

Yeah, that’s enough to not have it exposed directly. I understand why they did it that way but very good to know, thanks!
I keep hearing claims that it’s not secure enough to be exposed on the Internet, but I can’t seem to find anything about unauthenticated vulnerabilities. It’s got a fair amount of CVEs but they all seem to affect when you’re an already authenticated user, mainly to XSS an admin as a regular user or the likes.
It’s written in C#, and publicly all you can do is pretty much attempt to log in, this feels like it should be pretty sane compared to some other PHP crap I run.
Do you have any examples of previous exploits or anything else to be concerned about?
The language itself has gotten a bit better. It’s not amazing but it’s decent for a scripting language, and very fast compared to most scripting languages. TypeScript can also really help a lot there, it’s pretty good.
It’s mostly the web APIs and the ecosystem that’s kinda meh, mostly due to its history.
But what you dislike has nothing to do with JavaScript but just big corpo having way too many developers iterating way too fast and creating a bloated mess of a project with a million third-party dependencies from npm. I’m not even making this up, I’ve legit seen a 10MB unit test file make it into the production bundle in a real product I consulted on.
You don’t have to use React or Svelte or any of the modern bloated stuff nor any of the common libraries. You can write plain HTML and CSS and a sprinkle of JavaScript and get really good results. It’s just seen as “bad practice” because it doesn’t “webscale”, but if you’re a single developer it’s perfectly adequate. And the reality is short of WebAssembly, you’re stuck with JS anyway, and WASM is its own can of worms.
And even then, React isn’t that bad. There’s just one hell of a lot of very poorly written React apps, in big part because it will let you get away with it. It’s full of footguns loaded with blanks, but it’s really not awful if you understand how it works under the hood and write good code. Some people are just lazy and import something and you literally load the same data in 5 different spots, twice if you have strict mode enabled. I’ve written apps that load instantly and respond instantly even on a low end phone, because I took the time to test it, identify the bottlenecks and optimize them all. JavaScript can be stupid fast if you design your app well. If you’re into the suckless philosophy, you can definitely make a suckless webapp.
What you hate is true for most commercial software written in just about any language, be it C, C++, Java, C#. Bugs and faster response times don’t generate revenue, new features and special one-off event features generate much much more revenue, so minor bugs are never addressed for the most part. And of course all those features end up effectively being the 90% bloat you never use but still have to load as part of the app.
Is it directly exposed over the Internet? If you only port forward the VPN on your router, I wouldn’t worry about it unless you’re worried about someone else already on your LAN.
And even then, it’s really more like an extra layer of security against accidentally running something exposed publicly that you didn’t intend to, or maybe you want some services to only be accessible via a particular private interface. You don’t need a firewall if you have nothing to filter in the first place.
A machine without a firewall that doesn’t have any open port behaves practically the same from a security standpoint: nothing’s gonna happen. The only difference is the port showing as closed vs filtered in nmap, and the server refusing to send any response, not even a rejection, but that’s it.
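The closed-vs-filtered distinction in the comment above, as an added example that is not the commenter’s code: a small connect-style probe (what nmap -sT does) that classifies a port by whether the kernel answers with RST (closed), never answers or returns an ICMP error (filtered), or completes the handshake (open). The local listener and the unused port it probes are constructed for the demo, and the 2 second timeout is an assumption.

```python
import socket
from contextlib import closing


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP port roughly the way an nmap connect scan (-sT) would.

    "open":     the three-way handshake completed, something is listening.
    "closed":   the host answered with RST (ECONNREFUSED). Nothing is filtering
                the packet; the kernel simply has no listener on that port.
    "filtered": no answer within the timeout (a DROP rule swallowed the SYN),
                or an ICMP unreachable came back instead of SYN/ACK or RST.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)  # assumed default of 2s; LAN hosts answer far faster
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except (TimeoutError, socket.timeout):
            return "filtered"
        except OSError:
            # EHOSTUNREACH / ENETUNREACH: an ICMP error, nmap also reports this as filtered
            return "filtered"
        return "open"


def demo() -> dict:
    """Constructed local demo: one listening socket and one port nobody listens on."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 = let the kernel pick a free one
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Grab a second ephemeral port and release it, so we know it is closed, not filtered.
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as tmp:
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]

    try:
        return {
            "open": probe_tcp("127.0.0.1", open_port),
            "closed": probe_tcp("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

Point it at a LAN host with a DROP firewall and the same unused port comes back “filtered” instead of “closed”; from the attacker’s side that is the whole difference the comment describes. One caveat: a firewall configured to REJECT with tcp-reset sends the same RST as a bare kernel, so that case shows up as “closed” too.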
Yep, and I’d guess there’s probably a huge component of “it must be as easy as possible” because the primary target is selfhosters that don’t really even want to learn how to set up Docker containers properly.
The AIO Docker image is an abomination. The other ones are slightly more sane but they still fundamentally mix code and data in the same folder so it’s not trivial to just replace the app.
In Docker, the auto updater should be completely neutered, it’s the wrong way to update the app.
The packages in the Arch repo are legit saner than the Docker version.
The bible.
It’s unfortunately been distorted a lot with translations over time, but it was originally a story about morals in a world of greed.
If Jesus came back he would be crucified again for being too “woke”.