this post was submitted on 08 Mar 2026
464 points (94.4% liked)

Selfhosted

56958 readers
1019 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
464
ntfy.sh v2.18.0 was written by AI (github.com)
submitted 3 days ago* (last edited 3 days ago) by ueiqkkwhuwjw@lemmy.world to c/selfhosted@lemmy.world
175 comments fedilink hide all child comments
 

According to the release:

Adds experimental PostgreSQL support

The code was written by Cursor and Claude

14,997 added lines of code, and 10,202 lines removed

reviewed and heavily tested over 2-3 weeks

This makes me uneasy, especially as ntfy is an internet facing service. I am now looking for alternatives.

Am I overreacting or do you all share the same concern?

you are viewing a single comment's thread
view the rest of the comments
[–] notabot@piefed.social 62 points 3 days ago (1 children)

I'm assuming this is some sort of canary message to indicate that the code base has been compromised, the author can't talk about it, and everyone should immediately stop using the service. Surely no-one would be unwise enough to commit this otherwise?

Even ignoring the huge red LLM flag, a 25kLOC delta in a single PR should be cause for instant rejection as there's no way to fully understand or test it, let alone in 2-3 weeks.

[–] ExFed@programming.dev 22 points 3 days ago (1 children)

25kLOC delta in a single PR should be cause for instant rejection

Not to pick at nits, but it would be VERY different if it was 1k lines added and 24k lines removed. There's something extremely satisfying about removing 10k+ lines of unnecessary code.

[–] notabot@piefed.social 12 points 3 days ago (1 children)

Sure, that would be a little different, but unless you could make a convincing argument, backed up with a solid set of unit tests, at the least, as to why and how you were able to remove that much code whilst only adding a comparatively small amount, I'd still be inclined to reject it and ask for it to be broken down into smaller units.

Now, that explaination might be something along the lines of it being dead code that is not called from anywhere, or even that it was a patched version of an upstream library, and the patch is now included in that upstream, in which case, fair enough, good work, and thanks very much. As a rewrite or refactor though, it's too big to sensibly review and needs breaking down into separate features.

[–] ExFed@programming.dev 3 points 3 days ago

Absolutely, the author needs to be able to reason about their changes, no matter what. However, the reason why I think the two situations are fundamentally different, though, is that it's a lot easier to validate the existence of features than it is the non-existence of bugs or malicious behavior. The biggest risk to removing code is breaking preexisting features, whereas the biggest risk to adding code is introducing malicious behavior.