Thursday, July 03, 2025

VS Code Commit Message Generation Prompt

In a conversation with Jigar Gosar today we were talking about how VS Code does a decent job of generating git commit messages in the Source Control Sidebar and how he was trying to come up with his own prompt to do it directly from the Copilot chat window.

Since VSCode is open-source and GenAI is great for understanding open-source code, I immediately thought of looking for the prompt used by it. I first went to the VS Code repo and asked Copilot to find the relevant code. Copilot said it couldn't find anything related to AI-generated commit messages and instead asked me to look at integrations with GitHub Copilot. Since the VS Code Copilot Chat was also open-sourced a few days ago, I went to it's repo and again asked Copilot to search and it quickly pointed me to the right place to look for it. 

So here is a snippet of the prompt used to generating the commit message in VS Code: 

You are an AI programming assistant, helping a software developer to come with the best git commit message for their code changes.
You excel in interpreting the purpose behind code changes to craft succinct, clear commit messages that adhere to the repository's guidelines


# First, think step-by-step:
1. Analyze the CODE CHANGES thoroughly to understand what's been modified.
2. Use the ORIGINAL CODE to understand the context of the CODE CHANGES. Use the line numbers to map the CODE CHANGES to the ORIGINAL CODE.
3. Identify the purpose of the changes to answer the *why* for the commit messages, also considering the optionally provided RECENT USER COMMITS.
4. Review the provided RECENT REPOSITORY COMMITS to identify established commit message conventions. Focus on the format and style, ignoring commit-specific details like refs, tags, and authors.
5. Generate a thoughtful and succinct commit message for the given CODE CHANGES. It MUST follow the the established writing conventions.
6. Remove any meta information like issue references, tags, or author names from the commit message. The developer will add them.
7. Now only show your message, wrapped with a single markdown ```text codeblock! Do not provide any explanations or details

Further:

Now generate a commit messages that describe the CODE CHANGES.
DO NOT COPY commits from RECENT COMMITS, but it as reference for the commit style.
ONLY return a single markdown code block, NO OTHER PROSE!


You can find this in the following file:

src/extension/prompts/node/git/gitCommitMessagePrompt.tsx


A quick scan of the code also shows that you can provide your own custom instructions for generating the commit message.


GenAI can make a big difference in understanding and working with legacy code and contributing to open-source.

Monday, June 23, 2025

The GenAI Software Development Spectrum

In my usage and conversations with other "builders", here is the spectrum of GenAI usage I've come across.  

L1. Ask/Consult - AI as a Knowledge Resource


Use AI as a replacement for reading manuals or documentation, and using Google or Stack Overflow
  • Manual/Documentation Lookup
  • Explain/Understand Code
  • Ask about Best Practices and Options

L2. Augment - AI as a Pair Programmer


Work together with the AI in small iterative increments where you bounce off ideas and take turns where you do some of the work and the AI does some of the work.
  • Auto Complete
  • Debugging
  • Refactoring
  • Code Quality Review
  • Optimisation and Performance Review
  • Security Review

L3. Delegate - AI as a Junior Programmer

After some planning and discussion with the AI, give it tasks and have it write the code that you review before accepting the pull request. 
  • Specs, Requirements, Plan with Tasks
  • Assign Tasks to AI to writes code
  • Review pull request for the code written by AI

L4. Outsource - AI as an Outsourced Freelancer or Agency

You only care about the outward functionality of the software and you outsource the engineering/development to the AI.
  • Come up with the Spec and Requirements
  • Tell the AI to come with a plan and tasks
  • Ask the AI to "build" the software.
  • Test the functionality of the software as a user

Questions for the Reader

  1. How do you use GenAI?
  2. Do you have a different model for thinking about this?
  3. Have you come across other ways of GenAI usage in software development?

Saturday, June 21, 2025

GenAI is great for Understanding Legacy Code and Open Source Contribution

While GenAI can be a high speed legacy code water hose, that can be used to create tons of legacy code instantly, it's also a great tool for understanding legacy codebases and orienting yourself.  It can also be used to build ephemeral test scaffolding to get a safety net before making changes to the legacy code. 

