• angrywaffle@piefed.social · 7 up · 3 hours ago

    I’m desperate for a community driven review system for open source. We’re drowning in vibe-coded slop, and I honestly don’t have the time or a good slop detector to audit every tool I download. I know I should be checking under the hood, but the sheer volume of low-quality projects makes it impossible to keep up.

  • Rhys@lemmy.rhys.sh · 10 up · edited · 6 hours ago

    The fact we need to vet self hosted products from vibe coding is very disappointing. Like isn’t part of the point security through sovereignty?

    • traches@sh.itjust.works · 8 up · 7 hours ago

      I guess it was supposed to be a successor to the *arr stack (Radarr, Lidarr, Sonarr, etc). If you’re not familiar, they automate the downloading & organization process for movies, music, and TV.

      • ITGuyLevi@programming.dev · 4 up, 1 down · 5 hours ago

        I’m sure a successor will come around when room forms for one; I don’t know of a reason any of the core *arr stack should need one. If you know of one, don’t hesitate to share. I’m just not really aware of any; they are awesome to me.

        • Zanathos@lemmy.world · 2 up · 2 hours ago

          There was no reason for this in the first place in my opinion. The ONLY positive use I can see would be managing the whole *arr stack from one place, but I imagine you would still need to manage individual shows/movies/what have you if it wasn’t found in the first place.

          I have my stacks set up to auto upgrade and find missing stuff already. It’s literally built into their programming. I manage them individually and anything that isn’t found on my indexers I typically go out and find manually as needed (old or very obscure media).

          Not really sure what this bought anyone at all other than an extra layer of convenience?

  • irmadlad@lemmy.world · 48 up · 8 hours ago

    I don’t run 'arr anything, but that’s pretty wild.

    Yeesh, in the hour since this has been posted the developer has:

    • Made the /r/huntarr subreddit private
    • Wiped and deleted their Reddit account
    • Deleted the GitHub repo for Huntarr

  • Bakkoda@sh.itjust.works · 21 up · 7 hours ago

    Exposing any of the Arr stack to the internet is just bad practice in general IMO but bad actors will always be out there so it’s even more of a reason to practice good security.

    I used huntarr for a minute and found it utterly useless. Didn’t trigger searches like it said it was doing. Uninstalled it after about 5 minutes.

    • irmadlad@lemmy.world · 9 up, 1 down · 5 hours ago

      I’m not so much worried about ‘vibe coding’ as long as the dev actually knows the validity of the code presented in the LLM. At that point, the LLM becomes the assistant, not the dev itself. However, if I were to speculate, this dev team didn’t, got called on it, didn’t know how to respond or validate the code, so they closed up shop.

  • ZeDoTelhado@lemmy.world · 22 up · 8 hours ago

    That is some wild shit. Anyways, for anyone else somewhat new to all this: when hosting anything, try to stick to reputable projects first and always be wary of shady installation tactics (I believe yesterday someone posted about curl bash; this is just a single example). If you want to try something new (as in a brand new project), try it isolated first on some VM (Proxmox helps a lot with this). When you are confident and more people give an approval, then think about putting it on the main environment.

    • irmadlad@lemmy.world · 14 up · 8 hours ago

      try to stick to reputable projects 1st and be always wary of shady installation tactics

      One of the first things I look for is longevity and last updated/activity, and then I look at the issues posted and the responses. I like mature apps because I don’t possess the intelligence to audit code.

    • i_am_not_a_robot@discuss.tchncs.de · 1 up, 2 down · 5 hours ago

      curl bash is not as bad as people think. Nobody downloads and reverse engineers binary packages off of these websites before running them with the same permissions.
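
For readers weighing the curl-bash point raised in this thread, here is the pattern usually meant by the objection: save the installer to disk, check its digest against a value pinned from somewhere other than the download itself, read it, and only then run it. This is an added example, not code from this thread, from Huntarr, or from any other project named here. It assumes a POSIX shell with sha256sum or shasum available, and it constructs a stand-in installer file locally instead of fetching a real URL (the `cp` line is where `curl -fsSL URL -o FILE` would go).

```shell
#!/bin/sh
# Added example, not code from this thread or from any project it mentions:
# the "download, verify, read, then run" pattern as a stand-in for
# `curl URL | bash`. The installer script and its digest are constructed
# below so the example runs offline; in real use the script comes from the
# project and the expected digest from a channel other than the download
# itself (a release page or a signed checksums file).

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer FILE EXPECTED_DIGEST: succeed only when the digests match.
verify_installer() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_and_run SOURCE EXPECTED_DIGEST
# Save the script to disk first, check its digest, then run it. Because the
# whole file is on disk you can read it before it runs, and nothing executes
# from a half-downloaded stream. SOURCE is a local path in this example; with
# a real URL the cp line becomes: curl -fsSL "$src" -o "$tmp"
fetch_and_run() {
    src="$1"
    expected="$2"
    tmp=$(mktemp) || return 1
    cp "$src" "$tmp" || { rm -f "$tmp"; return 1; }
    if verify_installer "$tmp" "$expected"; then
        sh "$tmp"
        rc=$?
    else
        echo "digest mismatch, refusing to run $src" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# demo: a constructed installer, run once unmodified and once after the file
# behind the same path has changed while the pinned digest has not.
# Returns 0 when the unmodified copy runs and the changed copy is refused.
demo() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "installing example tool"\n' > "$dir/install.sh"
    pinned=$(sha256_of "$dir/install.sh")

    if fetch_and_run "$dir/install.sh" "$pinned" >/dev/null 2>&1; then
        unmodified_ran=1
    else
        unmodified_ran=0
    fi

    # Same path, different content: the pinned digest no longer matches.
    printf '#!/bin/sh\necho "installing example tool"\necho "an extra step nobody reviewed"\n' > "$dir/install.sh"
    if fetch_and_run "$dir/install.sh" "$pinned" >/dev/null 2>&1; then
        modified_ran=1
    else
        modified_ran=0
    fi

    rm -rf "$dir"
    [ "$unmodified_ran" -eq 1 ] && [ "$modified_ran" -eq 0 ]
}

demo && echo "pinned digest enforced: unmodified script ran, modified script refused"
```

The digest only helps if it is pinned from a source the installer's host cannot rewrite at the same time; a checksum printed on the same page as the download link is a weaker check than one from a signed release or a second channel. The other thing this buys over a pipe is the file itself: it can be opened and read before the `sh` line ever runs.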

  • gravitas@lem.ugh.im · 5 up, 2 down · 7 hours ago

    Wow, I literally just set up Huntarr last night. Guess I’ll make sure it’s only accessible on WireGuard.