by Wowfunhappy 434 days ago
I'm a (relatively new) math teacher. I realized I don't like writing on the whiteboard, so I bought myself a cheap Wacom Tablet off eBay. But then I couldn't find any existing Wacom-compatible software that was designed for my use case—teaching in front of a live class of ten-year-olds—so last weekend I "vibe-coded" an app for myself. I just used the app for the first time while teaching today, and it was great.

This codebase is probably terrible, because it was mostly written by AI. I manually edited certain bits, but there are large sections of the codebase I literally haven't looked at.

Is this a problem? The app works well for me!

My point here is, I'd really hate to gatekeep software development to a small group of "licensed" engineers. In fact, I want the opposite: to empower more people to make software for themselves, so they can control their own computers instead of being at the whims of tech giants. (This is also why I dislike iOS so much.)

I do also take your point about safety, but I think we need to acknowledge that not all software is security critical and it doesn't need to be treated in the same way!

2 comments

> My point here is, I'd really hate to gatekeep software development to a small group of "licensed" engineers. If anything, I want the opposite--to empower more people to make software for themselves, so they can make their computers work for them. (This is why I dislike iOS so much.)

I 100% agree. I wouldn't want to gatekeep software development in general. I would only put the PE requirement on companies that are running a service connected to the internet that collects user data.

Want to make an application that never phones home at all? Go nuts. Want to run a service that never collects any sensitive data? Sure thing! Want to run a service that needs sensitive data to function? Names, addresses, credit card info? Yeah, you're going to need a PE to sign off on that.

Side note, I was a math teacher in a previous life. Congrats on the relatively new career, and thanks for your service.

> Want to make an application that never phones home at all? Go nuts. Want to run a service that never collects any sensitive data? Sure thing! Want to run a service that needs sensitive data to function? Names, addresses, credit card info? Yeah, you're going to need a PE to sign off of that.

Agreed, but I do think a tool like curl makes this a little complicated. To my knowledge, curl itself does not phone home or collect user data, but it's obviously security critical.

...or maybe it's not, now that I think about it. Curl is not end-user software. Maybe when other software uses curl, that software gets a PE sign off. But now this is starting to feel to me like another dumb compliance checkbox system. Is it?

Curl is end-user software when Debian packages it in their repository.

I think end-users should always be empowered to be cavalier with their own cybersecurity. Organizations managing the data of others, however, should be held to a higher standard. If this means that an organization is using curl, they should have a PE responsible for auditing curl for security flaws.

Good job.

What's the plan for when one of your vibecoded app's vulnerabilities is exploited and a stranger's penis appears in front of your class of ten-year-olds? Is "AI did it" going to save your job / keep you off the sex offender registry?

This app doesn't use the internet. I'm sure it could be used as part of some complex exploit chain, but now we're talking about a highly sophisticated attack.

Security decisions are made in the context of a threat model. Who is going to target their bespoke application with this attack and why?

For the same reason people deface vulnerable websites, hijack social media accounts, make prank calls... just for the lulz.