This, IMO, is not just great for managing legacy code, it's also great for open source software. You can use GenAI to quickly understand the codebase "just enough" to make the contributions you want to make.

Friday, June 20, 2025

The GenAI Product Management Traps

Feature Factory / Kitchen Sink

GenAI greatly reduces the barrier to directly and quickly build features which makes it very easy to act as a feature factory and build a kitchen sink of a product. One that is not true to a design or have an opinionated view.

  • When implementation is cheap, it's easy to end up in a mess.
  • When you try to make everyone happy, you end up not making anyone happy.


Big Design Upfront / Waterfall Software Development

In an attempt to prevent GenAI from making mistakes there is a focus on front loading effort in the specs and requirements. 

  • We need to iterate and have to discover what we are building
  • Action precedes clarity
  • Account for emergence

All these issues boil down to the question of Are We Building the Right Product?


Wednesday, June 18, 2025

GenAI Multi-Pass

Given the non-deterministic nature of GenAI and a near future where software development might not involve opening an IDE to write software, one way to catch issues might be to take a multi-pass approach where each pass is specialised for a specific purpose, so as to not overload the LLM with too many things to take care of at one time. Some of these multi-passes could be:

  • Coding Pass
  • Code Quality Pass
  • Security Pass
  • Performance Pass
Each of these passes could result in improvements tasks and this could be an iterative process till a certain threshold is met.


Tuesday, June 17, 2025

The Excitement and Frustration of using GenAI for Software Developement

Exciting

  • The possibilities that GenAI enables makes software development truly exciting again.

Addictive

  • It's so easy to convert ideas to working software, it can be very addictive and you can quickly loose any sense of time. 
  • It keeps you from wasting time, being unproductive or procrastinating

Frustrating

  • The non-deterministic nature of GenAI can make it very frustrating.

Time Sink

  • It's very easy to get sucked into long conversations, and issues specific to GenAI, than spending time actually building.

Sunday, June 15, 2025

My Criteria for when to use Vibe Coding

 Here is my personal criteria for when it's appropriate to Vibe Code

  1. Internal Use / Personal Software
  2. One-off throwaway tools/scripts/code
  3. Experiments
  4. Prototypes

Sunday, December 13, 2020

The Hyderabadi Biryani Problem

 Everyone says Hyderabadi Biryani is amazing but if you say you didn't like the Hyderabadi Biryani you tried, they will ask you which restaurant you tried it at and then the inevitable answer will be "Oh, that one isn't good, you should try it at XYZ Biryani House" and so on till infinity. There is ALWAYS a restaurant where the biryani is better than the one you didn't like.


Saturday, October 03, 2020

Stumbled upon another security hole at a well know Indian company's website that is leaking their customer's sensitive personal information

 I've stumbled upon another security hole at a well know Indian company's website that is leaking their customer's sensitive information.

Just like the Myntra security hole that I found a long time ago (which resulted in them setting up their Responsible Disclosure Policy), this hole too is just something I stumbled upon while using their website regularly. I didn't have to do anything special that a regular user wouldn't do and there is no "hack" involved. It simply seems to be a case of bad implementation or a bug that anyone with a decent technical background can easily recognize and take advantage of.

My Myntra report was in Dec 2013 and in the 7 years since, nothing much has changed with Indian companies taking security seriously or even setting up a basic responsible disclosure policy 😔.

For now I've sent an email to security@ their website address which thankfully didn't bounce and I've also messaged them on a few of their social accounts. Will wait for them to respond and give them time to fix it before publishing more details.

Update (Oct 5, 2020): emails to security@ their website bounced after 24 hrs 😔

Pic source: https://www.needpix.com/photo/download/929205/key-hole-eye-by-looking-spy-spying-on-watch-burglary-burglar-privacy-policy


Tuesday, September 24, 2019

Skinners are my new favorite minimalist footwear


8 years (March 2011) and 5 pairs (2 Classics, 1 Sprint, 1 KSO and 1 KSO EVO) of Vibram Five Fingers (VFF), 5 years (August 2014) and 4 pairs (1 Sensori Venture, 1 Amuri Venture, 1 Amuri Cloud, 1 Amuri Z-Trek) of Xero Shoes, and 2 years and 2 pairs for Skinners later, Skinners are my new favorite minimalist footwear. Here's why.


