this post was submitted on 17 Apr 2026
-1 points (33.3% liked)

Privacy

A community for Lemmy users interested in privacy

NovaFuture is proud to announce the official release of PeerBox! A 100% P2P messaging system for Linux, fully open source. Runs on SSH over Tor for maximum security. No account required, no spam possible. Please share the word.

[–] ken@discuss.tchncs.de 0 points 3 weeks ago* (last edited 3 weeks ago) (5 children)

Is this vibecoded or is there thinking behind why it will silently reuse existing user SSH keys by default? For an app like this I would expect it to exclusively use its own keys. Same for PGP.

I also find the ways dependencies are handled a bit unorthodox and surprising (possibly system-breaking even). For a python project it would make more sense with a lockfile and using a package manager for dependencies installed remotely via pip.

https://codeberg.org/NovaFuture/Peerbox/src/commit/60ed3b638d6dc6c82322f73a9ce1c3e44ecec5d2/conf/config.py#L148-L197

https://codeberg.org/NovaFuture/Peerbox/src/commit/60ed3b638d6dc6c82322f73a9ce1c3e44ecec5d2/system/mount/src/onion_client.py#L345

I also wonder why it bundles minified JS for Quill editor v1.3.7 (from 2019) when the unminified version would be easier to audit and maintain, and v2.0.3 was released in 2024?

[–] NovaFuture@lemmy.world -4 points 3 weeks ago (4 children)

Thanks for the detailed review, really appreciate it — this is exactly the kind of feedback the project needed before a public release.

You were right on two of the three points, and I've just pushed fixes to Codeberg (commit 93b8985):

GPG: you nailed it. config.py was silently reusing the user's personal ~/.gnupg keyring if a key was present, which is obviously wrong for an identity-isolated app. Fixed: PeerBox now uses a dedicated keyring at system/gpg/ with --homedir enforced on every gpg call. Existing users get their key auto-migrated on next config.py run so contacts don't break.

Dependencies: install_pysocks() was calling pip install --break-system-packages at runtime, which is indefensible. Removed entirely — it was actually dead code (never called) but still a trap. Documented PySocks in the README as a required pip dep alongside cryptography and pywebview. The broader venv/lockfile refactor is a bigger chantier, planned for phase 6.

SSH keys: here I have to push back a bit — ssh_setup.py does generate a dedicated id_rsa_peerbox key, never reuses id_rsa or id_ed25519. BUT you indirectly uncovered a real bug: request_creator.py had a silent fallback reading id_rsa.pub / id_ed25519.pub if id_rsa_peerbox.pub was missing. That's gone now too.

Quill 1.3.7 → 2.0.3: fair point, on the roadmap for this weekend. Non-minified too for auditability.

Seriously, thanks for taking the time to read the code and call out what needed calling out. This is what keeps small projects honest.
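
The two key-handling points raised in this exchange (the silent fallback from the app key to `id_rsa.pub` / `id_ed25519.pub`, and pinning every gpg call to a dedicated keyring with `--homedir`) are easy to get wrong, so here is an added example of what "no fallback, app-private keys only" looks like in Python. This is not PeerBox's code; the function names `resolve_pubkey_with_fallback`, `resolve_pubkey_isolated`, `gpg_command` and `demo` are invented for the illustration, and only the file names `id_rsa_peerbox.pub`, `id_rsa.pub`, `id_ed25519.pub` and the `system/gpg/` directory are taken from the thread. The demo builds a constructed temporary `.ssh` directory that holds a personal key but no app key, the exact situation in which the described fallback bug would quietly pick up the user's identity.

```python
# Added example (not PeerBox code): a key lookup with the silent personal-key
# fallback the thread describes, beside a resolver that refuses such fallback,
# plus a gpg argv builder pinned to an app-private keyring via --homedir.
import tempfile
from pathlib import Path

APP_KEY = "id_rsa_peerbox.pub"                    # app-scoped key name from the thread
PERSONAL_KEYS = ("id_rsa.pub", "id_ed25519.pub")  # the fallback targets described


class KeyIsolationError(RuntimeError):
    """Raised when the app's own key is absent; nothing else is tried."""


def resolve_pubkey_with_fallback(ssh_dir: Path) -> Path:
    """The pattern reported as a bug: if the app key is missing, quietly
    return whichever personal key happens to exist."""
    for name in (APP_KEY, *PERSONAL_KEYS):
        candidate = Path(ssh_dir) / name
        if candidate.is_file():
            return candidate
    raise FileNotFoundError("no usable public key found")


def resolve_pubkey_isolated(ssh_dir: Path) -> Path:
    """Hardened form: only the app's own key is acceptable. A missing key is
    an error to surface, never a reason to borrow the user's identity."""
    candidate = Path(ssh_dir) / APP_KEY
    if not candidate.is_file():
        raise KeyIsolationError(f"{candidate} not found; run the app's key setup first")
    return candidate


def gpg_command(homedir, *gpg_args: str) -> list:
    """argv for gpg pinned to an app-private keyring. The path must be
    absolute so that $HOME or the working directory cannot redirect it
    to the user's personal ~/.gnupg."""
    homedir = Path(homedir)
    if not homedir.is_absolute():
        raise KeyIsolationError("gpg --homedir must be an absolute path")
    return ["gpg", "--batch", "--homedir", str(homedir), *gpg_args]


def demo() -> dict:
    """Constructed scenario: a .ssh directory with a personal key but no app key."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = Path(tmp) / ".ssh"
        ssh_dir.mkdir()
        # Constructed placeholder key material, not a real key.
        (ssh_dir / "id_ed25519.pub").write_text("ssh-ed25519 AAAA-constructed user@host\n")

        # Buggy lookup silently picks the personal key.
        fallback_picked = resolve_pubkey_with_fallback(ssh_dir).name

        # Hardened lookup refuses and tells the user to run key setup.
        try:
            resolve_pubkey_isolated(ssh_dir)
            isolated = "ok"
        except KeyIsolationError:
            isolated = "refused"

        # After setup creates the app key, the hardened lookup succeeds.
        (ssh_dir / APP_KEY).write_text("ssh-rsa AAAA-constructed peerbox\n")
        isolated_after_setup = resolve_pubkey_isolated(ssh_dir).name

        # gpg pinned to the app keyring (system/gpg/ per the thread), not ~/.gnupg.
        cmd = gpg_command(Path(tmp) / "system" / "gpg", "--list-keys")

    return {
        "fallback_picked": fallback_picked,
        "isolated": isolated,
        "isolated_after_setup": isolated_after_setup,
        "uses_homedir": "--homedir" in cmd and "--batch" in cmd,
    }


if __name__ == "__main__":
    print(demo())
```

The useful property is that the hardened resolver fails loudly: a missing app key becomes a visible setup error rather than a request signed by whatever key the user keeps in `~/.ssh`. Passing `--homedir` on every invocation (rather than relying on an environment variable) makes the keyring choice visible in process listings and audit logs, which is what a reviewer reading `ps` output or a shell trace would want to see.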

[–] quack@lemmy.zip 0 points 2 weeks ago (1 children)

Yeah this response is not reassuring. Death to AI slop.

[–] NovaFuture@lemmy.world -1 points 2 weeks ago

Are you alright? Just chilling? Doing your own thing in your corner? You're speaking without any basis. That's unacceptable.
