this post was submitted on 13 Mar 2026
124 points (92.5% liked)

Selfhosted

59618 readers
1327 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
124
Probably want to stop using Booklore... (sh.itjust.works)
submitted 2 months ago by jasonweiser@sh.itjust.works to c/selfhosted@lemmy.world
78 comments fedilink hide all child comments
 

Just a PSA.

See this thread

Sorry to link to Reddit, but not only is the dev sloppily using using Claude to do something like 20k line PRs, but they are completely crashing out, banning people from the Discord (actually I think they wiped everything from Discord now), and accusing people forking their code of theft.

It’s a bummer because the app was pretty good… thankfully Calibre-web and Kavita still exist.

you are viewing a single comment's thread
view the rest of the comments
[–] lambalicious@lemmy.sdf.org 56 points 2 months ago (8 children)

Quick! Someone add it to Open Slopware!

[–] nfreak@lemmy.ml 21 points 2 months ago (2 children)

Man this list is depressing. Good to have handy though. Sad to see SearXNG and a few others on here.

[–] northernlights@lemmy.today 13 points 2 months ago (1 children)

Seriously... kitty, rawtherapee, keepassxc, python, the freaking linux kernel!

[–] Auli@lemmy.ca 9 points 2 months ago (1 children)

Did you read about kernel they are experimenting with using it for reviews. Which I don't see a reason why they at least wouldn't be looking these are people who like tech.

[–] lambalicious@lemmy.sdf.org 5 points 2 months ago

It might be, but for some people that might, understandably, be already bad enough, a line in the sand if you will.

I'm reminded of this statement about LLMs and the kind of people who use them in the first place. It's an early indicator that quality (and sovereignty) of the software is going to go the incline down.

[–] Atropos@lemmy.world 1 points 2 months ago (1 children)

Searxng? Fuck, guess I'm just not pulling a new container.

[–] nfreak@lemmy.ml -1 points 2 months ago (2 children)

There is this that popped up the other day, but I haven't looked into it at all to see if it's vibecoded or not: https://github.com/fccview/degoog

[–] PoliteDudeInTheMood@lemmy.ca 2 points 2 months ago (1 children)

It's not, the second I cloned it and gave codex access it found a whole whack of privacy issues. This was 100% human coded

[–] fccview@lemmy.world 2 points 2 months ago (1 children)

degoog Dev here, definitely not vibecoded. Would you be able to tell me all these whack of privacy issues? I thought I had everything covered, but if you found something concerning it'd be nice to know before I get it out of beta :)

[–] PoliteDudeInTheMood@lemmy.ca 2 points 2 months ago (1 children)
  1. Fixed credential-exfiltration risk in /api/proxy/image: Previously the endpoint could:
  • accept arbitrary auth_id
  • load stored API keys
  • forward them to attacker-controlled URLs
  1. Enforced outbound host allowlist globally Previously:
  • allowlist existed
  • but outgoingFetch() didn’t enforce it
  • plugins/engines could bypass it
  1. Fixed extension store path traversal Previously a malicious store manifest could:
  • inject .. paths
  • escape install directories
  • reference arbitrary files
  1. Hardened proxy IP trust Previously:
  • rate limiting trusted any X-Forwarded-For header
  • clients could spoof their IP
  1. Fixed inconsistent settings authentication Previously:
  • settings UI stored an auth token
  • but the settings modal didn’t send it when saving
  1. Implemented Improved proxy deployment support
  • Added proxy-aware behavior:
  • DEGOOG_PUBLIC_BASE_URL for canonical URLs
  • secure cookie handling when X-Forwarded-Proto=https

Additional Improvements:

  • suggestion fetching hardened
  • DuckDuckGo suggestion parsing fixed
  • unified outbound request handling
  • install state guard properly cleaned up
[–] fccview@lemmy.world 2 points 2 months ago

Thanks, I'll individually look into all of these ♥️ I'll say some of them are more conscious compromises for the sake of an open scalable system where third party extensions can truly edit anything (intentionally) and everything around Auth/secure cookie is also fairly lax due to the fact the Auth is just a protection for the settings (which literally stop the settings from being served by the client), in the moment I decide to add some more structured Auth system/maybe users I'll look into proper secure cookie handling.

This is an awesome report, thank you so much for sharing it!!!

[–] Atropos@lemmy.world 1 points 2 months ago

Thanks, will dig into this!

[–] Jolteon@lemmy.zip 13 points 2 months ago (2 children)

It seems like the criteria for making it on there is fairly lax. Nextcloud makes a list by simply having an AI assistant as an optional (user-facing) feature, while none of the actual code appears to be AI-generated.

[–] Evotech@lemmy.world 11 points 2 months ago

I’d be easier to make a list of all software that doesn’t use any AI at this point

[–] lambalicious@lemmy.sdf.org 5 points 2 months ago

Even if the "has an optional AI assistant" was not a thing, the repo includes an AGENTS.md file, which is also listed in the criteria, and more than qualifies it as slopware.

[–] meathappening@lemmy.ml 6 points 2 months ago (2 children)

Booklore is listed as an alternative to Calibre 😭

[–] lambalicious@lemmy.sdf.org 6 points 2 months ago

Damn it!!! 😵

[–] traxex@lemmy.dbzer0.com 1 points 2 months ago (1 children)

Wait Calibre is there????? Oh my god no.

[–] meathappening@lemmy.ml 0 points 2 months ago

Fortunately this exists

[–] antrosapien@lemmy.ml 4 points 2 months ago

That list is depressing

[–] Andres4NY@social.ridetrans.it 3 points 2 months ago* (last edited 2 months ago) (1 children)

@lambalicious @jasonweiser Not sure seafile should be listed as an alternative. We couldn't include it on Debian due to copyright sketchiness/plagerism...

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928975

[–] lambalicious@lemmy.sdf.org 2 points 2 months ago (1 children)

Geez... problems never end, do they.

I'm barely active in Codeberg. Unless someone beats me by, say, end-of-month, I might file an issue about it; that said, I'd like to be able to offer at least one (1) functional alternative rather than simply +1'ing to the complains that this or that is Never Good Enough.

[–] Andres4NY@social.ridetrans.it 2 points 2 months ago

@lambalicious Syncthing is what I replaced seafile with, fwiw. Works great!

[–] Sunny@slrpnk.net 3 points 2 months ago

Holy shit I almost whish I didn't read through that list...So sad to see so many projects go down this path...

[–] uzay@infosec.pub 2 points 2 months ago

Especially since it is actually listed as an alternative to calibre there

[–] pie_enjoyer@lemmy.world -3 points 2 months ago

"No, anti AI people aren't technophobic"

Meanwhile anti AI people: