this post was submitted on 16 Jan 2026
87 points (93.1% liked)

Technology

78880 readers
2776 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
87
About KeePassXC’s Code Quality Control – KeePassXC (keepassxc.org)
submitted 4 days ago by difficult@sh.itjust.works to c/technology@lemmy.world
4 comments fedilink hide all child comments
 

At KeePassXC, we use AI for two main purposes:

  1. As an additional pair of “eyes” in code reviews. In this function, AI summarises the changes (the least helpful part) and points out implementation errors a human reviewer may have missed. AI reviews don’t replace maintainer code review, nor do they relieve maintainers from their due diligence. AI code reviews complement our existing CI pipelines that perform unit tests, memory checks, and static code analysis (CodeQL). As such, they are a net benefit and make KeePassXC strictly safer. Some examples of AI reviews in action: example 1, example 2.
  2. For creating pull requests that solve simple and focused issues, add boilerplate code and test cases. Unfortunately, some people got the impression that KeePassXC was now being vibe coded. This is wrong. We do not vibe code, and no unreviewed AI code makes it into the code base. Full stop. We have used Copilot agent to draft pull requests, which are then subsequently tweaked in follow-up commits, and reviewed by a maintainer, openly for anyone to see, with the same scrutiny as any other submission. Good pull requests are merged (example), bad pull requests are rejected (example).
you are viewing a single comment's thread
view the rest of the comments
[–] PierceTheBubble@lemmy.ml 0 points 3 days ago* (last edited 3 days ago)

AI reviews don’t replace maintainer code review, nor do they relieve maintainers from their due diligence.

I can't help but to always be a bit skeptical, when reading something like this. To me it's akin to having to do calculations manually, but there's a calculator right beside you. For now, the technology might not yet be considered sufficiently trustworthy, but what if the clanker starts spitting out conclusions, which equal a maintainer's, like 99% of the time? Wouldn't (partial) automation of the process become extremely tempting, especially when the stack of pull request starts piling up (because of vibecoding)?

Such a policy would be near-impossible to enforce anyway. In fact, we’d rather have them transparently disclose the use of AI than hide it and submit the code against our terms. According to our policy, any significant use of AI in a pull request must be disclosed and labelled.

And how exactly do you enforce that? It seems like you're just shifting the problem.

Certain more esoteric concerns about AI code being somehow inherently inferior to “real code” are not based in reality.

I mean, there's hallucination concerns, there's licensing conflicts. Sure, people can also copy code from other projects with incompatible licenses, but someone without programming experience is less likely to do so, than when vibecoding with a tool directly trained on such material.

Malicious and deceptive LLMs are absolutely conceivable, but that would bring us back to the saboteur.

If Microsoft itself, would be the saboteur, you'd be fucked. They know the maintainers, because GitHub is Microsoft property, and so is the proprietary AI model, directly implemented in the toolchain. A malicious version of Copilot could, hypothetically, be supplied to maintainers, specifically targeting this exploit. Microsoft is NOT your friend, it closely works together with government organizations; which are increasingly interested in compromising consumer privacy.

For now, I do believe this to be a sane approach to AI usage, and believe developers to have the freedom to choose their preferred environment. But the active usage of such tools, does come with a (healthy) dose of critique, especially with regards to privacy-oriented pieces of software; a field where AI has generally been rather invasive.