Vibe Coding Isn't the Problem. Not Understanding the Stack Is.
Source: https://dev.to/kkierii/vibe-coding-isnt-the-problem-not-understanding-the-stack-is-4kif
Here is a config an AI coding tool handed me, barely changed:

DATABASE_URL = "postgresql://admin:[email protected]:5432/app"
API_KEY = "sk-live-4f9a..." # committed straight to the repo

It runs. That is the whole problem. It runs, the demo works, the reviewer nods, and that secret is now in your git history forever.
I am not a developer. Twenty years in systems engineering and I have never shipped a real application, never owned a production codebase. What I have built, the entire time, is the ground the application runs on -- the hosts, the network, the databases, the plumbing. So when AI coding tools showed up and I started building again, I had to work out why my experience felt nothing like the failures everyone posts about.
Andrej Karpathy coined "vibe coding" in early 2025 and meant it honestly: give in to the vibes, stop looking at the code, let it grow past the point where you understand it. The internet kept the "forget the code exists" part and quietly upgraded it to "forget the system exists." You can ignore the code. You cannot ignore the system, because the system is what is actually running.
Every example below is something an AI tool suggested to me in a real session, and that I overrode -- not because I out-code the model, but because I had stood on that layer before and it had not.
It proposed Windows as the OS for a security app. Fine technically, wrong on cost and footprint. The model has no concept of the bill, because the bill lives a layer below the code.
It reached for MySQL as the database. Also fine technically. But I am the one operating this thing long-term and at scale, and my experience is in Postgres, not MySQL. The model does not know who owns the system at 2am a year from now.
It wired up auth and stopped at "login works." Working is the easy 20%. The locked-down version meant single sign-on going through Microsoft Entra ID and fenced in with Conditional Access.
And networking. In the earlier days the confident move was always the same: open the port. ufw allow 22. Both versions connect. Only one of them is safe, and the difference is invisible from the application layer.
Which brings it back to the secrets. The fix is not complicated. It is just a layer the model does not reach for on its own: pulled from the environment at runtime, or out of a real secrets store. Passwords hashed, keys and tokens encrypted, none of it in source control.
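An added example (not from the original post) of both halves of that fix: a small scanner that flags the kind of config shown at the top of the post, and a loader that takes the secrets from the environment at runtime and refuses to start without them. The connection string and key values are constructed placeholders, not anyone's real credentials.

```python
import os
import re
from urllib.parse import urlsplit

# Patterns for the two leaks in the config above: a connection URL that
# carries a password, and an API key assigned as a string literal.
URL_WITH_PASSWORD = re.compile(r"\b[a-z]+://[^:/\s]+:[^@\s]+@")
LITERAL_API_KEY = re.compile(r"""API_KEY\s*=\s*["'][^"']+["']""")


def find_committed_secrets(source_text: str) -> list[str]:
    """Return 'line:reason' entries for lines that embed a secret in source."""
    findings = []
    for lineno, line in enumerate(source_text.splitlines(), start=1):
        if URL_WITH_PASSWORD.search(line):
            findings.append(f"{lineno}:password embedded in connection URL")
        elif LITERAL_API_KEY.search(line):
            findings.append(f"{lineno}:API key assigned as a string literal")
    return findings


def load_settings(env: dict) -> dict:
    """Hardened loader: secrets come from the environment at runtime.

    A missing variable is a hard failure rather than a silent default, and
    the database password is never copied into the returned settings."""
    missing = [k for k in ("DATABASE_URL", "API_KEY") if not env.get(k)]
    if missing:
        raise RuntimeError(f"missing required secrets: {', '.join(missing)}")
    url = urlsplit(env["DATABASE_URL"])
    return {
        "db_host": url.hostname,
        "db_port": url.port,
        "db_name": url.path.lstrip("/"),
        "db_user": url.username,
        "api_key_set": True,  # the key is used by the client, never stored or logged
    }


# Constructed sample mirroring the leaked config (placeholder values only).
LEAKED_CONFIG = '''DATABASE_URL = "postgresql://admin:hunter2@db.example.internal:5432/app"
API_KEY = "sk-live-PLACEHOLDER"  # committed straight to the repo
DEBUG = False
'''

if __name__ == "__main__":
    for hit in find_committed_secrets(LEAKED_CONFIG):
        print("secret in source:", hit)
    print(load_settings(dict(os.environ)))
```

Run the scanner as a pre-commit hook over config files; run the loader with DATABASE_URL and API_KEY exported from a secrets store rather than a checked-in file.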
You already know the stack is not two boxes. Frontend, backend, API, auth, database, cache, object storage, queues, reverse proxy, DNS, and a dozen more layers under that -- each failing in its own way and taking its neighbors down with it. The burned vibe coders get burned because they think the application code IS the system, when it is one floor of a building whose foundation they never poured and cannot see.
When I vibe code, the AI writes the application layer and I am still building everything underneath it -- and I know enough to push back. I do not open with "build me X" -- I spend half an hour talking through the problem first: the constraints, the tradeoffs, where the bodies are buried.
The dividing line is not talent, and it is not how much code you write. It is whether you understand the thing your code is standing on. Everything else is just vibes, and vibes do not hold weight.
(No comments on this post.)