Episode 157
· 15:05
Welcome to No Compromises. A peek into the mind of two old web devs who have seen some things. This is Joel.
And this is Aaron.
You know what? I'm not even sure if this is going to offend anyone, and I'm fine with that.
Okay.
But if you're in 2026 and you're FTPing in your code, not using version control on your web projects, you're wrong.
And that's just wrong, you shouldn't do that. Especially on your production stuff. Just don't FTP your stuff, use version control, deploy it.
No argument, Joel. You know better.
No, I just want to clarify. You're not saying FTP has no role in anything.
You're just saying like, do not use it as a deployment mechanism for a production web app?
Correct.
Okay. All right, yeah.
We have all the tools available for the last 15 years to do deployments properly.
Yeah.
You can have them paid, you can have them free. There's no reason to be FTPing code onto your production server.
You shouldn't have those credentials freely available to you, this should all be a thing that happens. I get it. "Oh, there's a lot of challenges.
A unique reason for our stuff." Nope, figure it out. Okay, so that's where I stand, right? You shouldn't be FTPing stuff to your production code.
And I know a lot of people disagree with me. But you also shouldn't be running stuff like Tinker on your production server,
except for very strange, unique situations. I'd argue that you should have a console command version that's dead for those situations.
You shouldn't be on your server in production tinkering with stuff or accessing, changing stuff in a database. We know better than this, right?
I agree. And you've won me over on that Tinker one too. Like, I resisted you at first. I'm like, "Well, Aaron, what about this?
Aaron, what about that?" but you've won me over. So, yes, I am with you on both counts.
Okay. So, I'm going to stress you out maybe, or pull you one more direction and say there's another rule here that I'm seeing people do,
and you're hearing about it on Twitter, X, or whatever, and all these different things. Like, "Oh, this horrible thing happened because I did X, Y, and Z,
and I can't believe that." Well, we heard about that when people would FTP stuff to their servers in production. "Oh, I blew away something," or
"I deleted something. I didn't know, I don't have a backup." You didn't use version control and you didn't deploy your stuff properly. You're bad.
Or, you've heard people like, "Oh, I destroyed my production database," or "I dropped something," or whatever.
Well, you were on the production database editing stuff by hand. Again, you're bad. You did this to yourself, don't complain.
So then, why is it that people are running AI agents on their production servers and code, or even like the local machine,
and then complaining and be like, "Oh, it deleted something of mine." isn't that just like FTPing stuff to production?
Okay, let me clarify again. You're not talking about like a feature in an app which uses an LLM model, right?
No.
You're talking about hey, "I'm plugging in Claude Code to give it SSH access to my production server to help me debug this weird issue."?
Yes.
Okay.
And that is a very smart way of saying it. I've seen people just install Claude on their production servers as well.
Oh.
"I'm stuck, I can't figure this out." Claude, install it, authenticate, and then they start to solve their problem.
Yeah. It's in auto accept mode too, probably. Skip permissions.
What you're saying is a bad idea too. But you were even putting like a layer. You're like, "Oh, I'm working locally and I'm just giving the SSH access."
I'm saying people are using their agents on their production machines as well.
Yeah. Maybe my brain just couldn't go that far and accept that as a possibility. Because maybe I'm old and maybe we're both old, Aaron.
But, yeah, to me of the scenarios you mentioned, deploying with FTP seems the least risky. Running Tinker seems medium risky. This seems like ultra risky, right?
Like, would you categorize it that way? Because it's not even me making a mistake. It's like some non-deterministic thing making a mistake that doesn't
even understand the full context of how our app is set up and what is important data and things like that, right? I mean, it seems insane to me.
Oh, yeah. There's non deterministic and there's no responsibility.
Right, yeah.
Those two things matter. And it could mess up the next time or it could not mess up the next time because of those different
changes and the non-deterministic nature of it.
Sure.
I would agree with you that like the FTP stuff seems less dangerous, but it's just orders of magnitude of ability and speed.
Yeah.
It's really about... I used FTP as an example because everyone sort of understands that now, I hope, from many many years of us saying like don't do that.
Now it's like, "Oh, I know there's better tools out there to handle this deployment where my stuff is locked down. I don't really have, you know,
the password to my production server. I can go get it if I really need to, but I don't do that. I don't go onto it, I use deploy systems."
