
Comment by deng

9 days ago

> No. The main reasons are that
>
> 1) the code AI produces is full of problems, and if you show it, people will make fun of you, or
>
> 2) if you actually run the code as a service people can use, you'll immediately get hacked by people to prove that the code is full of problems.

1) no one cares if it works. No one cared before how your code looked as long as you are not a known and well used opensource project.

2) there are plenty of services which do not require state or login and can't be hacked. So still plenty of use cases you can explore. But yes, I do agree that security for production live things is still the biggest worry. But let's be honest, if you do not have a real security person on your team, the shit out there is not secure anyway. Small companies do not know how to build securely.

  • > 1) no one cares if it works. No one cared before how your code looked as long as you are not a known and well used opensource project.

    Forgive me if this is overly blunt, but this is such a novice/junior mindset. There are many real world examples of things that "worked" but absolutely should not have, and when it blows up, can easily take out an entire company. Unprotected/unrestricted Firebase keys living in the client are all the rage right now, yeah they "work" until someone notices "hey, I technically have read/write god mode access to their entire prod DB", and then all of a sudden it definitely doesn't work and you've possibly opened yourself to a huge array of legal problems.

    The more regulated the industry and the more sensitive the business data, the worse this is exacerbated. Even worse if you're completely oblivious to the possibility of these kinds of things.
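    Added example (not from any commenter in this thread): the "god mode" failure described above usually comes from the database's security rules rather than the key itself, since a Firebase web API key is meant to ship in the client. The Firestore rules file below shows the wide-open ruleset, kept in comments, next to a hardened version that denies everything by default and lets an authenticated user touch only their own document. The `users/{userId}` collection layout is an assumption for illustration.

    ```firestore
    rules_version = '2';
    service cloud.firestore {
      match /databases/{database}/documents {

        // Weak setting (commented out): a catch-all match with "if true" hands every
        // holder of the public web config full read/write access to the whole database.
        //
        // match /{document=**} {
        //   allow read, write: if true;
        // }

        // Hardened: a signed-in user may read and write only the document keyed by
        // their own uid (assumed collection layout: /users/{userId}).
        match /users/{userId} {
          allow read, write: if request.auth != null && request.auth.uid == userId;
        }

        // Default deny for everything not matched above. Firestore already denies
        // unmatched paths, but stating it makes the intent visible in review.
        match /{document=**} {
          allow read, write: if false;
        }
      }
    }
    ```

    A quick check when reviewing a project: any `allow ... if true` inside a `/{document=**}` match is the setting to look for, and the published rules can be exercised against the local emulator before deployment.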

    • > Forgive me if this is overly blunt, but this is such a novice/junior mindset.

      Unfortunately the reality is there are far more applications written (not just today but for many years now) by developer teams that will include a dozen dependencies with zero code review because feature XYZ will get done in a few days instead of a few weeks.

      And yes, that often comes back to bite the team (mostly in terms of maintenance burden down the road, leading to another full rebuild), but it usually doesn't affect the programmers who are making the decisions, or the project managers who ship the first version.

    • I'm an architect and have 20 years of experience.

      I have seen production databases reachable from the internet with 8 character password and plenty others.

      But my particular point is only about the readability of code from others.

You should go hack the Cloudflare Workers OAuth stuff then, right?

  • You seem to think I'm an AI coding hater or something. I'm not. I think these tools are incredibly useful and I use them daily. However, as described in the article, I am skeptical about stories where AI writes whole applications, SaaS or game engines in a few hours and everything "just works". That is not my experience.

    The Cloudflare OAuth lib is impressive, I will readily admit that. But they also clearly mention that of course everything was carefully reviewed, and that not everything was perfect but that the AI was mostly able to fix things when told to. This was surely still a lot of work, which makes this story also much more realistic in my opinion. It surely greatly sped up the process of writing an OAuth library - how much exactly is however hard to say. Especially in security-relevant code, the review process is often longer than the actual writing of the code.

    • I don't know why you're giving me two paragraphs of response. I'm not psychoanalyzing you. I had a simple suggestion: if agent code output is so bad nobody runs it because it would get people owned, go own up the code Kenton generated.