
testing out brutaldon as well. i think i like pinafore better, might host my own copy

@liaizon @sengi_app

Turns out this app is spyware, it phones home the instant you open it, without consent:

@sneak @sengi_app You can self host it, they probably must have some simple analytics set up. It’s certainly not meant to be spyware. I am sure the dev was not intending to be malicious. @NicolasConstant

@liaizon simple analytics, without advance opt-in consent, transmits my data without my consent, and meets the definition of spyware. apps that transmit my activity *intentionally* without obtaining consent *are* malicious software, and the developer built this, which means they built it maliciously to steal my data.

@sneak
Good lord, please ask when you find something strange; it might not be what you think.
The Electron build is only a browser packaging: all it does is load a webpage in the app. The webpage is at sengi.nicolas-constant.com (you can use it directly from a browser). There is nothing other than HTML/CSS/JS files to be downloaded, all coming from my FTP, and no data of any kind is gathered (I don't even know how many people are using the app).
@liaizon

@sengi_app @liaizon

that means that this "desktop" app is actually downloading javascript on each launch and running it locally, granting remote code execution on my computer. that's *way* worse - it means that a compromise of your webserver can read and upload/steal any file on my computer. this is a security nightmare.

bundle the code into the desktop application, and do not make any connections on launch other than to the configured homeserver. you're opening your users up to compromise

@sneak
PLEASE ASK.
The Electron build is set to load the page in an isolated way for this very reason. It doesn't have access to the Node.js aspect of Electron and thus to the computer.
I've done this so that I can use the auto-update capability of PWAs and have only one code base to manage.
Also, it's not mandatory to use the Electron build; I only provide it because some people find it convenient.
@liaizon
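The two positions above (the request to bundle the code and allow no launch-time connections except to the configured homeserver, and the reply that the Electron window is isolated from Node.js) can be checked against a concrete configuration. The following is an added example, not code from the original thread or from the Sengi project: it models the documented Electron defaults (nodeIntegration off since Electron 5, contextIsolation on since 12, renderer sandbox on since 20) to classify what a remote-loaded page can reach, and filters a list of launch-time requests against a homeserver allowlist. The hostnames webapp.example, mastodon.example and analytics.example, the sample webPreferences and the request list are constructed for illustration; the code does not run Electron itself.

```javascript
// Added example (not Sengi's code): model what a page loaded into an Electron
// BrowserWindow can reach, from the load target and webPreferences, and check
// which launch-time requests fall outside the configured homeserver.
// Documented Electron defaults used below:
//   nodeIntegration defaults to false since Electron 5,
//   contextIsolation defaults to true since Electron 12,
//   sandbox defaults to true since Electron 20.

function effectiveWebPreferences(prefs, electronMajor) {
  return {
    nodeIntegration: prefs.nodeIntegration ?? electronMajor < 5,
    contextIsolation: prefs.contextIsolation ?? electronMajor >= 12,
    sandbox: prefs.sandbox ?? electronMajor >= 20,
    webSecurity: prefs.webSecurity ?? true,
  };
}

// loadFile() takes a path on disk; loadURL() with a network scheme fetches the
// page (and every script it references) from the server on each launch.
function isRemoteTarget(target) {
  return /^(https?|ftp|ws|wss):\/\//i.test(target);
}

function assessWindow({ target, webPreferences = {}, electronMajor }) {
  const eff = effectiveWebPreferences(webPreferences, electronMajor);
  const remote = isRemoteTarget(target);
  const findings = [];
  if (remote) {
    findings.push('remote-code: page JS is fetched at launch, so whoever controls that origin controls the code that runs in the renderer');
    if (eff.nodeIntegration) findings.push('node-in-renderer: remote page can require("fs") and read or upload local files');
    if (!eff.contextIsolation) findings.push('no-context-isolation: remote page shares a JS world with the preload script and can reach any Node-backed object it exposes');
    if (!eff.sandbox) findings.push('no-sandbox: a Chromium renderer bug yields native code execution outside the OS sandbox');
    if (!eff.webSecurity) findings.push('web-security-off: same-origin policy disabled for the remote page');
  } else if (eff.nodeIntegration) {
    findings.push('node-in-renderer: any XSS in the bundled page becomes local code execution');
  }
  let severity;
  if (!remote) severity = eff.nodeIntegration ? 'medium' : 'low';
  else if (eff.nodeIntegration || !eff.contextIsolation) severity = 'critical';
  else if (!eff.sandbox) severity = 'high';
  else severity = 'medium'; // isolated, but the server still decides what the app does
  return { remote, effective: eff, severity, findings };
}

// Launch-time network policy from the thread: nothing but the configured
// homeserver. Returns the requests that violate it.
function offHomeserverRequests(requestUrls, homeserverOrigin) {
  const allowed = new URL(homeserverOrigin).origin;
  return requestUrls.filter((u) => new URL(u).origin !== allowed);
}

// Constructed sample configurations and request log (hypothetical hostnames).
const remoteHardened = assessWindow({
  target: 'https://webapp.example/',
  webPreferences: { nodeIntegration: false, contextIsolation: true, sandbox: true },
  electronMajor: 12,
});
const remoteLegacy = assessWindow({
  target: 'https://webapp.example/',
  webPreferences: { nodeIntegration: true },
  electronMajor: 4,
});
const bundled = assessWindow({ target: 'dist/index.html', electronMajor: 20 });

const launchRequests = [
  'https://mastodon.example/api/v1/instance',
  'https://webapp.example/main.js',
  'https://analytics.example/collect?x=1',
];
const leaks = offHomeserverRequests(launchRequests, 'https://mastodon.example');

console.log(remoteHardened.severity, remoteLegacy.severity, bundled.severity);
console.log(leaks);
```

The hardened remote case still carries one finding. That is the disagreement in the thread in one line: isolation bounds what a compromised server can do (no file system, no Node objects, a sandboxed renderer), but it does not change who decides which code the app runs at each launch. Only the bundled target with Node disabled gets a clean result, and the request filter shows the kind of check a user would run to confirm that nothing besides the homeserver is contacted.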

@sengi_app @liaizon

auto updates without user consent are RCE! what part of this aren't you getting? if i compromise your webserver i can take over the client with malicious code.

@sengi_app @liaizon just because a desktop app is "not mandatory" doesn't make it okay to make it do things the user doesn't want. i downloaded this app and ran it, and it connected to your server to download stuff. why is that okay? i didn't want that code, i wanted the code i downloaded from github.

you need to learn about user consent.

@sneak
That's how the web works. You connect to a server, you download a web page.

I don't hide it; I describe exactly what the app does and why, and it's FLOSS, so you can check the repository to verify my declarations.

You are free to use it, period.
@liaizon

@sengi_app @liaizon yup, you're right, that's how the web works. that's not how desktop software works. downloading and running desktop software is not consent to download and execute arbitrary code i've never seen before.

@sneak @sengi_app @liaizon please, keep your ignorance to yourself. PWAs (Progressive Web Apps) were born as a middle ground between desktop apps and web apps, to make it possible to have a desktop-like experience and integration without being a desktop-first app.

So this is not desktop-first software, it's "hybrid" software, whether you like it or not; you can't force your desktop-only expectations.

@loosy @liaizon @sengi_app that's caused by it being a downloadable .app bundle, not me.

@sneak
If you are that sensitive to what you're using on your computer, maybe you should read at least the Readme on the official repository before making any assumptions and crying after that.
I do my best to be as transparent as possible, I do know the stack won't fit for everyone, but it's the one I chose.
There is a lot of other apps doing the same thing out there, nothing tricky.
@loosy @liaizon

@sneak @sengi_app @liaizon because PWAs work that way, what's not clear to you about that?

@sneak @liaizon

That's how PWAs work; it's not my initiative.
But yeah, Sengi is only a "Browser WebApp" as stated on Github, nothing else, if you don't like the idea of pulling webapps on your computer, don't use it.
