ntfy.sh v2.18.0 was written by AI
-
Definitely share your initial concern. Without strong review processes to ensure that every line of code follows the intent of the human developer, there’s no way of knowing what exactly is in there and the implications for the human users. And I’m not just talking about bugs.
They say it’s reviewed, but the temptation to blindly trust is there. In this case, developer appears to have taken some care.
The code was written by Cursor and Claude, but reviewed and heavily tested over 2-3 weeks by me. I created comparison documents, went through all queries multiple times and reviewed the logic over and over again. I also did load tests and manual regression tests, which took lots of evenings.
Let us hope so. Handle with care to ensure responsibility is not offloaded to a machine instead of a person.
Yeah, it could easily have added a couple of lines of code that sends everything to Northern Korean hackers because it found that in a bunch of repositories or just logging passwords to public logs or other things an experienced developer would never do. "AI" only replicates what it sees most often and as more spam and junk repos are added to its training data because "AI" companies are too concerned with profit to teach it properly, it could do tons of random stuff. It's like training a developer by giving them random examples from the internet rather than specific ones. Of course they pick up bad habits. Even if it "works" it is almost never efficient or secure.
-
Upvote and comment on: https://github.com/binwiederhier/ntfy/issues/1645
Thanks for the link! As a short aside for the other people here: Try not to spam developers. That usually achieves the opposite and makes them miserable, when we want them to not burn out, and write good software for us. A thumbs-up emoji is the correct reaction for the average person. Or for the pros - a code-review highlighting specific issues within the code.
-
According to the release:
Adds experimental PostgreSQL support
The code was written by Cursor and Claude
14,997 added lines of code, and 10,202 lines removed
reviewed and heavily tested over 2-3 weeks
This makes me uneasy, especially as ntfy is an internet facing service. I am now looking for alternatives.
Am I overreacting or do you all share the same concern?
It looks like that tool is more or less built by a single developer (you already trust their judgment anyways!), and even though the code came through in a single PR it was a merge from a branch that had 79 separate commits: https://github.com/binwiederhier/ntfy/pull/1619
Also glancing through it a bit, huge portions of that are straightforward refactors or even just formatting changes caused by adding a new backend option.
I'm not going to say it's fine, but they didn't just throw Claude at a problem and let it rewrite 25k lines of code unnecessarily.
-
I'm a developer
I sometimes sometimes use AI for an answer to a complicated problem because normally I'd open up 20 pages , have to go through them all to find the right answer
AI gets me the answer right away, though it likely is completely wrong or at least partially wrong. Either way, it gives me a general direction and with that I only have to search through one or two pages to confirm, so the same process is just a little faster.
I laso have used AI on a couple of occasions to ask it to write code for a complicated problem. Again, you don't copy the code, god no, it's always the worst, and it is in 80% of the cases still at least riddled with bugs, or just complete bullshit. However, it might give me an alternative idea or a direction to take to implement or fix this complicated feature problem.
That's the extent to which I've used AI and for the foreseeable future that won't change because AI still can't code. It's still wildly flailing around and it might produce something that implements a certain functionality, but it's a guarantee that that functionality will have more bugs and security holes than features
I am also a developer and agree entirely.
Asking for advice, examples or the occasional boilerplate is at most how I use AI and certainly not integrated directly into my IDE.
-
Sure, that would be a little different, but unless you could make a convincing argument, backed up with a solid set of unit tests, at the least, as to why and how you were able to remove that much code whilst only adding a comparatively small amount, I'd still be inclined to reject it and ask for it to be broken down into smaller units.
Now, that explaination might be something along the lines of it being dead code that is not called from anywhere, or even that it was a patched version of an upstream library, and the patch is now included in that upstream, in which case, fair enough, good work, and thanks very much. As a rewrite or refactor though, it's too big to sensibly review and needs breaking down into separate features.
Absolutely, the author needs to be able to reason about their changes, no matter what. However, the reason why I think the two situations are fundamentally different, though, is that it's a lot easier to validate the existence of features than it is the non-existence of bugs or malicious behavior. The biggest risk to removing code is breaking preexisting features, whereas the biggest risk to adding code is introducing malicious behavior.
-
Oh goddamn it, I'm using this and don't have an alternative lined up
What is your concern? If it’s a generic “AI”, then I can assure you tha pretty much every software has AI code in it already. Heck, Linus is accepting PRs where AI has been used.
AI is useful. It produces useful code.
Like creative writing, it won’t produce something novel. But man, 75% of code is just boiler plate. AI can do a lot for boilerplate.
That does not absolve anyone of committing crap code. Put your name to it. Own it. Take the consequence of delivering shit code or great code, no matter how it was written. Don’t let AI be a crutch. But you’d be god damn fool not to use it, where it’s right (boilerplate, test writing, tedious changes etc.)
-
What is your concern? If it’s a generic “AI”, then I can assure you tha pretty much every software has AI code in it already. Heck, Linus is accepting PRs where AI has been used.
AI is useful. It produces useful code.
Like creative writing, it won’t produce something novel. But man, 75% of code is just boiler plate. AI can do a lot for boilerplate.
That does not absolve anyone of committing crap code. Put your name to it. Own it. Take the consequence of delivering shit code or great code, no matter how it was written. Don’t let AI be a crutch. But you’d be god damn fool not to use it, where it’s right (boilerplate, test writing, tedious changes etc.)
There’s a big difference between “AI was used in some capacity” and “Entirely vibe coded”
-
There’s a big difference between “AI was used in some capacity” and “Entirely vibe coded”
Of course. And when I hear “vibe coded”, I hear someone starting with “make me a cool app” and going from there, with zero understanding of the technical architecture.
If you have a thorough, deeply thought through technical spec, then AI can write a great amount of tests up against that spec, say, and you’ve got a fantastic base for TDD.
