justin.searls.co

When coding agents fail to accomplish what we task them with, very often it's because the codebase has complications we failed to anticipate and communicate. It's easy to get mad at the AI, but reckoning with technical debt requires your awareness and involvement, too.


After a fabulously productive weekend with Codex CLI shipping a set of features that would have taken me two weeks, it is now past 9 AM on a weekday in San Francisco and it's struggling to add two numbers together again. What a world.


✅ Active on weekends

A recruiter sent me this screenshot of some kind of GitHub profile scraper. Aside from naming me as a "top 1%" JavaScript developer (which I'm not sure is a compliment or a threat…), I just couldn't get over the "active on weekends" checkmark.

Lady, on weekends I charge double. 🤌

The joy I get out of programming has slowly waned over the years, because most interesting problems are now "solved" via standard libraries, open-source dependencies, and HTTP APIs. Novel problem solving gradually gave way to "digital pipefitting" of stuff built by others.


When I work late or long hours coding something, it is expressly NOT because I enjoy it. It's because I can't stomach the thought of wasting another day of my life on this shit.


Best reason to use Codex CLI over Claude Code is the limits. I've been HAMMERING gpt-5-high for >8 hours/day all week. It's the last day of the week and I haven't hit 35% of the weekly limit.

If I'd paid the same $200/mo for Claude, I'd have been locked out by day 2.


A cruel irony of coding agents is that everyone who blew off automated testing for the past 20 years is now telling the AI to do TDD all the time.

But because LLMs were trained on decades of their shitty tests, the agents are also terrible at testing.


When working with a coding agent, a great periodic housekeeping task is to ask it to evaluate the codebase against the principles and values you've laid out in your CLAUDE/AGENTS/RULES files.

Agents frequently violate one's rules while coding, but will also spot those deviations after the fact if asked.


[TL;DR, Ruby Central has alleged that after he was notified that the board had voted to remove his production access to RubyGems.org, André Arko accessed the Ruby Central AWS account without authorization and proceeded to change the root password. 👇]

For context, last week I wrote a post bringing to light a number of things André Arko had said and done in the past as a way to provide some context. Context that might explain why any of the principal actors involved in the RubyGems maintainer crisis (summarized well up to that point by Emanuel Maiberg) would take such otherwise inexplicable actions and then fail to even attempt to explain them.

Today, Jean shed some light on Shopify's significant investments in Ruby and Rails open-source, and it actually paints a picture of corporate investment in open source done right. (Disclosure: I know and am friends with several people who work at Shopify on these teams, and unless they're all lying to me, they sure seem to prioritize their work based on what Ruby and Rails need, as opposed to what Shopify wants.) Jean went a step further by contrasting Shopify's approach with the perverse incentives at play when individuals or groups receive sponsorships to do open source. He also drew a pretty clear line of those incentives playing out based on how RubyGems and Bundler maintainers reacted to Shopify's feature submissions. Read the post, it's good.

But now, not an hour after reading Jean's post, Ruby Central has published a jaw-dropping tick-tock of the events that precipitated their decision to revoke maintainer access. Even more bizarrely, the only reason we're learning this information at all seems to be a self-own: by publicly dunking on Ruby Central's failure to remove André's systems access (as opposed to properly disclosing the security breach), Joel Drapper and André inadvertently compelled Ruby Central to issue a post-mortem that lays out the facts we've all been clamoring for.

Seriously, just go read it yourself.

The Bad Part

On August 3, Ruby Central leadership became concerned there was a risk André might access and sell logs containing personally identifiable information from RubyGems.org servers. This concern was raised by André himself, who proposed it in an email:

Following these budget adjustments, Mr. Arko's consultancy, which had been receiving approximately $50,000 per year for providing the secondary on-call service, submitted a proposal offering to provide secondary on-call services at no cost in exchange for access to production HTTP access logs, containing IP addresses and other personally identifiable information (PII). The offer would have given Mr. Arko's consultancy access to that data, so that they could monetize it by analyzing access patterns and potentially sharing it with unrelated third-parties.

(The screenshot of André's email to Marty is in the post.)

So, according to Ruby Central, André was making $50k a year to fulfill a "rarely activated" role as secondary on-call, and when that budget was cut, he proposed harvesting PII and reselling it for his own profit. No mention that this might be unethical, much less in violation of RubyGems.org's privacy policy.

This led Ruby Central to go to work shoring up proper Operator Agreements and Contributor Agreements that could sufficiently defend against this kind of action. They decided to take the further step of temporarily revoking various accesses from multiple (most? all?) contributors until such protections were in place, which (as has been widely discussed) they didn't do a great job of explaining and did not even attempt to justify. Of course, now that we've seen this email and understand that Ruby Central probably didn't want to catch a defamation suit by naming and shaming André as the reason, the subsequent community outrage appears in a different light.

Suddenly, a bizarre corporate conspiracy in which Shopify's leadership withheld sponsorship dollars unless Ruby Central mass-revoked maintainer access isn't the simplest explanation for why things went down the way they did.

The Somehow Even Worse Part

But wait, there's more. Joel's post identifying that André still had systems access not only represented a security incident in itself, it also connected the dots Ruby Central needed to affirmatively identify the unauthorized actor who had accessed and changed credentials on their AWS account.

On September 18th, Ruby Central notifies André that they're revoking his access:

Ruby Central notifies Mr. Arko, via email, of the board's decision to remove his RubyGems.org production access, and the termination of his on-call services. During that transition, our teams remove the AWS security credentials belonging to Mr. Arko for accessing the production systems, but we fail to rotate the AWS root account password in tandem.

Not eight hours later, a mysterious stranger in San Francisco (who Ruby Central asserts is André) logs in as the root user of Ruby Central's AWS account and changes the password. Ten days later, another mysterious stranger in Tokyo (who is apparently also André) logs in as root again.

I'm no lawyer, but that timeline could implicate the Computer Fraud and Abuse Act. That'd be incredible enough on its own, were it not for the fact he may have done it again in Tokyo—meaning he might have exposed himself to Japan's own statutes governing unauthorized computer access.
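Since the whole post-mortem hinges on root-user logins showing up in AWS logs, here's the check I'd run over CloudTrail after an off-boarding. This is an added example of my own, not Ruby Central's tooling: it flags every root-user event, calls out console logins without MFA and root password changes, and marks anything that happened after a teammate's credentials were pulled (the exact failure mode above, where the IAM credentials went but the shared root password didn't). The records are constructed, the account ID and IPs are placeholders, and the timestamps merely mirror the public timeline.

```python
"""Flag AWS root-user activity in CloudTrail records.

Added example, not Ruby Central's code. Record shapes follow the
documented CloudTrail JSON format; the sample records below are
constructed, with placeholder account ID and IP addresses.
"""
import gzip
import json
from datetime import datetime, timezone

# Constructed sample CloudTrail records (NOT real log data).
SAMPLE_EVENTS = [
    {   # Routine IAM user activity: the off-boarding itself. Not flagged.
        "eventTime": "2025-09-18T15:02:11Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "DeleteAccessKey",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
        "responseElements": None,
    },
    {   # Root console login, no MFA, hours after the revocation.
        "eventTime": "2025-09-18T22:40:03Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # Root changes its own password right after logging in.
        "eventTime": "2025-09-18T22:41:30Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "PasswordUpdated",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "responseElements": {"PasswordUpdated": "Success"},
    },
    {   # Second root login ten days later from a different address.
        "eventTime": "2025-09-28T06:12:45Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "192.0.2.77",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
]


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_records(path):
    """Read one delivered CloudTrail file (gzipped JSON with a Records array)."""
    with gzip.open(path, "rt") as fh:
        return json.load(fh)["Records"]


def root_findings(records, revoked_at):
    """One finding per root-user event, tagged with why it matters.

    revoked_at is the moment a person's own credentials were removed;
    any root activity at or after it means the root password the person
    may have known was never rotated.
    """
    cutoff = parse_time(revoked_at)
    findings = []
    for rec in records:
        if (rec.get("userIdentity") or {}).get("type") != "Root":
            continue
        reasons = ["root-user activity"]
        response = rec.get("responseElements") or {}
        extra = rec.get("additionalEventData") or {}
        if rec["eventName"] == "ConsoleLogin" and response.get("ConsoleLogin") == "Success":
            reasons.append("root console login")
            if extra.get("MFAUsed") != "Yes":
                reasons.append("no MFA")
        if rec["eventName"] == "PasswordUpdated" and response.get("PasswordUpdated") == "Success":
            reasons.append("root password changed")
        if parse_time(rec["eventTime"]) >= cutoff:
            reasons.append("after credential revocation: root password not rotated")
        findings.append({
            "time": rec["eventTime"],
            "ip": rec["sourceIPAddress"],
            "event": rec["eventName"],
            "reasons": reasons,
        })
    return findings


def distinct_source_ips(findings):
    """Distinct source addresses behind the flagged root activity."""
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    for finding in root_findings(SAMPLE_EVENTS, "2025-09-18T15:00:00Z"):
        print(json.dumps(finding))
```

In practice you'd point `load_records` at the files CloudTrail delivers to S3 (or query CloudTrail Lake / Athena for `userIdentity.type = 'Root'`), but the rule is the same: in a healthy account the root user does nothing day to day, so any root event is worth a page, and root activity after someone's access was revoked is the off-boarding checklist telling you it skipped a step.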

I'm not here to gloat, I'm here to plead with People On The Internet who rushed to judgment against Ruby Central or in defense of André to learn from this situation. The next time a story hits that rhymes with the basic outline of your prior convictions or political beliefs, pause and weigh the evidence before grabbing the nearest pitchfork and joining the mob. Sometimes that means—and I realize this is hard for some of us—not posting anything at all.

That said, I am formally accepting apologies from anyone who dismissed my previous post as "hearsay" or a "hit job" on Reddit, Hacker News, Bluesky, and Mastodon. (The X folks were mostly into it, a fact which brings me no joy.)

Any Fastmail users have advice on managing spam? I've always heard that its spam filter is "nearly as good as Gmail", but in practice ~10-15 cold-call B2B drip campaign emails got through to me today, even though I always banish them to the Junk folder to train it.


Coding agents have really improved my self esteem. It used to be that I'd get mad at myself when I couldn't get my code to work. Now I get mad at the computer when it can't get my code to work.


Dead Code: Fear-driven Everything

Merge Commits

Jared Norman interviewed me after he wrote about the order in which programmers choose to write their code and I offered this response. In this episode, we touch on this before launching into a more expansive discussion on why the agile movement fizzled out and what we can reclaim from a developer workflow perspective now that we're experiencing our first major market upheaval since then with the rise of coding agents.

Appearing on: Dead Code
Published on: 2025-09-09
Original URL: https://shows.acast.com/dead-code/episodes/fear-driven-everything-with-justin-searls

Comments? Questions? Suggestion of a podcast I should guest on? podcast@searls.co

TIL the macOS Terminal app has a shortcut to open URLs. Mouse over the URL and hold command + double-click.

Been there for over 20 years. Damn.
