According to the release:

> Adds experimental PostgreSQL support
>
> The code was written by Cursor and Claude
>
> 14,997 added lines of code, and 10,202 lines removed
>
> reviewed and heavily tested over 2-3 weeks

This makes me uneasy, especially as ntfy is an internet facing service. I am now looking for alternatives.

Am I overreacting or do you all share the same concern?

    • GreenKnight23@lemmy.world · 2 up · 6 hours ago

      I’ve been using EMQX plus an MQTT client on my phone for a few months now. I like it better than Gotify, since the app was chewing through my battery like a vampire.

      it might be better now since my issues happened three-ish years ago.

  • patrick@lemmy.bestiver.se · 68 up, 2 down · 13 hours ago

    It looks like that tool is more or less built by a single developer (you already trust their judgment anyways!), and even though the code came through in a single PR it was a merge from a branch that had 79 separate commits: https://github.com/binwiederhier/ntfy/pull/1619

    Also glancing through it a bit, huge portions of that are straightforward refactors or even just formatting changes caused by adding a new backend option.

    I’m not going to say it’s fine, but they didn’t just throw Claude at a problem and let it rewrite 25k lines of code unnecessarily.

    • mudkip@lemdro.id · 1 up · 5 minutes ago

      Any AI usage immediately discredits the software for me, because it calls into question all of their past and future work.

    • sloppy_diffuser@sh.itjust.works · 2 up · 6 hours ago

      Something like https://graphite.com/ to create stacked PRs that are reviewable probably would have helped. It can be replicated with local LLMs or remote AI providers with locally configured agentic workflows. I’ve never used Graphite personally, but I’ve seen some open source maintainers use it to split up large PRs.

    • osanna@lemmy.vg · 1 up · 6 hours ago

      Ntfy.sh is the hosted version, hosted by the author. Ntfy (Android, iOS) is the app that you use as a client.

      • Lumisal@lemmy.world · 3 up · 6 hours ago

        I’ve never used ntfy.sh.

        I’ve only used the Ntfy app for UnifiedPush, which some apps need, and they recommend ntfy. Does this affect the app then? And if so, what alternative can I use for just that purpose?

        • osanna@lemmy.vg · 3 up · 6 hours ago

          Gotify is probably the next best thing, at least in terms of self-hosted options, though it doesn’t have the wide support of ntfy.

  • Phoenixz@lemmy.ca · 46 up, 1 down · 13 hours ago

    I’m a developer.

    I sometimes use AI for an answer to a complicated problem, because normally I’d open up 20 pages and have to go through them all to find the right answer.

    AI gets me the answer right away, though it is likely completely wrong or at least partially wrong. Either way, it gives me a general direction, and with that I only have to search through one or two pages to confirm, so the same process is just a little faster.

    I also have used AI on a couple of occasions to ask it to write code for a complicated problem. Again, you don’t copy the code, god no, it’s always the worst, and in 80% of the cases it is still at least riddled with bugs, or just complete bullshit. However, it might give me an alternative idea or a direction to take to implement or fix this complicated feature problem.

    That’s the extent to which I’ve used AI, and for the foreseeable future that won’t change, because AI still can’t code. It’s still wildly flailing around, and it might produce something that implements a certain functionality, but it’s a guarantee that that functionality will have more bugs and security holes than features.

    • DonutsRMeh@lemmy.world · 3 up, 1 down · 6 hours ago

      I understand this comment. AI sometimes saves a ton of mental power and time when I’m stuck on an issue. It can give some really good suggestions. Also, AI is a godsend for frontend shit. I don’t care what y’all say, I’m never touching CSS and HTML ever again. lmao.

    • s3rvant@lemmy.ml · 19 up, 1 down · 13 hours ago

      I am also a developer and agree entirely.

      Asking for advice, examples or the occasional boilerplate is at most how I use AI and certainly not integrated directly into my IDE.

  • Erik-Jan@fosstodon.org · 92 up · 17 hours ago

    @ueiqkkwhuwjw Just this quote at the start of the release notes:

    > 14,997 added lines of code, and 10,202 lines removed, all from one pull request

    This is already a major red flag even without the AI stuff, right? Can’t believe anyone would flaunt that like this.

  • newtothis3@lemmy.world · 1 up · 7 hours ago

    In reality, how big of a risk is it currently? I just started to use it, just for fun and personal projects. If the previous version didn’t have security vulnerabilities, then there is no rush to update, or am I missing something?

  • LiveLM@lemmy.zip · 33 up, 1 down · edited · 15 hours ago

    Look, if he wanted to introduce AI code, whatever, but doing it all at once in a 14k line change is crazy.

