Just a PSA.

See this thread

Sorry to link to Reddit, but not only is the dev sloppily using Claude to do something like 20k line PRs, but they are completely crashing out, banning people from the Discord (actually I think they wiped everything from Discord now), and accusing people forking their code of theft.

It’s a bummer because the app was pretty good… thankfully Calibre-web and Kavita still exist.

    • nfreak@lemmy.ml · 12 up / 2 down · 3 months ago

      Man this list is depressing. Good to have handy though. Sad to see SearXNG and a few others on here.

          • PoliteDudeInTheMood@lemmy.ca · 2 up / 1 down · 3 months ago

            It’s not, the second I cloned it and gave codex access it found a whole whack of privacy issues. This was 100% human coded.

            • fccview@lemmy.world · 2 up / 1 down · 3 months ago

              degoog Dev here, definitely not vibecoded. Would you be able to tell me all these whack of privacy issues? I thought I had everything covered, but if you found something concerning it’d be nice to know before I get it out of beta :)

              • PoliteDudeInTheMood@lemmy.ca · 4 up · edited · 3 months ago

                1. Fixed credential-exfiltration risk in /api/proxy/image. Previously the endpoint could:
                   • accept arbitrary auth_id
                   • load stored API keys
                   • forward them to attacker-controlled URLs
                2. Enforced outbound host allowlist globally. Previously:
                   • allowlist existed
                   • but outgoingFetch() didn’t enforce it
                   • plugins/engines could bypass it
                3. Fixed extension store path traversal. Previously a malicious store manifest could:
                   • inject … paths
                   • escape install directories
                   • reference arbitrary files
                4. Hardened proxy IP trust. Previously:
                   • rate limiting trusted any X-Forwarded-For header
                   • clients could spoof their IP
                5. Fixed inconsistent settings authentication. Previously:
                   • settings UI stored an auth token
                   • but the settings modal didn’t send it when saving
                6. Implemented improved proxy deployment support. Added proxy-aware behavior:
                   • DEGOOG_PUBLIC_BASE_URL for canonical URLs
                   • secure cookie handling when X-Forwarded-Proto=https

                Additional Improvements:

                • suggestion fetching hardened
                • DuckDuckGo suggestion parsing fixed
                • unified outbound request handling
                • install state guard properly cleaned up

                Made some other changes for my specific deployment. Very happy with your work so far. Thanks so much

                • fccview@lemmy.world · 3 up · 3 months ago

                  Thanks, I’ll individually look into all of these ♥️. I’ll say some of them are more conscious compromises for the sake of an open, scalable system where third-party extensions can truly edit anything (intentionally), and everything around auth/secure cookies is also fairly lax because the auth is just a protection for the settings (which literally stops the settings from being served to the client). The moment I decide to add a more structured auth system/maybe users, I’ll look into proper secure cookie handling.

                  This is an awesome report, thank you so much for sharing it!!!

                • fccview@lemmy.world · 1 up · 2 months ago

                  Hey sorry for the delay, dealing with a lot right now, but I didn’t forget about it.

                  1 - Fixed this, the api key is now only forwarded if the destination hostname matches the plugin’s stored url.
                  2 - As I was saying, the allowlist is opt-in by design (null = allow all), and plugins legitimately need to make arbitrary outbound requests. Enforcing it globally would break the plugin system.
                  3 - Fixed this, it was quite simple.
                  4 - I have added an env var (DEGOOG_DISTRUST_PROXY); if set to true it’ll make it so all users share the same rate limit regardless of their IPs. I left it as an opt-in, as most users currently running it are only keeping it private behind their own in-house reverse proxies. This will be handy for a public instance, for example.
                  5 - Extension settings modal now correctly sends x-settings-token on save.
                  6 - As I said, auth is intentionally lax until a more structured auth system is added, which may need to be a few weeks after stable is live; after all, there’s no real auth, and the password-protected settings and private view should be secure enough as is.

                  btw all this is not live yet, it’ll be sent live with the next release ♥

  • Lka1988@sh.itjust.works · 35 up / 3 down · 3 months ago

    accusing people forking their code of theft

    AGPL 3.0 license

    Too fucking bad, pussy.

  • nfreak@lemmy.ml · 10 up / 2 down · 3 months ago

    I literally just got this all set up and was about to hook up my wife’s Kobo to it. Good timing for this to come out so I don’t waste any more of our time with this slop. What a shitshow.

    I just spun up Komga instead last night (I was going to set up CWA but I’ve heard sketchy things about their lead dev that don’t leave me optimistic). Very easy to get up and running, pretty basic but it seems to work well and does exactly what it needs to do. I was a bit hesitant since it seemed geared toward comics, but it’s handling regular ebooks just fine.

      • nfreak@lemmy.ml · 2 up · 3 months ago

        I don’t have the full details, but I saw some mentions in that Booklore reddit thread about CWA’s dev ignoring major issues in favor of new features and such, something like that. I admittedly didn’t really do much research into that nor the tool itself, but Komga’s Kobo support seems better, so I just went with it.

        • non_burglar@lemmy.world · 2 up · 3 months ago

          Hmmm… Calibre web’s kobo integration is good enough, but Komga seems to be able to sync progress as well?

          I might have to try Komga after all.

  • queasy@lemmy.world · 7 up · 3 months ago

    Wow, I was thinking about switching from calibre-web soon too… Thanks for the heads-up!

  • Strawberry@sh.itjust.works · 5 up / 1 down · 3 months ago

    Thanks, that might explain the jank I got when spinning it up yesterday… I’ll be back on calibre web or trying another option over the weekend.

  • philpo@feddit.org · 2 up / 2 down · 3 months ago

    Tbh, at the moment the maintainer seems to have gotten the message, or at least tries to make it seem so. I would give him the benefit of the doubt at this stage, at least for a while.

    • GreenKnight23@lemmy.world · 2 up · 3 months ago

      so if someone had a meltdown and started slapping people, you’re willing to give them a pass?

      I mean they seem like they’re sorry. /s

      dude isn’t regretful of his actions. he regrets the reactions from the community.

      being a FOSS dev is like being a merchant, trust is the only commodity you should be dealing in. if you, or your code, can’t be trusted there’s nothing for the community to rally around.

  • Evotech@lemmy.world · 2 up / 4 down · edited · 3 months ago

    Booklore is actually good though.

    Much more usable than those others

    Seems the guy has calmed down too.

    • GreenKnight23@lemmy.world · 1 up · 3 months ago

      he only said I was a dumb bitch and hit me because I told him I didn’t vote for Trump. he’s not like this all the time.

      when people tell you who they are, listen.