If you want some entertainment value, check out AI tools on Github. For example the popular VS Code extension Continue.dev. The devs do everything with AI and so do people contributing. A lot of the issues are pure nonsense and the pull requests are hilarious.
The code is terrible as well, with lots of weird stuff and duplicate code. A friend of mine pointed out an issue where there was a bug with certain boundaries when parsing text. This bug keeps popping up, even though people are trying to fix it. The text parser is a mess, with all sorts of weird code paths caused by just vibe coding the whole thing line by line and then playing whack-a-mole with the bugs. The bot kept on “fixing” it by adding more checks and adding more mess. It suggested implementing helper functions to clean some of that shit up, but those helper functions were already implemented a dozen times elsewhere in the code. All slightly different of course, to create more bugs. It’s honestly a wonder it all works and the devs just telling the bot: “Fix it” doesn’t inspire me with confidence.
Vibe coding is so fucking terrible. I already doubt an experienced dev being “assisted” by a clanker can deliver the same level of quality with the same efficiency and effort. People who don’t exactly know what they are doing and are just vibing make for terrible results.
Last week a colleague wanted to “win me over” on AI coding (after I wrote a rather negative code review on stuff “he” had written). So we took a simple task, something I could do in about 1-2 hours max. It wasn’t super straightforward, but not exactly hard either. So I started a timer and did the task, ended up taking 78 mins, so within estimate. After that we sat down together and he would do the task with his AI tools and show me how well it works. We spent the rest of the day with that, at first he tried with one of the lesser capable models. It didn’t understand the task, messed things up beyond repair or made some really weird decisions. Multiple times the bot said it was done, where items on the todo list weren’t completed. So after a couple of hours we switched to a different model, which did better, but still failed on a couple of important aspects. In the end we simply couldn’t get a satisfactory result out of the bots, no matter how much coaching and correcting he did. He was going to think about a better example and would show me again next week, so I’m looking forward to that.
The thing that also annoyed me was how long it took. My colleague would type a prompt or connect some tools together and then the thing would go and do stuff in the background. We would sit around for minutes at a time, until we got the result and then had to look at it all and correct / amend etc. The start-stop nature of AI coding really bugged me, it was jarring and left me figuring out what we were doing exactly multiple times. We sat together and were chatting about all sorts of stuff, which probably didn’t help, but still.
Continue.dev. Source-controlled AI checks, enforceable in CI. Powered by the open-source Continue CLI
This is the best part is like all of these tools that have this much AI slop are the ones with full CI access so they are the ones that get targetted for supply chain attacks. It absolutely hilarious how many supply chain attacks are “ai that protects your repo” or “AI powered CI security”
Want to prevent supply chain attacks? lock your dependencies. Don’t let anything touch your code in the CI pipeline. if you use actions fork them and use yours. Turn off any github bots you have enabled. Put your code into an org. Make a separate user account that’s the only admin for your repos. Store the creds only in a trusted password manager. Require all merges to be PRs. Make it so your main account can’t override that rule. There’s more but this would have blocked like 99% of the last 6 huge AI driven supply chain attacks
If you want some entertainment value, check out AI tools on Github. For example the popular VS Code extension Continue.dev. The devs do everything with AI and so do people contributing. A lot of the issues are pure nonsense and the pull requests are hilarious.
The code is terrible as well, with lots of weird stuff and duplicate code. A friend of mine pointed out an issue where there was a bug with certain boundaries when parsing text. This bug keeps popping up, even though people are trying to fix it. The text parser is a mess, with all sorts of weird code paths caused by just vibe coding the whole thing line by line and then playing whack-a-mole with the bugs. The bot kept on “fixing” it by adding more checks and adding more mess. It suggested implementing helper functions to clean some of that shit up, but those helper functions were already implemented a dozen times elsewhere in the code. All slightly different of course, to create more bugs. It’s honestly a wonder it all works and the devs just telling the bot: “Fix it” doesn’t inspire me with confidence.
Vibe coding is so fucking terrible. I already doubt an experienced dev being “assisted” by a clanker can deliver the same level of quality with the same efficiency and effort. People who don’t exactly know what they are doing and are just vibing make for terrible results.
Last week a colleague wanted to “win me over” on AI coding (after I wrote a rather negative code review on stuff “he” had written). So we took a simple task, something I could do in about 1-2 hours max. It wasn’t super straightforward, but not exactly hard either. So I started a timer and did the task, ended up taking 78 mins, so within estimate. After that we sat down together and he would do the task with his AI tools and show me how well it works. We spent the rest of the day with that, at first he tried with one of the lesser capable models. It didn’t understand the task, messed things up beyond repair or made some really weird decisions. Multiple times the bot said it was done, where items on the todo list weren’t completed. So after a couple of hours we switched to a different model, which did better, but still failed on a couple of important aspects. In the end we simply couldn’t get a satisfactory result out of the bots, no matter how much coaching and correcting he did. He was going to think about a better example and would show me again next week, so I’m looking forward to that.
The thing that also annoyed me was how long it took. My colleague would type a prompt or connect some tools together and then the thing would go and do stuff in the background. We would sit around for minutes at a time, until we got the result and then had to look at it all and correct / amend etc. The start-stop nature of AI coding really bugged me, it was jarring and left me figuring out what we were doing exactly multiple times. We sat together and were chatting about all sorts of stuff, which probably didn’t help, but still.
This is the best part is like all of these tools that have this much AI slop are the ones with full CI access so they are the ones that get targetted for supply chain attacks. It absolutely hilarious how many supply chain attacks are “ai that protects your repo” or “AI powered CI security”
Want to prevent supply chain attacks? lock your dependencies. Don’t let anything touch your code in the CI pipeline. if you use actions fork them and use yours. Turn off any github bots you have enabled. Put your code into an org. Make a separate user account that’s the only admin for your repos. Store the creds only in a trusted password manager. Require all merges to be PRs. Make it so your main account can’t override that rule. There’s more but this would have blocked like 99% of the last 6 huge AI driven supply chain attacks