The #KeepassXC discussion about GenAI coding tool use seems a bit too simplistic at the moment.
There is room for nuance:
1. Yes, LLM-based code generators consume insane amounts of electricity and generate collateral environmental damage. That's bad, and we should talk much more about energy efficiency and reasonable use of resources.
2. Yes, LLMs generate a lot of bad output that should never ever be used without cross-checking for any purpose that needs to work on facts instead of convincing fiction.
3. No, using LLMs for coding work does not automatically mean all the resulting code (at the end of a multi-stage process) is bad or insecure. If the generated code is manually verified by human experts, that is not much different from code contributed by junior developers in such a domain. They also make mistakes and might not have the right mental model when writing code. That's why production code - especially with security impact - *strictly requires* code review by senior developers. I still trust Team KeePassXC (npub16s6…2ny3) developers to do that based on their track record.
4. I have used LLMs for quicker coding myself, but so far only as autocomplete++ when I know the program structure I want to achieve and get some help for language syntax and standard libraries that I am not completely familiar with (hello to Rust...). However, I always review every single line of autocompleted code, and often correct/change it.
5. With some of the recent research and industry practice I have seen, specific aspects of programming might actually be candidates for benefitting from LLMs as a tool because those tasks fall into the one niche problem category for which I believe these tools help *and* where they can be used with limited risk: a) the problem domain actually being textual languages; b) with a huge potential solution space; c) coupled with the possibility for automated verification of the solution quality. LLMs can be used to generate solution *candidates* (potential source code) which are then rigorously checked (automatically through strongly-typed compilers, fuzzing, extensive unit and integration tests, etc., and manually through code reviews).
6. It seems to be becoming realistic to use much smaller, locally hosted LLMs instead of huge, cloud-hosted ones. Yes, the quality difference is significant at the moment. No, that does not have to stay that way.
While I personally remain quite skeptical about the benefit/risk balance of LLMs for many of the use cases they are currently applied to, I am going to watch this particular one very closely in the near future.