitHub repository has a “cursorrules” file. They’re vibe-coding their public systems. Much secure! I am once again begging anyone who will listen to get off of Proton as soon as reasonably possible, and to avoid their new (terrible) apps in any case. https://circumstances.run/@davidgerard/114961415946154957
It has a reply by the author saying: in an unsurprising update for those familiar with how Proton operates, they silently rewrote their monorepo’s history to purge .cursor and hide that they were vibe coding: https://github.com/ProtonMail/WebClients/tree/2a5e2ad4db0c84f39050bf2353c944a96d38e07f
given the utter lack of communication from Proton on this, I can only guess they’ve extracted .cursor into an external repository and continue to use it out of sight of the public
I’m annoyed because I had to go find a tree that actually had the cursor files. If there’s a smoking gun, you gotta fucking link it when you call someone out.
The irony of Proton attempting to remove it this way is that GitHub trees are permanently available. The only way to remove something once a link has been created is to delete the repo. I’d expect a security-minded company to understand that. To me that’s much more egg-on-face than vibe-coding secure applications. Neither is good; only one very explicitly highlights you don’t know shit about security.
AFAIK, unless that tree has signed commits in the history after the commit introducing the cursor files (or it’s otherwise verifiable, like having been linked by a member of their team), that’s not a smoking gun.
I remember a meme that was shared a while ago, where somebody forked the Linux kernel on GitHub, made a joke commit under Linus’s details (which are NOT verified by design), and posted them around. I can’t find an instance of that right now, but here’s a somewhat similar example, where somebody put a fake backdoor in their fork and changed the url to the original repo, which lets them pretend the commit came from the original repo.
I’d love to see a smoking gun to confirm those claims, but commiting as somebody else, with a fake time, and editing history aren’t that difficult - if they could remove the file from history, somebody else could add it to history.