Copilot and similar AI coding assistants [Response Required]

Hi team,

(Please take time to read, review, and follow-up to this entire post. Feel free to schedule your own task for an upcoming sprint if you prefer. I expect it’ll take 5-15 min.)

Ticket to log time: MNG-4444.

Part 1: vote in this poll

I’d like to get a better understanding of how much our developers are using AI coding tools, whether they’re whole-repo IDE-integrated tools like GitHub Copilot and Cursor or chatbots like ChatGPT, Claude, and v0. I’d like everyone who’s currently a developer on our team to please vote in this poll. (Select all that apply. Only the total votes will be shown, not who voted for each.)

  • I use GitHub Copilot (or similar tool in my IDE) most of the time :mechanical_arm:
  • I use GitHub Copilot (or similar tool in my IDE) occasionally / on specific repos only :technologist::mechanical_arm:
  • I heavily use ChatGPT for development (or some other AI that’s not IDE-integrated) :mechanical_arm:
  • I occasionally use ChatGPT for development (or some other AI that’s not IDE-integrated) :technologist::mechanical_arm:
  • I rarely or never use AI assistants when I’m writing code :technologist:
  • AI tools/assistants make me much more productive as a developer :rocket:
  • AI tools/assistants don’t seem to be very helpful for my work :person_shrugging:

(Note: this poll is public but meant for our team only. Please don’t vote in this poll if you are not currently part of the OpenCraft team.)

Part 2: security awareness - Copilot and similar tools

Please read this carefully. Although we continue to migrate secret management to Vault etc., we do often work on repositories that contain secrets in plain text files (.env, config.yml, .kubeconfig, secrets.auto.tfvars.json, SSH keys, etc.). It is essential that you never use IDE-integrated coding assistants (Copilot, Cursor, etc.) on any repos that contain secrets like this.

Why? First, these tools necessarily send snippets of your code as a prompt to the model in order to generate completions - so the snippet that gets sent to the model to generate a potential code completion can easily include secrets. Worse, depending on your subscription level and privacy/telemetry settings, their AI model may get trained on your code, including secrets. (e.g. if you have an “Individual” GitHub Copilot subscription, your data is used for training by default!). This can allow anyone to get those secrets later, once the updated model is available to the public.

Note that using something like copilot on an open source repo like edx-platform or an MFE is totally fine, as these repos do not contain private secrets (local tutor devstack credentials are not a concern). Also, copy-pasting chunks of open source code into ChatGPT to ask it to refactor it or write tests or anything else is also not a concern, as long as you are careful about what you are pasting and make sure it never includes secrets or closed-source code.

If you have ever used one of these IDE tools on a repo containing secrets, please reach out privately to me and @gabor.

Part 3: confirm

  • I have voted in the poll, read the post carefully, and followed up as necessary

Ticket to log time: MNG-4444.

4 Likes
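A pre-flight check for the rule in Part 2, added here as an example; it is not part of the original post and not an OpenCraft tool. Before enabling an IDE assistant on a workspace, walk the tree and report anything that looks like a plaintext secret, by file name (the names the post lists, plus common SSH/TLS key names) or by content (private-key headers, documented public token prefixes such as AWS `AKIA...` and GitHub `ghp_...`, and `PASSWORD=...` style assignments). The name list, the skip list and the regexes are assumptions for the example and will need tuning per repo; `config.yml` in particular is flagged by name only because the post names it.

```python
"""
Pre-flight check before enabling an IDE coding assistant on a workspace:
report files that look like they hold plaintext secrets, by name or content.
Added example, not the project's own tooling.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from pathlib import Path

# File names the post lists as typical plaintext secret stores, plus common
# SSH key names. Assumed list for the example; extend it for your own repos.
NAMES = {".env", ".kubeconfig", "kubeconfig", "secrets.auto.tfvars.json",
         "config.yml", "id_rsa", "id_ed25519", "id_ecdsa"}
SUFFIXES = {".pem", ".key", ".p12", ".pfx"}

# Content patterns. The AWS and GitHub prefixes are their documented public
# formats; the last pattern is a deliberately broad KEY=value catch-all.
PATTERNS = [
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("credential assignment",
     re.compile(r"(?im)^\s*[A-Z0-9_.-]*(password|passwd|secret|token|api[_-]?key)"
                r"[A-Z0-9_.-]*\s*[:=]\s*['\"]?[^\s'\"]{8,}")),
]
SKIP_DIRS = {".git", "node_modules", ".venv", "venv", "__pycache__"}
MAX_BYTES = 1_000_000  # skip huge files; config and key files are small


@dataclass(frozen=True)
class Finding:
    path: str    # relative to the scanned root
    reason: str


def looks_binary(data: bytes) -> bool:
    """Crude binary sniff: a NUL byte in the first 8 KiB."""
    return b"\x00" in data[:8192]


def scan_file(path: Path, root: Path) -> list[Finding]:
    """Flag a single file by name and, if it is readable text, by content."""
    rel = os.path.relpath(path, root)
    name = path.name
    out: list[Finding] = []
    if name in NAMES or name.startswith(".env.") or path.suffix in SUFFIXES:
        out.append(Finding(rel, f"secret-bearing file name ({name})"))
    try:
        if path.stat().st_size > MAX_BYTES:
            return out
        data = path.read_bytes()
    except OSError:
        return out
    if looks_binary(data):
        return out
    text = data.decode("utf-8", errors="replace")
    for label, rx in PATTERNS:
        if rx.search(text):
            out.append(Finding(rel, f"content matches {label}"))
    return out


def scan_workspace(root: str | os.PathLike) -> list[Finding]:
    """Walk the tree (skipping VCS and dependency dirs) and collect findings."""
    root = Path(root)
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            findings.extend(scan_file(Path(dirpath) / fn, root))
    return sorted(findings, key=lambda f: (f.path, f.reason))


def safe_to_enable_assistant(root: str | os.PathLike) -> bool:
    """True only if nothing in the tree looks like a plaintext secret."""
    return not scan_workspace(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in scan_workspace(target):
        print(f"{f.path}: {f.reason}")
```

Run it from the workspace root (`python check_secrets.py .`) before turning the assistant on for that workspace. An empty report is a necessary check, not a guarantee: it only catches the names and formats listed above, so a secret in an unusual file name or format still needs a human to notice it.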

Although that wasn’t explicitly mentioned, the reasoning is that we would like to rotate any secrets that may be related to that repository. If you feel uncomfortable about sharing this with your name included, use this Google Form. The email addresses are not collected, just the responses.

2 Likes

I’m testing Copilot on VSCode, but I have it globally disabled. I just enable it on specific workspaces. Do you think it might have tainted other repos?

That sounds fine to me @paulo. That is what I’m recommending for anyone who’s trying it out - just enable it on specific repos/workspaces, but make sure those are workspaces that don’t contain any secrets or other confidential info/code.

I had it in my IDE (IntelliJ) but wasn’t impressed, neither with it nor with JetBrains’ native option. This was a while ago, though.

I wasn’t especially impressed with the code it produced. I also felt like waiting for it to generate suggestions was breaking flow for me. For stuff it could theoretically generate quickly (like unit tests) I found that the ergonomics weren’t great in practice, and that the code had subtle bugs that required just as much time to find and fix as it would have taken to write the code on my own. Sometimes writing comments was a little faster but it often said things that were plausible but nonsense when you thought about it.

I might try it again, but I came away pretty underwhelmed. I mostly use it to generate code examples or explanations of things I’m completely unfamiliar with. Even these often end up subtly wrong in ways it takes me a while to find. But sometimes they’re perfect for the small scope I need.

2 Likes

Yes, this is a well-known side effect of using AI coding assistants. It’s called the “copilot pause”. First, we trained these models, but now the models are training you :p

And FWIW, research findings are mixed. e.g. “Many developers say AI coding assistants make them more productive, but a recent study set forth to measure their output and found no significant gains. Use of GitHub Copilot also introduced 41% more bugs, according to the study.”

We leave it up to each developer to choose the tools that work best, so I’m not trying to influence anyone one way or the other. I just want to make sure everyone is aware of some of the security risks associated with these tools, and can mitigate that risk appropriately.

4 Likes

There are only a few use-cases where I’ve found it genuinely helpful and that’s basically where it saves some time.

  1. Generating a commit message. I often have to rewrite it entirely, but an auto-description of all I’ve done is helpful.
  2. Generating test cases. Once again, I think the few times I tried this it generated non-functional test cases, but the boilerplate examples it made were decent enough as a starting point and probably saved me an hour or so, so not that bad.
  3. Generating boilerplate code for a new CLI. I had it generate the boilerplate code for a new CLI tool that I was writing for myself and again it helped get over the initial inertia of getting it started.

I could do without these, but I had a free trial of the JetBrains AI so figured I’d give it a shot. I am not sure I’d pay what it costs for something like this though.

3 Likes

If we train Copilot on buggy code it will end up generating buggy code :stuck_out_tongue:

Having said that, I did try Copilot sometimes to get the context of a certain PR and at times to generate tests, but I am not totally convinced to use it all the time. I feel it breaks my flow. I tried most of this on personal projects.

Buggy code is the only kind of code that exists, so that is the only kind of code you can train it on.

Someone, I can’t remember who, put it best about these tools. They can replace a missing step on a ladder, but not the whole ladder.

If you are already well versed with the technology and code, it can help bridge smaller gaps in knowledge, but if you don’t even know the basics, don’t trust or use what it generates.

1 Like