Yes, but in this case it's something that parses stuff received from the internet, not a calculator or a sudoku app. There's a tiny chance that a specially crafted email could be exploited. It's very unlikely that it would be explicitly targeted, as it's a niche app that now gets less than a download a day, but still, IMHO it's dangerous.
In the fdroid community I once recommended to everyone a 100% offline app that generated generic images for contacts without pictures, and because it was abandoned in 2018 I was downvoted by many who would say "what if an attacker with some top-tier social engineering skill persuaded you to use a specially crafted exploited image as a contact picture on your phone, then when you used this app to parse existing pictures, the 6-year-old image library would be exploited and your phone hacked??" - something that has the same probability as "what if on the same day you found a winning lottery ticket on the ground, a meteorite hit the ground, bounced back up all the stairs and hit you while you were waiting for the subway, pushing you into an incoming train?"
That's a valid point, though it looks like Popfile's installation instructions call for manually installing libraries, presumably current ones. I think it processes only text, not PDFs or images, which are traditional sources of vulnerabilities. I'm fairly certain it doesn't attempt to execute JavaScript. It is itself written in Perl, which is memory-safe.
It's worth considering security because there's so much malware out there trying to spread indiscriminately, but Popfile is less vulnerable than an Android app (which bundles its dependencies) or anything written in C (which is subject to all kinds of memory management bugs).