Just because it's everywhere, generative LLMs are not the solution for security software #12636
Closed
alsternerd started this conversation in Ideas
Replies: 1 comment
Duplicate of #12635.
Please always at least triple-check the code, if you're not going to stop it coming in.
This software is security relevant, and LLM-generated code can open up attack vectors you may not even see while checking.
Do you really check if the code is valid when vibe coding, or just go for it?
Using LLMs for attacks against KeePassXC's code, on the other hand, is a good thing, because it may find stuff you won't. But using it to generate code that secures stuff has to be checked more than human-written code, because the paths for attacks can be very obfuscated by LLMs. Especially if you've not been the one that trained it, or even use one that trains on other people's data without consent.
This move of approving LLM-generated code is already poking holes into KeePassXC's reputation.
Something to consider could also be how many lines are even O.K. to generate and still be checkable by humans.
There's definitely a threshold where it becomes difficult to keep up with checking the code.
Yes, you may check it like all other stuff, but since LLMs can only recreate, why use them at all?
Yes, I have worked with these for 10-line scripts. But I have my doubts with 1000-line edits, even if checked.
I just want to have the discussion before having LLM-generated code added, not after.
Context
Generative AI
Generative AI is fast becoming a first-party feature in most development environments, including GitHub itself. If the majority of a code submission is made using Generative AI (e.g., agent-based or vibe coding) then we will document that in the pull request. All code submissions go through a rigorous review process regardless of the development workflow or submitter.