Skinners on a trek passing through streams, slippery and sharp rocks, pebbles, gravel and the works.


Even though I got my first pair of Skinners back in July 2017 (I was one of the original backers of their Kickstarter back in June 2017) I didn't use them much primarily because, as a long time VFF user, my toes felt very constrained in them (like in a regular shoe). I ended up using it as a backup shoe (in case the VFFs and Xeros give up on me, which they have) for my travels because it's super compact and easy to pack. So they were stored away ready to be used in case of emergencies, which basically meant I didn't use them much.

A couple of months ago, when the nylon lace on my Xero Venture tore during a trek, I had to use my Skinners and really loved it. The trek was during the rains, with slippery and sharp rocks, pebbles, gravel and the works, and I really loved how Skinners felt. Having tried that same trek earlier, completely barefoot (only for a short distance and ended up with bruises on my feet), I really appreciated the minimal yet right amount of protection the Skinners provided. I was hooked.

I needed the same feel as Skinners and started looking around again to see if I could find alternatives that wouldn't constrain my toes and stumbled upon suggestions to try Skinners one-size bigger than your normal shoe size (especially if you have wide feet, which mine are and have become even more wider after I gave up on regular footwear). So I decided to give it a shot and ordered another pair of Skinners, this time, one-size bigger than my normal shoe size.

Having used them through most of the monsoon season here in Mumbai and for a variety of purposes including trekking, I can now say Skinner are my new favorite minimalist footwear.

While the reasons why you would like one over the other will be different for everyone, here are my reasons for why I prefer them over VFFs and Xeros:

  • Skinners have the most minimalist sole of the lot offering more connection and feedback from the ground.
  • I prefer minimalist footwear that cover my feet because it keeps my feet clean which is important to me because otherwise they get dry and crack when exposed to dust and the elements. Both VFFs and Skinners satisfy this criteria. When it comes to small puddles, I think Skinners do a better job as the water-resistant sole wraps around till the top and offers more protection (I used to get water seeping in on the VFFs where the sole meets the upper).

The wrap around water-resistant sole is perfect for small puddles.

  • Wraparound footwear also feels more minimal to me in the sense that I can use my feet naturally without having multiple elements of  the footwear get in the way like they do with the Xeros (had a few close calls while driving because the soles would get in the way and get stuck sometimes on pedal or mat).
  • Except for my first few pair of Vibram Five Fingers (Classic, Sprint and the orignal KSO) each of which lasted me over 4 years, my experience with the newer VFFs (especially the KSO EVO) hasn't been very good when it comes to durability. I've had a similar experience with Xeros. Since Skinners don't have glues or seams it looks like they'll last longer as there are no parts that can fall apart. The sole can still get worn out and the upper can possibly tear but I'll have to see how they hold up.

The hole that the lace goes through, torn on my first Xero.


  • Skinner are super compact and easy to carry along while traveling as a second shoe for emergencies, multi-sport (to slip into after bouldering or skateboarding) or the gym.
  • Skinners are the easiest to get into and out of.

A note about repairability: This is important to me because I would rather pay a premium for a pair that lasts me a long time than pay less and have to change my shoes very often resulting in more waste at the landfill. The one thing the Xeros have going for them is that you can easily repair them at least when it comes to the laces. With the VFFs I couldn't find anyone in Mumbai to glue the soles properly when they come off and have lost 3 of them to bad repair work (glue that made them very stiff and painful to wear). Hopefully the glue-less and seamless design of Skinners means they might last longer.

Replacing the torn lace with a paracord I picked up from Amazon.
Good as new!

I recently also got the Vivobarefoot Primus Lite II BIO to try out (so your can look forward to a review of those) but I don't see myself wearing them for a while till I wear out the Skinners.

A word of caution: I wouldn't recommend Skinners as your daily-everything shoe if you're just starting out transitioning to minimalist shoes and would suggest easing into them slowly.

