this post was submitted on 06 Jan 2026
39 points (91.5% liked)

Selfhosted

I've been looking for something to help the navidrome server do its thing, and this looks awesome, but there is one issue that was just opened and closed yesterday, it looks a little sus?

How does one go about digging through and discovering if this is malicious or not?

[–] i_stole_ur_taco@lemmy.ca 4 points 5 months ago (1 children)

I think the author literally released it like 2 days ago which is why there’s no issues or prs yet.

I installed it yesterday and have only fiddled around a little bit. I like that it pointed out a bunch of health issues with my Lidarr library and have been stuck on a side quest dealing with those.

If you want to explore it and see if anything seems malicious to you, I’d focus on code making requests, and review the sub-dependencies to see if any look sus. It should live entirely in your network and shouldn’t be making any external requests outside your server apart from the connections you set up (like last.fm).

[–] fleem@piefed.zeromedia.vip 17 points 5 months ago (2 children)

The reason I pumped the brakes was an issue filed yesterday by a brand new user and closed by the owner, asking why it was sending a bunch of network requests somewhere random. Then it was edited for content and the name of the issue was changed by the owner and closed.

My spidey sense pricked up? But I'm just an old stoned n00b, so I wanted to hear what the old stoned wizards thought.

[–] i_stole_ur_taco@lemmy.ca 6 points 5 months ago (1 children)

Ohh that’s suspicious. I’m going to kill mine for now and take a look later tonight. I’ll report back if I find anything interesting!

[–] i_stole_ur_taco@lemmy.ca 2 points 5 months ago (1 children)

Ok, so I ran the repo through an LLM to look for any suspicious requests, and it came back clean.

But it’s hella suspicious that the repo owner edited away the issue and closed it without a response.

It’s also hella suspicious that the user that reported that issue created their account yesterday.

I think I need to go the nuclear option: pop a gummy and monitor the network traffic of the container and see what it’s doing.
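
One way to do the traffic check the two comments above describe (look for code making requests outside your server, then watch what the container actually talks to), as an added example that is not part of this thread or of the project's own code: it parses a snapshot of `ss -tnp` taken inside the container (for instance with `docker exec <container> ss -tnp`, which assumes iproute2 is available there) and flags every peer that is neither loopback/LAN nor one you deliberately configured. The addresses in the allowlist and in the sample snapshot are constructed placeholders.

```python
import ipaddress
from typing import NamedTuple

# Constructed placeholder: put here the address(es) the services you set up on
# purpose (e.g. last.fm) resolve to on your own host; check with `dig`.
ALLOWED_EXTERNAL = {ipaddress.ip_address("37.12.34.56")}

class Conn(NamedTuple):
    local: str
    peer_ip: object   # IPv4Address or IPv6Address
    peer_port: int
    process: str

def split_host_port(field):
    """Split 'host:port' or '[v6host]:port' into (ip_address, port)."""
    host, _, port = field.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def parse_ss(output):
    """Parse `ss -tnp` rows: State Recv-Q Send-Q Local Peer [Process]."""
    conns = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":   # header or blank line
            continue
        peer_ip, peer_port = split_host_port(parts[4])
        process = parts[5] if len(parts) > 5 else ""
        conns.append(Conn(parts[3], peer_ip, peer_port, process))
    return conns

def is_expected(ip):
    """Loopback, LAN/container-network and deliberately configured peers."""
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip in ALLOWED_EXTERNAL

def unexpected_peers(output):
    """Connections to peers you did not set up: these deserve a closer look."""
    return [c for c in parse_ss(output) if not is_expected(c.peer_ip)]

# Constructed sample snapshot (made-up addresses), not real output from any project.
SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 172.18.0.5:4533 192.168.1.20:51002 users:(("navidrome",pid=12,fd=9))
ESTAB 0 0 172.18.0.5:40112 37.12.34.56:443 users:(("node",pid=31,fd=17))
ESTAB 0 0 [::1]:8080 [::1]:55410 users:(("node",pid=31,fd=8))
ESTAB 0 0 172.18.0.5:40120 91.200.10.20:443 users:(("node",pid=31,fd=19))
"""

if __name__ == "__main__":
    for c in unexpected_peers(SAMPLE):
        print(f"UNEXPECTED {c.peer_ip}:{c.peer_port} from {c.local} {c.process}")
```

A single snapshot only shows what is connected at that moment, so take several over time (or run it from a loop) while you exercise the app's features.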

[–] fleem@piefed.zeromedia.vip 5 points 5 months ago (1 children)

o7 godspeed! I appreciate your effort. The spirit of this project does sound so cool, so I was a little heartbroken.

enjoy the edible!

[–] i_stole_ur_taco@lemmy.ca 1 points 5 months ago

Well that was fun! I'm confident this project isn't malicious. It's for sure coded using AI, and I think that's what triggered a smear campaign. This removed Reddit post looks like there is just a downvote brigade out to get the project because the author admitted to using AI.

The only network traffic it's made when I monitored it was local. Certainly nothing went to Asia.

I think it tries to solve a neat problem. There's so many features packed in that it's obviously vibe coded. That's probably a huge turn off for AI detractors. If you don't care about that, I think you're safe to give it a try.

[–] lena@gregtech.eu 3 points 5 months ago (1 children)
[–] fleem@piefed.zeromedia.vip 1 points 5 months ago (1 children)

Welp, that issue has "officially" been deleted, as well as a followup issue asked by another person asking about that first issue feeling fishy.

[–] hoppolito@mander.xyz 2 points 5 months ago (1 children)

While a full ‘deletion’ of such an issue is certainly unfortunate, I can kind of see how it gets to such a decision point.

You’re creating some software in the open, decide to ping some communities on reddit/lemmy and all of a sudden it seems like a disgruntled brigade is breaking down your door while you just wanted to show them the garden.

What for us looks like earnest sleuthing can feel like abuse/harassment from the other side simply due to the asymmetrical nature of the internet.

Would have probably still preferred a closed issue instead, but having a couple ‘niche-successful’ repos on github myself - I can at least certainly empathise.

[–] fleem@piefed.zeromedia.vip 1 points 5 months ago

Understood! I will keep my eyes on this repo!