Vaccari's Code

Without LLM code in the dependencies

7/5/2026

Generative artificial intelligence, especially LLMs, has been the buzzword of the moment, promising to revolutionize everything from interface design to code writing. It's tempting to use these tools to accelerate development, but are we truly considering the hidden cost of this "productivity"? A veteran engineer, Joey Hess, gives us a clue by dedicating a month of work to ensure that his project, git-annex, is free of LLM-generated code in its dependencies. And what he found, my friends, is a real bucket of cold water.

The Dependency Audit Marathon

Joey Hess, known for his work on git-annex, embarked on a journey he himself describes as "holding back the tide." Over the past 30 days, he dedicated about 100 hours to auditing git-annex's dependency tree, with a clear goal: to ensure that none of them contained LLM-generated code. The question he raises is provocative: "Auditing a program's entire dependency tree, on an ongoing basis, is that what programming has become?" The answer, unfortunately, seems to be a resounding yes for those concerned with software quality and provenance.

This arduous task was not in vain. Although the time invested was colossal, Joey obtained crucial information about the quality of his dependencies. This knowledge, he states, will certainly influence his future decisions. It is, according to him, the only positive benefit of this exhaustive work. The implication is clear: blind trust in dependencies, especially in an era where AI can inject code without warning, is a recipe for disaster.

The Dark Side of "Productivity"

During his hunt for LLM code, Joey found what he called "true stinkers." And the examples are, to say the least, concerning:

  • Volatile and Inexplicable Changes: Large LLM-generated changes being reverted in the next version of a project, without any explanation or justification in the commit messages. This not only creates instability but also hinders maintenance and understanding of the code's history.
  • Giant and Incoherent Commits: One commit in particular stood out: a 1489-line message accompanying 10,000 lines of changes in a 26,000 LOC codebase. A true monster, almost impossible to review or understand, with the suspicion of having been AI-generated. This is the opposite of good commit and review practices.
  • Ignored Copyright Risks: An LLM prompt used to copy code from another project, which, by sheer luck, seems to have avoided a copyright infringement. This exposes projects to significant legal risks, something many developers might not even consider when using AI tools to "accelerate."

It's easy to fall into the temptation of using an LLM with simple prompts like "Add fourmolu config and restyled", "neat", or "format a module", and then making a commit, perhaps self-proclaiming oneself a "10xer" – a ten times more productive developer. However, Joey implores us to consider the broader impact of such actions. He mentions that a specific project lost its future collaboration due to this practice. Instant "productivity" can come at a high cost in terms of long-term trust, quality, and collaboration.

What to Do Now?

The situation is complex. Joey realizes that, at this point, he's probably trying to "hold back the tide." He notes that the Software Freedom Conservancy (SFC) "punted", and doubts that the Free Software Foundation (FSF) will do anything much different. It seems that the institutions that historically defend free software freedom and quality are struggling to deal with this new reality.

As these "dominoes fall," Joey is re-evaluating his participation in these communities. It's a worrying sign when such a dedicated contributor begins to question his role. However, he reaffirms his commitment to continuing his work and supporting his users, which demonstrates the seriousness with which he views the developer's responsibility.

The central question is: are we willing to sacrifice the clarity, maintainability, security, and even legality of our code in the name of speed? Joey Hess's work forces us to confront this question.

Why does this matter?

Joey Hess's episode with git-annex is a wake-up call. The indiscriminate inclusion of LLM-generated code, especially in dependencies, introduces a layer of opacity and risk that we cannot ignore. As developers, our responsibility goes beyond delivering functionalities; it includes the integrity and sustainability of the code we build and use. The ease of a prompt does not compensate for the complexity of an AI-generated bug or a licensing issue. We need to be vigilant and question the origin and quality of the code that enters our projects.


Sources:


📬 Enjoyed this? Subscribe to the Vaccari's Code newsletter for the next wave of software & AI trends, straight to your inbox: Subscribe here

← all posts · listen to the episode →