After a long hiatus of security fixes only, the development of Etherpad has recently taken up speed again. But it seems to be nearly fully vibe coded with the help of Anthropic Claude and the amount of new features added makes it very unlikely that there is sufficient human code review.
I bring this up because as you probably know we host an instance of it over at https://pads.slrpnk.net/
Aside from the general issues with AI assisted code development and corporate capture through closed AI models like Claude, I consider it also a security risk as the NodeJS ecosystem (Etherpad is using that) is especially vulnerable to supply-chain attacks and AI hallucinations make this issue significantly worse.
So basically this means we will probably have to shut down this service soon (stopping to update it is not a good option due to the many security issues found in NodeJS packages all the time), and look for an alternative.
If you have any important collaborative documents on our Etherpad instance, it would be good to export them in the near future. Best would be probably to export it as Markdown, as most alternatives seem to use that syntax.
As for alternatives, suggestions are welcome, but I did look into other options before (Hedgedoc, Cryptpad etc.) and was not so convinced by them either.
Thanks for running etherpad for as long as you have - I really appreciate all the cool tools you’ve bundled together for us on this instance. Thanks also for ditching it when it turned slopware and became a security problem.
I’m a bit biased towards cryptpad but mostly because I’ve been using it as a google docs replacement and haven’t read up on any issues yet. I’ll ask around to see if there are any other good recs and let you know.
For those concerned by this turn of events, this is a list of other software that has met a similar fate.
This list seems to have a lot of false positives, or at least an unhelpfully broad definition of what is considered “slopware”.
For example curl (stylised as “cURL”) is listed on that page as being “slopware” because it has a “permissive AI policy” because the developer decided against instituting a “strict non-ai policy” that dictated what development tools submitters could use.
The developer of curl (Daniel Stenberg) is generally speaking one of the most anti-AI-OSS voices on Mastodon, and has banned AI-submitted code and bug reports to curl. He has given talks including keynotes at conferences about AI slop. News articles have been written about his stance against AI:
- cURL’s Daniel Stenberg: AI slop is DDoSing open source
- Overrun with AI slop, cURL scraps bug bounties to ensure “intact mental health”
If a project with a well-publicised anti-slop stance and an explicit no-AI policy is considered “slopware”, the list seems questionable.
I agree that some of these are not really a concern. I didn’t write the list.
It’s only “false positives” if you take the list as gospel truth. Since they cite their sources, people can and should judge for themselves whether the sources meet their personal standards.
Because of this, it’s far better that they cast their net wide and let people greenlight elements from the list if they want than that they try to impose their own personal definition of AI slop by excluding anything from the list that they personally think is okay.
But yeah, it would be nice if they included evidence of good behavior too, both for the alternatives they suggest (so they aren’t incentivizing devs to keep quiet) and for the problematic ones to clarify their stance.
Yeah quite sad to see.
But if there are only minor AI code contributions that can be still reviewed well it isn’t that big of a deal from a security perspective.
HedgeDoc seems like more of a replacement for Etherpad, with Cryptpad being “overkill” in terms of features, but I’d also be interested to know if there are other options available…
The problem with HedgeDoc seems mostly that the current 1.x version is basically abandoned, and the 2.x rewrite is stuck in development hell. Other than that, yes it would be a suitable replacement.
I’m not familiar with the development situation there, but that’s unfortunate. Maybe some of our talented solarpunks could lend their programming skills to making HedgeDoc 2.x a reality?
idk, i liked using cryptpad over etherpad on disroot but it was based on me hoping to convert some friends using google docs rather than actual serious use.
@poVoq
Use Cryptpad