Friday, November 25, 2016

Native apps can't be trusted

The one thing the web has gotten right to some extent (thanks to the beauty of REST/HTTP) at least compared to desktop and native apps, is how it can uniformly show users if they are using a secure connection to a trusted source. The browser does this by clearly and consistently giving various hints (see Fig 1 and Fig 2 below):

Fig 1. Firefox indicating that you are securely connected to GitHub.

Fig 2. Chrome indicating that you are securely connected to GitHub.

There is no reliable, trustworthy and consistent way for non-technical users to do this on desktop and native apps.

This is how you add funds to your Paytm wallet from within the Uber app (see Fig 3 below):

Fig 3. Page to add funds to your Paytm wallet from within the Uber app.


Notice the following in Fig 3:
  1. Since I opened this from within the Uber app and this "page" is running "inside" the Uber app, I have no way to verify if what I'm seeing is in fact a page severed by Paytm or a spoofed page that Uber is presenting to me.
  2. Even if I were to trust Uber here, there is no way for me to tell if this is happening over a secure connection.
  3. Say I'm willing to accept that this is in fact a page served securely by Paytm, I have no way to know if Uber has injected their own code to intercept everything I enter on that page.
  4. And now the really ridiculous bits (circled in red in Fig 3 above): The text that reads "Your payment details are secured via 128 Bit encryption by Verisign" and the various logos that are displayed at the bottom of the page are something I have to take at face value. These are also app-specific and not consistent.
Also, note that I (as a non-technical end-user) have no way of knowing if all communication the Uber app is doing with it's servers is over a secure channel. I just have to "trust" that they are doing the right thing. Of course, as a technical user I could intercept the traffic on my phone and see how it's been sent, but that is exactly the point: You have to jump through a lot of hoops to "verify" what is happening.   

The current state of affairs for security on native apps is absolutely ridiculous and it's crazy that we all put up with it.

Full Disclosure: I work at Zeta (at the time of writing this blog post), but the views expressed here are my own and not of my employer.

What native apps get wrong over web apps

  1. They need to be installed. This in itself is a big drawback.
  2. They need to be separately developed for each target platform. Unlike the desktop app days where Windows was almost ubiquitous, with mobile you have to support 2 platforms.
  3. They can get outdated if users don't upgrade. We are doomed to repeat the same mistakes we made with desktop apps.
  4. Deployment is blocked on a black box not in your control (aka the app store approval process). Kiss continuous deployment goodbye.
  5. They have no trustworthy way to indicate to users that secure channels are being used to communicate secure information (unlike the address bar in web apps that clearly shows if the connection is secure and to the right place). If you think about it, there is a beauty to REST/HTTP that makes this possible.
  6. Each app needs to reinvent the wheel and ship infra that could have been shared, e.g., local data store, caching, etc.

Saturday, December 07, 2013

Security breach at Myntra.com exposes customer's personal information, order history and more

Update (added on 3 Dec 2013): Based on my feedback Myntra.com has now setup [email protected] for reporting security issues and a Responsible Disclosure Policy page. Kudos to them for taking the first step towards a better responsible disclosure process and setting an example for other Indian companies.

Last week a bug on Myntra.com let anyone with an account take over random customer accounts and highlighted the lack of responsible disclosure processes among Indian companies.

On 28th November (2013), Myntra.com held a 3-hour (8-11pm) invite only Winter Sale event where a few select customers got an additional 31% off on all orders above a certain amount.

I was one of those customers and decide to login to my Myntra account to see the coupon, except I had forgotten my Myntra account password. So I went ahead and put in my email address and clicked on the forgot password link. As expected I got an email with instructions, to click on a link to set a new password. What happened next was very scary.




I clicked on the link and landed on the page on Myntra.com to set a new password but instead of my email address I saw someone else's email address pre-filled in the form. Curious to see what would happen, I went ahead and put in a new password and lo and behold, Myntra.com had let me take over another customer's account. 




To see if this was repeatable, I went through the forgot password flow again and just like before it had another random customer's email address pre-filled in the form and let me take over that customer's account.




