AI policy

[mttaggart]

Given some other major projects' rather unfortunate embrace of generative models in their development pipeline, it would be reassuring to me (and many others, I'm sure) for this project to adopt a firm stance on the use of generative code. Ideally, that stance would be one of categorical rejection, but clarification of the policy in any direction would be deeply appreciated.

[vae-21]

Just found out today that apparently Bitwarden is using vibe coding these days, which I thought was the push I needed to switch to KeePassXC. Only, they also use sparkly autocorrect.. Using Vaulwarden with Bitwardens browser extension wouldn't be ideal, but better than the current alternatives at least. Assuming this project does have a "no 'ai' allowed" stance?

[stefan0xC]

To my knowledge there only has been one (obvious) attempt to submit a PR with AI generated code #6193 (comment) which has not been accepted - so yeah I don't think that we formally have such a policy since it hasn't become a problem yet (I mean we don't have our own code of conduct either but rely mostly on common sense and that users adhere to the side-wide acceptable use policies which sets some guidelines for collaborative work for all users).

Given that the use of generative AI raises also ethical concerns about copyright infringement and might even be incompatible with the AGPLv3 license if it's reusing incompatibly licensed code verbatim I would caution against accepting PRs written by generative AI and I'd also support a firm policy against that but I can't speak for the maintainers. Since @BlackDex requested a review from Copilot (in the above PR but also in #5742 (comment) 8 months ago) it might be a different question to use it for reviewing purposes. However judging from the quality of the review (as it seems superfluous or rather questionable as well) and because it also hasn't been used since I don't think that we will really embrace AI like KeePassXC has done anytime soon anyway because reviewing code (even seemingly simple ones) takes time as well. And yeah I'd rather we work on a proper testing infrastructure before starting to rely on AI written code.

Disclosure: I have used Copilot myself once to generate an architecture diagram for Vaultwarden #5847 (comment)

[durka]

Hi, I'm wondering about this too, especially with the recent news about Bitwarden making some suspicious corporate changes. I'd prefer to be able to self-host a password manager that isn't at all vibe coded.

The block-claude-on-github trick does show the dreaded "claude has been here" banner on this repo, seemingly due to this commit. There's also this one. Obviously, the former commit is trivial, but it does exist; the latter is larger but it's unclear exactly what "some help" means since it doesn't have the formal Co-authored-by thing 🤷.

Anyways, I'm really not trying to start a firestorm here, and I'm encouraged by @stefan0xC's views expressed above, but it might not be a bad idea to spell out a policy in a CONTRIBUTING.md or something.

[BlackDex]

There was a small conversation about this in our Matrix channel too, of which ill post a screenshot here.

TLDR: We apply the same policy to all contributions, AI or Human. Humans can create as bad as code as AI, or as good as code as AI.

Regarding the commit you mentioned, which came via #7068, that is such a harmless change, which wasn't even really needed, but is it more idiomatic Rust code, yes. Panic's shouldn't happen at all, but from my point of few this doesn't really optimize the code base, but it also does not hurt, so no harm done here, low hanging fruit found by an LLM.

Regarding my PR you also revere too, #7163, As mentioned, i had a bit of help, it was a more complex change and it was a security bug. What i did was asked the LLM what possible solutions would be to fix it, and i checked, adjusted and implemented it my self. Hence I mentioned I had some help from Claude Code, not that I let Claude fix it all by it self and didn't looked at it afterwards.

[BlackDex]

Also, a small remark regarding blocking Claude user in GitHub. That will only help so much, as that if a user lets it adjust the code, and then commits if fully via there own account, you will never know it could have been vibe-coded, so it will give you a false sense of control from my point of view.

[durka]

Thank you for the context! This is disappointing but I'm glad to know the maintainers' views. From my perspective, looking at perceived code quality is a bit of a distraction, the issue is that if nobody wrote the code then nobody understands it, meaning it's harder to maintain and debug. Also there are the ethical and environmental issues. But this isn't my project and I'm not telling you what to do, it just makes me pessimistic about the future direction.

[BlackDex]

To be clear, if we do not understand the code, we will not merge it. Again, doesn't matter if this is written by a Human or LLM!