    Surely it would be better to introduce AI by letting it handle misc changes here and there instead of starting with the “biggest release ever done” (his words), no?

  • notabot@piefed.social · 50 up, 1 down · 16 hours ago

    I’m assuming this is some sort of canary message to indicate that the code base has been compromised, the author can’t talk about it, and everyone should immediately stop using the service. Surely no-one would be unwise enough to commit this otherwise?

    Even ignoring the huge red LLM flag, a 25kLOC delta in a single PR should be cause for instant rejection as there’s no way to fully understand or test it, let alone in 2-3 weeks.

    • ExFed@programming.dev · 15 up, 1 down · 14 hours ago

      > 25kLOC delta in a single PR should be cause for instant rejection

      Not to pick at nits, but it would be VERY different if it was 1k lines added and 24k lines removed. There’s something extremely satisfying about removing 10k+ lines of unnecessary code.

      • notabot@piefed.social · 7 up · 13 hours ago

        Sure, that would be a little different, but unless you could make a convincing argument, backed up with a solid set of unit tests, at the least, as to why and how you were able to remove that much code whilst only adding a comparatively small amount, I’d still be inclined to reject it and ask for it to be broken down into smaller units.

        Now, that explanation might be something along the lines of it being dead code that is not called from anywhere, or even that it was a patched version of an upstream library and the patch is now included in that upstream, in which case, fair enough, good work, and thanks very much. As a rewrite or refactor, though, it’s too big to sensibly review and needs breaking down into separate features.

        • ExFed@programming.dev · 2 up · 12 hours ago

          Absolutely, the author needs to be able to reason about their changes, no matter what. However, the reason I think the two situations are fundamentally different is that it’s a lot easier to validate the existence of features than it is the non-existence of bugs or malicious behavior. The biggest risk to removing code is breaking preexisting features, whereas the biggest risk to adding code is introducing malicious behavior.

  • d15d@feddit.org · 150 up · 20 hours ago

    They are not even trusting it themselves. This is from the release notes:

    > I’ll not instantly switch ntfy.sh over. Instead, I’m kindly asking the community to test the Postgres support and report back to me if things are working

    Fuck that.

      • Railcar8095@lemmy.world · 34 up · 19 hours ago

        Test in production is the best. We spent months warning about data bugs and nobody batted an eye (upstream bug, not our responsibility, but we noticed). When it was launched in prod we just pointed out that the bug nobody fixed was still there, and immediately a war room was formed and the bug fixed within an hour.

        It honestly seems more efficient to let shit hit the fan than to fight everybody to do their job.

        • x00z@lemmy.world · 33 up · 18 hours ago

          You’re implying a shitty capitalist company that nobody cares about if it burns down. A tool like this, though, that is self-hosted by a lot of people (29.1k stars on GH!) and that is internet-facing, is very different.

        • Mirror Giraffe@piefed.social · 5 up, 1 down · 18 hours ago

          For sure, the song of the hero who fixed the production bug is oft sung at meetings, but the loser who prevented the bug to begin with gets no credit.

  • Kushan@lemmy.world · 17 up · 15 hours ago

    Fuck, I love ntfy, it’s one of the best self hosted push notification systems I’ve used. It has been flawless so far.

    Don’t like this.

    • WhyJiffie@sh.itjust.works · 2 up · 8 hours ago

      Did not know that the serde developer tolnay is a military apologist. I’m disgusted. serde is a very good tool… I’ll think about what to do about this. Such a shame…

    • cecilkorik@piefed.ca · 15 up · 13 hours ago

      I think there’s room for a little bit of nuance that the page doesn’t do a great job of describing. In my opinion there’s a huge difference between volunteer maintainers using AI PR checks as a screening measure to ease their review burden and focusing their actual reviews on PRs that pass the AI checks, and AI-deranged lone developers flooding the code with “AI features” and slopping out 10kloc PRs for no obvious reason.

      Just because a project is using AI code reviews or has an AGENTS.md is not necessarily a red flag. A yellow flag, maybe, but the evidence that the Linux Kernel itself is on that list should serve as an example of why you can’t just kneejerk anti-AI here. If you know anything about Linus Torvalds you know he has zero tolerance for bad code, and the use of AI is not going to change that despite everyone’s fears. If it doesn’t work out, Linus will be the first one to throw it under the bus.

    • addie@feddit.uk · 2 up · 14 hours ago

      Awesome page, thanks. Have bookmarked.

      Harfbuzz though? That’s going to take some replacing. Hopefully someone will fork an earlier version. The thing that it does (accurate multi-script font shaping) is difficult to do; it requires a lot of rule-of-thumb knowledge that’s unlikely to be possessed by a single person, and needs a lot of collaboration.