HOLY SHIT. Myntra.com just let me take over two customer accounts. No fancy hacks, just a scary little bug that presented other Myntra customer accounts to me on a platter.

So the first thing I did was see if I could find anything on Myntra.com about responsible disclosure or a security contact but found nothing. So I sent an email to [email protected] and it promptly bounced with the message "The email account that you tried to reach is over quota".

Next I got in touch with them on Twitter and 13 hours later someone got in touch with me, 16 hours later I was speaking to a Tech Lead from Myntra.com and 9 days later I have confirmation from them that they have fixed the bug and put measures into place to ensure this doesn't happen again.

Note (added on 8 Dec 2013): The bug was fixed on the same day I reported it and the 9 days mentioned above includes time they took to monitor the fix and the Tech Lead at Myntra.com and me having issues around coordinating the final confirmation phone call.

I don't know how long this bug was live and how many customers accounts were affected but if your account was one of the affected ones, it means someone had COMPLETE access to your account, your personal details like your address and phone number, your order history, your myntra credit points, your saved payment details, your wishlist and your shopping cart.

Apart from the privacy concerns, the biggest threat that you need to protect yourself from, with a security breach like this is that it opens you up to Social Engineering Attacks where anyone with this privileged information can pretend to be from Myntra.com and use it for malicious purposes.

While a lot of people reading this will focus on Myntra, I think it's important to focus on what this incident can teach us about the lack of Responsible Disclosure processes among Indian companies.

If you run an online service (and especially an ecommerce one) you MUST have a responsible disclosure process in place. The Open Web Application Security Project (OWASP) has a good primer on managing your security issue disclosure process. At a very basic level you should atleast have a security@ email address configured. Having a dedicated page for responsible disclosure on your website is an added bonus.

Here are some examples of good responsible disclosure pages to get you started:



Lastly, I think it's important for companies to be transparent and honest about security/data breaches. Hiding details about breaches from your customers makes them vulnerable to all kinds of attacks. Security/Data breaches happen all the time. The only way customers can protect themselves is by being informed.

Sunday, June 09, 2013

Really Simple Social Blogging

A proposal to implement a decentralized Tumblr/Facebook/Twitter like social blogging platform using simple things like WebMention and Microformats. This is based on some experiments I'm doing with Converspace on sandeep.io and was inspired by The First Federated #Indieweb Comment Thread.

Based on usage, it looks like I primarily do 4 things on sandeep.io:
  1. Post original content. This could be text (both short and long form), links, photos, videos, quotes, etc. (http://www.sandeep.io/19)
  2. Repost content from others I find interesting. (http://www.sandeep.io/36)
  3. Comment on content from others. (http://www.sandeep.io/32)
  4. Like content from others. (http://www.sandeep.io/33)

Turns out this is also broadly what you do on Tumblr, Twitter and Facebook:
  • Tumblr: blog, reblog, comment and like.
  • Twitter: tweet, retweet, reply and favorite.
  • Facebook: update status, share, comment and like.

So I set out to see how this could be done in a decentralized way across the #indieweb. A couple of experiments later, I think I have a simple solution for achieving this, using nothing more than simple things like WebMention and Microformats.

The "social" part of this is letting others know that you have done one of those 4 things listed above and especially the person whose content you've reposted, liked or commented on.

This is where WebMention comes. It's a simple way to let any URL on the web know that  you've linked to it on your site. The problem however is communicating the context in which the URL was mentioned:
  • Was it just mentioned in passing along with other content?
  • Was it's content reposted?
  • Was it liked?
  • Was it linked to by someone commenting on it?

Taking a cue from the the experimental u-in-reply-to microformat, I'm using the following experimental classnames for links within h-entry:

A target URL that receives a WebMention can retrieve the source URLs HTML content and look for the above Microformat classnames to figure out the context in which it was mentioned along with an h-card/p-author entry to figure out the person involved.

