• [object Object]@lemmy.ca
      5 days ago

      For posterity because I didn’t explain why/how it’s sketchy:

      • they just found a hardcoded key that skips all security that was in the wild for like two years
      • significant vibe coding means nobody actually understands the codebase. Hence not finding the backdoor key
      • some of the documentation is only in Chinese, which isn’t sketchy in itself, but given the backdoor key does seem fucking sketchy.
      • they have an X link you cannot remove from the admin console
      • the admin console has minor but stupid bugs: you can’t go from a bucket to the list of buckets, auth is janky, etc.

      Just because it’s got a good name doesn’t make it good pedigree (which is a bone I have with rustXYZ named projects). The fact nobody caught serious backdoors for years is damning.

      If you’re running this offline, it might be fine for you. I still run it inside my VPN behind auth but I’m looking to move off.