I like to judge software based on its actually merit and not on the theoretical possibility it is vulnerable. It very well could be vulnerable, but without auditing it we are just speculating, which in the real world means nothing. Every project starts somewhere, without community, followers, and “5 years of support”. I am not saying I would trust this software in a security critical situation, just that your speculation means nothing.
And? It lowers the attack surface of Immich. Attack surface is about the surface, whatever an attacker can use to get leverage. This acts as an intermediate between Immich and a public viewer, controlling how a threat actor can access a private Immich server. It helps reduce external attack surface while increasing overall system complexity. Since the project is small, it is easy to audit the code.
Notesnook has a desktop app. Does it not work with self hosted implementation?
Hmm, you have typed words that I do not vibe with.
Cus there isnt a reason to change if you are already super familiar with pfSense. They basically do the same stuff.
In that case OPNsense does the exact same thing but with a more intuative GUI. It originally was a fork of pfSense.
Why?
This is true, the USA is better and it is invading your soul.
WebCord supports it.
Self hosting has the advantage of keeping your encrypted vault local and under your control.
Self-boting is against ToS. You have to be careful when interacting with the Discord API. Maybe there is a way to run the discord website to fetch text messages.
Generally, I think it is better to use a general server OS like Debian or Fedora instead of something specialized like Proxmox or Unraid. That way you can always choose the way you want to use your server instead of being channeled into running it a specific way (especially if you ever change your mind).
That is not how security works. You must protect against known and unknown attack vectors. I am only pointing out weaknesses of Docker and other linux containers that share the kernel with the host or/and run with Root. I’m not saying anything original or crazy, just read up on the security of these technologies and their limits. I am not a malware designer, I am a security researcher.
Look into gVisor and Kata Containers for info on how to improve the security of containers.
Here are some readings for you:
https://redlib.tux.pizza/r/docker/comments/eakd50/help_can_i_safely_run_malware_inside_a_container/
https://www.csoonline.com/article/1303004/vulnerabilities-in-docker-other-container-engines-enable-host-os-access.html
https://www.panoptica.app/research/7-ways-to-escape-a-container
https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
https://www.securityweek.com/leaky-vessels-container-escape-vulnerabilities-impact-docker-others/
https://www.cybereason.com/blog/container-escape-all-you-need-is-cap-capabilities
It is not speculation, it is reducing attack surface. Security is preemptive. Docker/Podman are not strong isolation solutions. Rare does not mean we shouldn’t protect against the chance of kernel vulnerabilities. The linux kernel around 30 million lines of code long and written in a memory unsafe language. Code isn’t safe just because we dont know the vulnerabilities, this is basic cybersec reasoning.
Idk how to decide what is safe or not, but as a warning, Docker containers can escape trivially and have access to the kernel.
VPNs are illegal in China.