jasonweiserMar 13

Probably want to stop using Booklore...

https://sh.itjust.works/post/56734023

Probably want to stop using Booklore... - sh.itjust.works

Just a PSA. See this thread [https://www.reddit.com/r/selfhosted/comments/1rs275q/psa_think_hard_before_you_deploy_booklore/] Sorry to link to Reddit, but not only is the dev sloppily using using Claude to do something like 20k line PRs, but they are completely crashing out, banning people from the Discord (actually I think they wiped everything from Discord now), and accusing people forking their code of theft. It’s a bummer because the app was pretty good… thankfully Calibre-web and Kavita still exist.

Show threadlambaliciousMar 13
Quick! Someone add it to Open Slopware!
open-slopware

Free/Open Source Software tainted by LLM developers/developed by genAI boosters, along with alternatives. Fork of the repo by @gen-ai-transparency after its deletion.

Codeberg.org
Show threadnfreakMar 13
Man this list is depressing. Good to have handy though. Sad to see SearXNG and a few others on here.
Show threadAtroposMar 13
Searxng? Fuck, guess I’m just not pulling a new container.
Show threadnfreakMar 13
There is this that popped up the other day, but I haven’t looked into it at all to see if it’s vibecoded or not: github.com/fccview/degoog
GitHub - fccview/degoog: Search engine aggregator with a comprehensive plugin/extension system

Search engine aggregator with a comprehensive plugin/extension system - fccview/degoog

GitHub
Show threadPoliteDudeInTheMoodMar 15
It’s not, the second I cloned it and gave codex access it found a whole whack of privacy issues. This was 100% human coded
Show threadfccviewMar 16
degoog Dev here, definitely not vibecoded. Would you be able to tell me all these whack of privacy issues? I thought I had everything covered, but if you found something concerning it’d be nice to know before I get it out of beta :)
Show threadPoliteDudeInTheMood6d ago
  • Fixed credential-exfiltration risk in /api/proxy/image: Previously the endpoint could:
    • accept arbitrary auth_id
    • load stored API keys
    • forward them to attacker-controlled URLs
  • Enforced outbound host allowlist globally Previously:
    • allowlist existed
    • but outgoingFetch() didn’t enforce it
    • plugins/engines could bypass it
  • Fixed extension store path traversal Previously a malicious store manifest could:
    • inject … paths
    • escape install directories
    • reference arbitrary files
  • Hardened proxy IP trust Previously:
    • rate limiting trusted any X-Forwarded-For header
    • clients could spoof their IP
  • Fixed inconsistent settings authentication Previously:
    • settings UI stored an auth token
    • but the settings modal didn’t send it when saving
  • Implemented Improved proxy deployment support
    • Added proxy-aware behavior:
    • DEGOOG_PUBLIC_BASE_URL for canonical URLs
    • secure cookie handling when X-Forwarded-Proto=https

    Additional Improvements:

    • suggestion fetching hardened
    • DuckDuckGo suggestion parsing fixed
    • unified outbound request handling
    • install state guard properly cleaned up
    Show threadfccview

    Thanks, I’ll individually look into all of these ♥️ I’ll say some of them are more conscious compromises for the sake of an open scalable system where third party extensions can truly edit anything (intentionally) and everything around Auth/secure cookie is also fairly lax due to the fact the Auth is just a protection for the settings (which literally stop the settings from being served by the client), in the moment I decide to add some more structured Auth system/maybe users I’ll look into proper secure cookie handling.

    This is an awesome report, thank you so much for sharing it!!!

    Mar 16 at 3:32pmWeb