{"id":60873,"date":"2025-11-12T08:20:46","date_gmt":"2025-11-12T11:20:46","guid":{"rendered":"https:\/\/manualdousuario.net\/?p=60873"},"modified":"2025-11-12T08:20:46","modified_gmt":"2025-11-12T11:20:46","slug":"keepassxc-codigo-aberto-ia","status":"publish","type":"post","link":"https:\/\/manualdousuario.net\/en\/keepassxc-codigo-aberto-ia\/","title":{"rendered":"How should open source software projects handle AI\u2011generated code?"},"content":{"rendered":"<p>The excellent <a href=\"https:\/\/keepassxc.org\/\">KeePassXC<\/a>, an offline, open\u2011source password manager, is at the center of a controversy over the use of AI\u2011generated code after the project\u2019s collaboration policy and README added <a href=\"https:\/\/github.com\/keepassxreboot\/keepassxc\/blob\/develop\/README.md#generative-ai\">this paragraph<\/a>:<\/p>\n<blockquote><p>Generative AI is fast becoming a first-party feature in most development environments, including GitHub itself. If the majority of a code submission is made using Generative AI (e.g., agent-based or vibe coding) then <strong>we will document that in the pull request<\/strong>. 
All code submissions go through a rigorous review process regardless of the development workflow or submitter.<\/p><\/blockquote>\n<p>The backlash from users and critics was so intense that on Sunday (9<sup>th<\/sup>) one of the project maintainers, Janek Bevendorff, <a href=\"https:\/\/keepassxc.org\/blog\/2025-11-09-about-keepassxcs-code-quality-control\/\">published a post on the official blog<\/a> detailing their stance on AI\u2011generated code.<\/p>\n<p>Worth highlighting from the post:<\/p>\n<ol>\n<li>KeePassXC does not have \u2014 and will not have \u2014 AI features.<\/li>\n<li>All PRs are reviewed by a human before being accepted (or rejected).<\/li>\n<li>Generative AI has been used for \u201ccreating pull requests that solve simple and focused issues, add boilerplate code and test cases.\u201d<\/li>\n<\/ol>\n<p>Regardless of what you or I think of AI\u2011generated code, its quality, or ethical concerns about its use, I believe KeePassXC\u2019s position is correct and the flood of criticism is unfair.<\/p>\n<p>First, because it would be impossible to guarantee rejecting all AI\u2011generated code. Tools like GitHub Copilot don\u2019t leave a \u201csignature\u201d when used; developers sometimes mix machine\u2011generated code with code they wrote themselves.<\/p>\n<p>\u201cWe\u2019d rather have them transparently disclose the use of AI than hide it and submit the code against our terms,\u201d Janek wrote.<\/p>\n<p>Second, because the premise that AI\u2011generated code inherently threatens software integrity doesn\u2019t hold up. Yes, AI\u2011generated code can be poor, just as code by inexperienced programmers or malicious actors can be poor or, worse, harmful. It\u2019s easier to sabotage an open\u2011source project as a human than with the help of an AI. 
Look at the <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/cloud-security\/npm-supply-chain-attack\/\">recent npm supply\u2011chain attacks<\/a> on popular packages, which show that human\u2011led sabotage is real.<\/p>\n<p>The only real risk would be a deluge of poor AI\u2011generated submissions that overwhelm KeePassXC\u2019s five maintainers and create development bottlenecks. There are documented cases of this \u2014 perhaps most notably <a href=\"https:\/\/www.linkedin.com\/posts\/danielstenberg_hackerone-curl-activity-7324820893862363136-glb1\/\">the cURL incident<\/a>. Janek says this hasn\u2019t happened (yet?) with KeePassXC and that \u201cwe will adjust our policies and methods as the need arises.\u201d<\/p>\n<p>Unless someone is willing to store all their passwords in a single <code>*.txt<\/code> file or an encrypted blob, a zero\u2011tolerance policy toward software containing AI\u2011generated code is unlikely to hold. KeePassXC deserves credit for bringing transparency to the issue. Others may not; with closed\/proprietary software you can\u2019t even inspect the code or development practices.<\/p>\n<p>Questioning is legitimate \u2014 and, in fact, healthy. Janek agrees, closing the KeePassXC blog post with these words:<\/p>\n<blockquote><p>So please, be skeptical of AI. But also be skeptical of human strangers as we are to you. If our AI policy toppled your trust in us, ask yourself why you trusted us (or anyone) in the first place. You don\u2019t know us, you trust our reputation, and we earned that by building a stable product, which we will continue to do. You have our full commitment that we will not integrate any AI features into KeePassXC, and we will not merge any code (human or AI) without tests and thorough review. 
We have high standards; please continue holding us to them, but let\u2019s have a rational and informed conversation.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>The excellent KeePassXC, an offline, open\u2011source password manager, is at the center of a controversy over the use of AI\u2011generated code after the project\u2019s collaboration policy and README added this paragraph: Generative AI is fast becoming a first-party feature in most development environments, including GitHub itself. If the majority of a code submission is made [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"episode_type":"","audio_file":"","podmotor_file_id":"","podmotor_episode_id":"","cover_image":"","cover_image_id":"","duration":"","filesize":"","filesize_raw":"","date_recorded":"","explicit":"","block":"","itunes_episode_number":"","itunes_title":"","itunes_season_number":"","itunes_episode_type":"","_locale":"en_US","_original_post":""},"categories":[1575],"tags":[1833,1861],"_links":{"self":[{"href":"https:\/\/manualdousuario.net\/wp-json\/wp\/v2\/posts\/60873"}],"collection":[{"href":"https:\/\/manualdousuario.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/manualdousuario.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/manualdousuario.net\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/manualdousuario.net\/wp-json\/wp\/v2\/comments?post=60873"}],"version-history":[{"count":2,"href":"https:\/\/manualdousuario.net\/wp-json\/wp\/v2\/posts\/60873\/revisions"}],"predecessor-version":[{"id":60875,"href":"https:\/\/manualdousuario.net\/wp-json\/wp\/v2\/posts\/60873\/revisions\/60875"}],"wp:attachment":[{"href":"https:\/\/manualdousuario.net\/wp-json\/wp\/v2\/media?parent=60873"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/manualdousuario.ne
t\/wp-json\/wp\/v2\/categories?post=60873"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/manualdousuario.net\/wp-json\/wp\/v2\/tags?post=60873"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}