And so, it's the same thing with these AI agents. Like, I use it for local coding, I use it for checking my work, I do all this stuff.
But connecting it with your production data and server? I don't know, seems like FTPing.
Well, yeah. I mean, maybe I'll ask you this, but I'm just going to ramble a little bit. I'm trying to think of why would you want to do this?
So I'm thinking of a specific scenario where it was on the Mastering Laravel site where I deployed something, was all working, all the tests passed,
and then it didn't work in production. Like, it was giving a 502. Like, it was not like, "Oh, there's a little bug here," but like it broke this feature.
And I rolled it back, no big deal. But then I couldn't reproduce it locally. So something like that, I did use Claude to help me figure it out.
But I did that by feeding it error logs and talking through the problem. Like, "What am I not seeing?" Like, you know what I'm saying?
So, is it that sort of thing that you see people doing it, or is it more like admin-style tasks where they're just trying to like, "Oh, somebody can't log in.
I'm going to reset their password, and we don't have anything the UI to do it. And I never wrote an artisan command to do it,
so I'm going to just like tell Claude to do it."? What are you saying?
It's usually not that, it's the troubleshooting thing. But you basically said how you do it, which is think about from,
I'm going to give a hint to our juniors and junior programmers here, is like sometimes things just suck. Sometimes they take a little time,
and so Joel had the opportunity to use the AI locally and grab all those things, like those server logs. He could have done that on the server because that seems
faster, right? But instead, he probably copied those logs and copy and paste them into his local thing, or he copied the files down SCP, whatever you did,
to get those into your local running thing. But if you think about it, if you don't know the risks, and that's the point of why we're trying to have this podcast
episode, don't know the risks, why would you have that extra step? Seems like wasted time. Why don't I just use the AI tooling near the location of the error, right?
And so, that's where people are jumping to that logic. It's like, "Oh, I'm just going to use it to troubleshoot something."
But everyone has had this at least that I know that's used AI, which is like LLM agents, is like, "Tell me why this works?"
And it's like, "Oh, it does it because of this, I'll just change that for you." "What? No."
"I didn't say that." Yeah, okay. So, it's the perceived... Well, no, it's the real friction of, "I have to be the intermediary.
I can't just tell you go fix it." Like, I have to feed you information. And then I just want to talk about something else.
Because I remember in this particular instance we were hitting some dead ends. Like, why is this happening? Why is this happening?
And it was giving me commands to run on the server, and it was like dmesg -x-, and like I kind of know what that was supposed to do,
but even that I would not run it until I looked up the man docs for a dmesg. And like what do these command pipes do? Because I don't know.
Maybe dash x deletes something. So, for something like that I assume that's an approach you would take too. Though even if you're the intermediary
you still have to exercise some control and not just like, "Oh, here's the command you want me to paste in and run on my production server."
Like, unless you know exactly what it's doing, that's not safe either.
Correct. I would say what you did is the right thing.
And I will then be practical and tell you what you can do because people aren't going to do what you just said.
Okay.
Instead, when you see that message... I mean, when you see a thing you don't know or reasonably don't know, you should look it up yourself and understand it.
Yeah.
When you cannot ask the model then, again, "Tell me specifically, step by step, what this command does for each line and element."
It still may not be right because we know that there's some things there. But more often than not, now that'll give you a hint that
maybe it isn't what it's doing. Because it'll say like, "Oh, I'm going to do the dmesg thing and then dash X deletes the traces that I was there,"
and blah blah blah. And you could be like, "Wait a second, deletes the what? What?" Like, again, you might not know the answer, but it kind of gave you a hint.
Or, I've also had other times when I've talked with a model and, you know, it did a thing. And I just asked like, "Hey, why did you suggest doing that?"
And it'll reread it, be like, "Oh, I shouldn't have, I'll do this instead," and fixes it. So that's another thing. Is, like, yes, you should look those up.
You absolutely should. But the next step, which you're probably actually going to do, is at least ask it. Ask, "what does this do?"
And don't trust when it told you what it did the first time, ask it to confirm because the first message is part of a potential hallucination.
You're right, yeah. I was even feeling a little hesitation when you said ask the model to explain.
