@sneak there’s also @sengi_app for a different direction.
Turns out this app is spyware, it phones home the instant you open it, without consent:
@sneak
Good lord, please ask when you find something strange, it might not be what you think.
The Electron build is only a browser packaging; all it does is load a webpage in the app. The webpage is at http://sengi.nicolas-constant.com (you can use it directly from a browser). There is nothing other than HTML/CSS/JS files to download, all coming from my FTP, and no data of any kind is gathered (I don't even know how many people are using the app).
@liaizon
that means that this "desktop" app is actually downloading javascript on each launch and running it locally, granting remote code execution on my computer. that's *way* worse - it means that a compromise of your webserver can read and upload/steal any file on my computer. this is a security nightmare.
bundle the code into the desktop application, and do not make any connections on launch other than to the configured homeserver. you're opening your users up to compromise
@sneak
PLEASE ASK.
The Electron build is set to load the page in an isolated way for this very reason. It doesn't have access to the Node.js aspect of Electron and thus, the computer.
I've done this so that I can use the auto-update capability of PWA, and having only one code base to manage.
Also, it's not mandatory to use the Electron build; I only provide it because some people find it convenient.
@liaizon
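Editor's note, not part of any post in this thread and not code from the Sengi project: the isolation the author describes corresponds to Electron's `webPreferences` on a `BrowserWindow`. The added example below puts the configuration that would let a remote page reach Node.js next to a hardened one, adds a small audit function for the settings that matter, checks that the app origin is HTTPS (the URL given above is plain `http://`, so anyone on the network path could swap the code regardless of isolation), and keeps navigation pinned to the app origin. All URLs, paths and function names are placeholders; the Electron wiring only runs inside Electron and is skipped under plain Node.

```javascript
// Added example (not the Sengi project's code). Placeholder URLs and paths.

// What a remote page must never get: with nodeIntegration on and no context
// isolation, any JS the server ships can require('fs') and read or upload
// local files, which is the failure mode discussed in the thread.
function insecureWebPreferences() {
  return { nodeIntegration: true, contextIsolation: false, sandbox: false, webSecurity: false };
}

// Hardened: the renderer is a plain browser sandbox. Only the preload script
// (shipped in the app bundle, not fetched from the server) can reach the main
// process, and only through what it exposes via contextBridge.
function hardenedWebPreferences(preloadPath) {
  return {
    nodeIntegration: false,
    nodeIntegrationInWorker: false,
    nodeIntegrationInSubFrames: false,
    contextIsolation: true,
    sandbox: true,
    webSecurity: true,
    allowRunningInsecureContent: false,
    experimentalFeatures: false,
    preload: preloadPath, // placeholder path, bundled with the app
  };
}

// Audit a webPreferences object; returns human-readable findings. Safe values
// are required explicitly so the verdict does not depend on Electron defaults.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration !== false) findings.push('nodeIntegration must be false: remote JS could require() Node modules');
  if (prefs.nodeIntegrationInWorker === true) findings.push('nodeIntegrationInWorker must be false');
  if (prefs.nodeIntegrationInSubFrames === true) findings.push('nodeIntegrationInSubFrames must be false');
  if (prefs.contextIsolation !== true) findings.push('contextIsolation must be true: page JS would share a world with the preload');
  if (prefs.sandbox !== true) findings.push('sandbox must be true: renderer is not OS-sandboxed');
  if (prefs.webSecurity === false) findings.push('webSecurity disabled: same-origin policy is off');
  if (prefs.allowRunningInsecureContent === true) findings.push('allowRunningInsecureContent enabled');
  if (prefs.enableRemoteModule === true) findings.push('enableRemoteModule enabled: page can drive main-process objects');
  return findings;
}

// Code fetched over plain HTTP can be replaced in transit; the origin must be HTTPS.
function auditRemoteUrl(appUrl) {
  const u = new URL(appUrl);
  return u.protocol === 'https:' ? [] : [`app is loaded over ${u.protocol} instead of https:`];
}

// True only if the target stays on the configured app origin; used by the
// will-navigate handler so the window cannot be steered to another site.
function isAllowedNavigation(targetUrl, allowedOrigin) {
  try {
    return new URL(targetUrl).origin === new URL(allowedOrigin).origin;
  } catch {
    return false;
  }
}

// Electron wiring (Electron's BrowserWindow / shell APIs, passed in for testability).
function createWindow(electron, appUrl, preloadPath) {
  const { BrowserWindow, shell } = electron;
  const win = new BrowserWindow({ webPreferences: hardenedWebPreferences(preloadPath) });
  win.webContents.on('will-navigate', (event, url) => {
    if (!isAllowedNavigation(url, appUrl)) event.preventDefault();
  });
  win.webContents.setWindowOpenHandler(({ url }) => {
    if (isAllowedNavigation(url, appUrl)) return { action: 'allow' };
    if (/^https?:$/.test(new URL(url).protocol)) shell.openExternal(url); // foreign web links go to the system browser
    return { action: 'deny' };
  });
  win.loadURL(appUrl);
  return win;
}

if (process.versions && process.versions.electron) {
  const electron = require('electron');
  const path = require('path');
  const APP_URL = 'https://app.example.invalid/'; // placeholder
  electron.app.whenReady().then(() => createWindow(electron, APP_URL, path.join(__dirname, 'preload.js')));
}

if (typeof module !== 'undefined') {
  module.exports = { insecureWebPreferences, hardenedWebPreferences, auditWebPreferences, auditRemoteUrl, isAllowedNavigation, createWindow };
}
```

Running `auditWebPreferences(insecureWebPreferences())` under plain Node lists four findings; the hardened object lists none. Note that isolation alone does not address the consent point raised in the thread: even a fully sandboxed renderer still executes whatever the server sends on each launch, so a compromised server or an HTTP-path attacker controls what the app does inside its sandbox.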
auto updates without user consent are RCE! what part of this aren't you getting? if i compromise your webserver i can take over the client with malicious code.
@sengi_app @liaizon just because a desktop app is "not mandatory" doesn't make it okay to make it do things the user doesn't want. i downloaded this app and ran it, and it connected to your server to download stuff. why is that okay? i didn't want that code, i wanted the code i downloaded from github.
you need to learn about user consent.
@sengi_app @liaizon yup, you're right, that's how the web works. that's not how desktop software works. downloading and running desktop software is not consent to download and execute arbitrary code i've never seen before.
@loosy @liaizon @sengi_app that's caused by it being a downloadable .app bundle, not me.
@sneak
If you are that sensitive to what you're using on your computer, maybe you should read at least the Readme on the official repository before making any assumptions and crying after that.
I do my best to be as transparent as possible, I do know the stack won't fit for everyone, but it's the one I chose.
There are a lot of other apps doing the same thing out there, nothing tricky.
@loosy @liaizon