I honestly feel like a lot of the downvotes are people thinking AI means “clueless programmer having an AI do its work for you”. Many highly productive, deeply technical developers use it every day.
-
It looks like that tool is more or less built by a single developer (you already trust their judgment anyways!), and even though the code came through in a single PR it was a merge from a branch that had 79 separate commits: https://github.com/binwiederhier/ntfy/pull/1619
Also glancing through it a bit, huge portions of that are straightforward refactors or even just formatting changes caused by adding a new backend option.
I'm not going to say it's fine, but they didn't just throw Claude at a problem and let it rewrite 25k lines of code unnecessarily.
Wow a differentiated opinion on AI use
-
Of course. And when I hear “vibe coded”, I hear someone starting with “make me a cool app” and going from there, with zero understanding of the technical architecture.
If you have a thorough, deeply thought through technical spec, then AI can write a great amount of tests up against that spec, say, and you’ve got a fantastic base for TDD.
I honestly feel like a lot of the downvotes are people thinking AI means “clueless programmer having an AI do its work for you”. Many highly productive, deeply technical developers use it every day.
Idk man by the sounds of it, the AI implemented the entire back end change, adding 14k lines of generated code. The dev doesn’t even seem confident with his own testing. Sounds like it’s closer to the vibe-coded end of the scale to me.
I’ve been meaning to give Ntfy a shot but now I likely won’t. If I wanted a vibe coded project I’d just do it myself.
-
What is your concern? If it’s a generic “AI”, then I can assure you tha pretty much every software has AI code in it already. Heck, Linus is accepting PRs where AI has been used.
AI is useful. It produces useful code.
Like creative writing, it won’t produce something novel. But man, 75% of code is just boiler plate. AI can do a lot for boilerplate.
That does not absolve anyone of committing crap code. Put your name to it. Own it. Take the consequence of delivering shit code or great code, no matter how it was written. Don’t let AI be a crutch. But you’d be god damn fool not to use it, where it’s right (boilerplate, test writing, tedious changes etc.)
Massive changes made by robit in what has been a pretty stable utility for years is (obviously?) my main concern. It's absolutely a crutch, and seeing a dev lean on it like this gives me the same feeling Coach must've got seeing his star player limping into the big game on a real one. If dude wants to check out and let the machine run his project fine, but I'll be looking for something someone still cares about and works on.
I think you'd be a fool to use it. At this point it's subsidized by their need for training data/desire to manufacture dependency, but that won't be the case for long. It's expensive, detrimental to your skills, and damaging to both our planet and society. It centralizes and gatekeeps access to information, the most powerful resource of all. "Treat it like an inexperienced dev" managers say, while it replaces their opportunities to gain experience. How are they supposed to even tell great code from shit when everything they're exposed to has been run through the averaging machine?
-
They just replied:
What gave you the idea that this was a full rewrite? I moved things around with AI and added postgres support for the queries. Nobody has ever reviewed and tested anything more thoroughly than I did with this branch.
You are twisting what it actually is. You are assuming something that is not true.
This makes me think that they didn't review or test it at all, lmao
This is the biggest release I've ever done on the server. It's 14,997 added lines of code, and 10,202 lines removed
-
That's from Mozilla, another AI company...
Ugh, seriously? Great...
(Edit) I don't think this is true? They use Mozilla's push services, but nothing about their Codeberg repo (yes, it's on Codeberg, not Github) indicates they're part of Mozilla.
-
According to the release:
Adds experimental PostgreSQL support
The code was written by Cursor and Claude
14,997 added lines of code, and 10,202 lines removed
reviewed and heavily tested over 2-3 weeks
This makes me uneasy, especially as ntfy is an internet facing service. I am now looking for alternatives.
Am I overreacting or do you all share the same concern?
we're all so fucked
-
I just set up a ntfy server for Unified Push earlier this week to use with Matrix. Now I have to turn around and immediately replace it...
You could, in the meantime, simply not upgrade to the version that uses AI.
Since, from what I'm seeing around, people are having issues looking for an alternative.
-
According to the release:
Adds experimental PostgreSQL support
The code was written by Cursor and Claude
14,997 added lines of code, and 10,202 lines removed
reviewed and heavily tested over 2-3 weeks
This makes me uneasy, especially as ntfy is an internet facing service. I am now looking for alternatives.
Am I overreacting or do you all share the same concern?
Well, Telegram does the something for free.
-
there is this repo that lists some slopware :
https://codeberg.org/small-hack/open-slopware
maybe someone can add itdid not know that the serde developer tolnay is a military apologist. I'm disgusted. serde is a very good tool.. I'll think about what to do about this. such a shame...
-
there is this repo that lists some slopware :
https://codeberg.org/small-hack/open-slopware
maybe someone can add itthe linux kernel is on that list, bro it's time to switch!
-
According to the release:
Adds experimental PostgreSQL support
The code was written by Cursor and Claude
14,997 added lines of code, and 10,202 lines removed
reviewed and heavily tested over 2-3 weeks
This makes me uneasy, especially as ntfy is an internet facing service. I am now looking for alternatives.
Am I overreacting or do you all share the same concern?
In reality how big of a risk it currently is? I just started to use it just for fun and personal projects. If previous version didn't have security vulnerabilties then then there is no rush to update or am i missing something?
-
According to the release:
Adds experimental PostgreSQL support
The code was written by Cursor and Claude
14,997 added lines of code, and 10,202 lines removed
reviewed and heavily tested over 2-3 weeks
This makes me uneasy, especially as ntfy is an internet facing service. I am now looking for alternatives.
Am I overreacting or do you all share the same concern?
What's the difference between ntfy (android app) and ntfy.sh?