I'm like, "I wonder if I would just ask something different." Like, if let's say I'm using Claude Code, open up like a ChatGPT window and be like,
"Hey, what does this do?" Is that being too paranoid to have like a different, either different model or even a different conversation,
like different context analyzed?
Yeah. I mean, by that time you're getting closer and closer to just googling it. I mean...
Yeah. Or, just going to the docs, which isn't that hard. But I get your point that people aren't going to do it.
I have messed. I have thought about that, like running a different model. But if you watch all the different...
and I don't want to get into this too much, this is not an AI podcast. But if you watch what's going on, like a lot of them are converging anyway.
So you're not necessarily getting different answers from different models.
Yeah, you're absolutely right, Aaron. Okay.
You're right to push back on me.
You're right. I want to throw one other thing out. This didn't happen to me this time, but it has happened to me in the past.
Where you're that go-between, and it's giving you commands to run. And all of a sudden it gives you this like four-part command, you know,
that's got like double ampersands, double or signs, and then like that's all grept and like piped into a Python one-liner.
And what it's trying to do is save you from having to run like seven commands, But those I will just flat out reject.
Because even if I understand all the piece parts, if I'm going to go look those up one by one and understand it, I don't trust my brain to think through.
Because there's logic in there now. Like, I don't trust how they're all going to connect together, and what the failure modes could be.
Like, you've seen that too, right?
Yeah, depending on your shell.
Sure.
Like, using Zsh a lot I run into that is because a lot of the training documentation for forever was based off Bash.
Yeah.
So, when it tries to run stuff, it runs it the Bash way. And sometimes those things don't necessarily work exactly the same way with Zsh, or with Oh My Zsh,
if I have that running and something like that. So, when you have those commands that are combined a lot of times they have some sort of escape character
and things like that too. So it becomes really hard to determine what even broke in there when, let's just say, you think you even understood it, took it,
pasted it in and it doesn't work. It's like, "Well, why?" I've seen that at least with my stuff when I let the agent go wild.
Is like, it'll run something be like, "Oh, it doesn't work like that on Zsh. I need to do this and this and this."
It's like yeah, that would have been much worse if I ran that the first time I wouldn't know why.
Right, yeah. So, all of this kind of boils down, the underlying theme, is a little bit of friction to do this safer.
But man, you're saving yourself from some trouble. And kind of the same thing with the Tinker.
Like, "Ah, it'd be so much easier just run this Tinker thing in production." But like, "Well, until it's not."
Mm-hmm (affirmative).
Aaron, you know how much I care about user experience and design, and like just getting all those details right?
I've laughed because you're like, "Why did you put this padding on that button?"
Yes.
But I do care to a certain degree. So, anyways, out in the world as I'm using software people have written,
I really question why certain decisions were made. And especially when it affects me negatively.
So, I'm not going to go into specifics. But I was in, let's just say kind of a heated/touchy friend group chat,
and I went to react to it with thumbs up because I didn't want to continue the conversation, but I wanted to express approval.
And you know what's right next to thumbs up? Is thumbs down. And I accidentally hit thumbs down, and it just like reignited things.
And you see, you can remove the reaction, but I didn't get to it fast enough. And then it was this whole thing.
It's like, is it a little weird to you that thumbs up and thumbs down are like literally right next to each other in that reaction pop-up? This is iOS.
Yeah, I guess. But it's a little bit like... I mean, I hear what you're saying and I want to be there with you.
Is it my sausage fingers? Are you-
No, no. But it just... it's tripping that one thing in my brain. It's like, "Well, I did this thing and it didn't work, so I just... I'm mad at that thing."
It's like you probably saw that it hit thumbs down when you hit thumbs down, or were you in such a hurry that you had to hit thumbs down and you're like,
"F, what's on the screen, I'm not even going to look at it."? You probably saw it, but you decided not to. So, I really want to laugh with you, Joel.
I want to make fun of this, but what? What? Come on, come on! You're better than this.
Or maybe I just need glasses.
Or thinner fingers.
AI agents can do whatever they want, and they're pretty efficient. But they have no responsibility, they have no ethics, they have no connection to that code.
If you need someone who actually cares about your project and is responsible, maybe we can help.
Head over to nocompromises.io and see how you can work with Aaron and I.
Listen to No Compromises using one of many popular podcasting apps or directories.