The target can then show:
  • Total number of likes along with the details of the people that liked it.
  • Total number of reposts along with the details of the people that reposted it.
  • Total number of mentions along with the URLs of the sites that mentioned it.
  • Comments along with the details of the people that commented on it.
See this in action here: Indieweb Federated "Likes".

An important part that is missing from the above is letting other people easily follow you and get updates when you post something on your site. A microformats based feed reader should solve that. Following someone also gives you the opportunity to send a WebMention to the profile URL of the person you followed which in turn allows that person to show a Follower count (using u-follow maybe) along with the details of the followers. I've yet to explore this but will be posting more details when I get to it and dogfood it.


Wishlist: A microformats search engine that crawls the web looking for microformats, especially h-card so I can search for people just like I can on silo social networks.

Here are some additional experimental classnames I'm considering but not yet using:
  • u-quote to be used when you quote text from a URL verbatim.
  • u-follow to be used when you follow/subscribe to a URL (usually a person)


Todo

  • A way to undo WebMentions (e.g., unlike) by deleting the source URL and sending a WebMention for which the target would receive a 404 in turn deleting the original WebMention. 
  • I'm also hoping to extend WebMention to allow for private access to URLs to only the people that were sent a WebMention.

Updates

08 June, 2013
  • Added h-card search wishlist.
09 June, 2013
  • Added attribution to the @eschnou's indieweb comment thread that was the first instance I know of that combined something like WebMention (Pingback) and Microformats to figure out context. It went beyond the simple rel="in-reply-to" suggestion made in WebMention and read h-cards.
  • Added note about sending WebMentions to user profile URLs. (rememberd to add this thanks to this tweet by @benwerd)
  • Added note about private access. (rememberd to add this thanks to this tweet by @benwerd)
  • Added list of other experimental classnames I'm considering.
10 June 2013
  • Created the Todo section and added note about undoing WebMentions.

See Also

Friday, June 07, 2013

Extracting machine tags (aka triple tags) from a string

Here's some working code to extract machine tags (aka triple tags) from a string. Possibly one of the ugliest regular expressions I've ever written.

References

Thursday, June 06, 2013

Does polling scale better than push?

For the sake of simplicity, given 10000 subscribers, 1 publisher and assuming resource required for serving 1 pull request is roughly equal to resource required for sending 1 push:
  • A hub that is pulled from every minute has to serve number of subscribers x 1440 requests per day, i.e., 10000 subscribers x 1440 requests per day irrespective of the number of updates.
  • A hub that pushes has to send (number of subscribers x number of updates) per publisher pushes per day   i.e., 10000 subscribers x number of updates x 1 publisher pushes per day, i.e., 10000 subscribers x number of updates pushes per day.
  • So that's 10000 x 1440 for pull and 10000 x number of updates for push.
  • Therefore, if number of updates per day is greater than 1440, a hub that pushes will require more resources than ones that is pulled from. 
  • More importantly, a hub that is pulled from will not require additional resources if the number of updates per day increases.

Would love to hear what you think (in the comments) especially if you think this might not be the case.

Notes

  • This assumes that >= 1 min latency is ok for your specific use-case.
  • Resource required for serving 1 pull request might not be equal to resource required for sending 1 push. Here are my notes for why, I would love to hear yours:
    • Given constant number of subscribers and publishers, a pull based system will experience a uniform load throughout while a push based system will experience load in bursts.
    • Push potentially uses less bandwidth though Pull can take advantage of caching.
    • Push has the overhead of subscribers not being available, keeping track of such subscribers and retrying several times. 
  • Proof by induction doesn't work because with push not every subscriber is subscribed to every publisher.


See PushHubPullSub

This was inspired by my notes on Push vs Pull on the IndieWebCamp wiki.

PushHubPullSub

publishers Push updates to a Hub and updates are Pulled by Subscribers from the hub.

PuSH (PubSubHubbub) is a good way to solve the publishers and hubs problems (offloading work and polling lots of sites respectively). The idea with PushHubPullSub is to simplify subscribers by having them poll the hub.

See Does polling scale better than push?

Update: Moved the Does polling scale better than push section to a blog post of it's own.

This was inspired by my notes on Push vs Pull on the IndieWebCamp wiki.