I've been looking for something to help the navidrome server do its thing, and this looks awesome, but there is one issue that was just opened and closed yesterday, it looks a little sus?

how does one go about digging through and discovering if this is malicious or not?

  • Bakkoda@lemmy.world · 2 up · 18 hours ago

    I had starred it but I just don’t need that much of a stack for music suggestions. MySQL and Redis? Just seems like massive overkill.

    Sonobarr is ugly but its footprint is the same as my fuckin log viewer and it just pulls from lidarr/lastfm/listenbrainz. It’s got an “AI” option disabled by default but i didn’t use that.

  • BruisedMoose@piefed.social · 13 up · 1 day ago

    I understand recommendations, but I don’t want anything just auto inserting music into my library. I curate my library. I want to intentionally add to it. Half the joy in finding new artists is whatever led you to that moment.

    This might just be an old man talking though.

    • 🔰Hurling⚜️Durling🔱@lemmy.world · 5 up · 1 day ago

      Same but I often forget about one hit bands that made “that song” that just rocks and it was super easy to build playlists with recommendations from Spotify. Also, per the readme of the repo, you don’t have to use Lidarr and it will just do recommendations.

    • fleem@piefed.zeromedia.vip (OP) · 1 up · edited · 1 day ago

      i feel that wholeheartedly. This is a piece* of the reason why it took me so long to embrace the arrs.

      Once I got it working nice and good, I realized that it wasn’t so much about the hunt for the treasure as much as it was just being in control of (or rather, just out of the control of the aforementioned) everything else implied with the current corpo infra.

      what about having navidrome use another “library” that is some manner of separated from the main?

      edit typo. ew

      • BruisedMoose@piefed.social · 1 up · 1 day ago

        That’s not a terrible idea. I do the same with Christmas music and have been considering a separate library for live stuff as well.

    • non_burglar@lemmy.world · 2 up · 23 hours ago

      I used lastfm until about 2015, listenbrainz is way better.

      Last.fm is complete trash now that it’s under new ownership. They will not listen to users who point out that artists with the same name are mixed into one artist.

      Biosphere is one example, check the shouts. No one wants to hear terrible chiptune music when they’re trying to listen to ambient.

  • WxFisch@lemmy.world · 14 up · 2 days ago

    This was posted here yesterday by the dev. Overall the reaction seems positive.

    From a quick look through the repo it looks pretty legit; it’s a lot of effort to create something that works, with all the documentation (including a lot of planning docs), just to collect data on you. Traffic to various IPs, foreign or otherwise, wouldn’t really be odd for an app like this either. You could try and run it through something like virustotal though to look for malicious code (there are more than a few docker scanning tools on GitHub that use virustotal).

    • fleem@piefed.zeromedia.vip (OP) · 4 up · 2 days ago

      damnit, i didn’t check! i was uhh, enjoying my plantlife yesterday and i thought i caught this on the selfh*st weekly newsletter thing

      thanks for your info! virustotal sounds like something i should probably look into anyways!

  • just_another_person@lemmy.world · 24 up / 8 down · 2 days ago

    It’s a dumbass AI-powered recommendation engine with an awful GUI. That’s about it.

    As far as it being malicious, that’s really up to you.

    • ryokimball@infosec.pub · 24 up · 2 days ago

      Looks like on Reddit, the creator is blocking people from reporting things like sending data to foreign servers.

      • desentizised@lemmy.zip · 12 up · 1 day ago

        That was the red flag for me personally in terms of giving it a try. At the first accusation they said “the code is there, I have nothing to hide” (which is entirely fair) but then it devolved into (paraphrasing) “I took down issue reporting because people kept abusing it.”

        So assuming the best case scenario where the code is clean and it’s just a misunderstanding you’re still looking at a creator who is willing to censor the community they simultaneously seem particularly eager to reach by self-promoting their project. Not my jam.

  • frongt@lemmy.zip · 3 up · 2 days ago

    Several red flags here, but I put it in a vm and started it up with no external connection and I didn’t see any unusual traffic, though I didn’t decrypt TLS, just watched IPs and DNS.

  • i_stole_ur_taco@lemmy.ca · 4 up · 2 days ago

    I think the author literally released it like 2 days ago which is why there’s no issues or PRs yet.

    I installed it yesterday and have only fiddled around a little bit. I like that it pointed out a bunch of health issues with my Lidarr library and have been stuck on a side quest dealing with those.

    If you want to explore it and see if anything seems malicious to you, I’d focus on code making requests, and review the sub-dependencies to see if any look sus. It should live entirely in your network and shouldn’t be making any external requests outside your server apart from the connections you set up (like last.fm).
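Both frongt’s approach above (watch IPs and DNS from a VM, no TLS decryption) and the advice in this comment boil down to one question: does every outbound connection go somewhere you set up yourself? The script below is an added example, not code from the project or from anyone in the thread; it reads a constructed capture in an assumed one-line-per-event format, and the allowed host names are placeholders for whatever scrobbling services you actually configured.

```python
import ipaddress
import re

# Services the operator deliberately configured for scrobbling (assumed names;
# swap in whatever you actually connected).
ALLOWED_HOSTS = {"ws.audioscrobbler.com", "api.listenbrainz.org"}
# Destinations inside the home network (RFC 1918 ranges plus loopback).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed log format: one line per DNS answer or per new outbound connection.
DNS_RE = re.compile(r"dns q=(?P<name>\S+) a=(?P<ip>\S+)")
CONN_RE = re.compile(r"conn dst=(?P<ip>[0-9.]+):(?P<port>\d+)")

# Constructed sample capture; 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_LOG = [
    "dns q=ws.audioscrobbler.com a=203.0.113.10",
    "conn dst=192.168.1.20:8686",  # Lidarr on the LAN
    "conn dst=203.0.113.10:443",   # last.fm, resolved by name above
    "conn dst=198.51.100.7:443",   # no DNS lookup at all: hard-coded IP?
    "dns q=cdn.example.net a=203.0.113.55",
    "conn dst=203.0.113.55:443",   # resolved, but nobody configured it
]

def classify(lines, allowed=ALLOWED_HOSTS):
    """Return (verdict, ip, hostname_or_None) for every outbound connection."""
    resolved = {}  # answer IP -> queried name, built from the DNS lines seen
    verdicts = []
    for line in lines:
        if m := DNS_RE.search(line):
            resolved[m.group("ip")] = m.group("name")
        elif m := CONN_RE.search(line):
            ip = m.group("ip")
            name = resolved.get(ip)
            if any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS):
                verdicts.append(("local", ip, name))
            elif name in allowed:
                verdicts.append(("expected", ip, name))
            else:
                # Covers both "resolved to something unconfigured" and
                # "never resolved at all"; no TLS decryption needed for this.
                verdicts.append(("unexpected", ip, name))
    return verdicts

def unexpected_destinations(lines, allowed=ALLOWED_HOSTS):
    """The destinations worth asking the maintainer about."""
    return [(ip, name) for v, ip, name in classify(lines, allowed) if v == "unexpected"]

if __name__ == "__main__":
    for verdict, ip, name in classify(SAMPLE_LOG):
        print(f"{verdict:10} {ip:15} {name or '(no DNS answer seen)'}")
```

A connection with no preceding DNS answer is the case worth a second look, since a hard-coded address never shows up in a DNS-only watch.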

    • fleem@piefed.zeromedia.vip (OP) · 17 up · 2 days ago

      the reason i pumped the brakes was an issue filed yesterday by a brand new user and closed by the owner, asking why it was sending a bunch of network requests somewhere random. then it was edited for content and the name of the issue was changed by the owner and closed.

      my spidey sense pricked up? but I’m just an old stoned n00b so i wanted to hear what the old stoned wizards thought

        • fleem@piefed.zeromedia.vip (OP) · 1 up · 23 hours ago

          Welp, that issue has “officially” been deleted, as well as a followup issue asked by another person asking about that first issue feeling fishy.

          • hoppolito@mander.xyz · 2 up · 22 hours ago

            While a full ‘deletion’ of such an issue is certainly unfortunate, I can kind of see how it gets to such a decision point.

            You’re creating some software in the open, decide to ping some communities on reddit/lemmy and all of a sudden it seems like a disgruntled brigade is breaking down your door while you just wanted to show them the garden.

            What for us looks like earnest sleuthing can feel like abuse/harassment from the other side simply due to the asymmetrical nature of the internet.

            Would have probably still preferred a closed issue instead, but having a couple ‘niche-successful’ repos on github myself - I can at least certainly empathise.

      • i_stole_ur_taco@lemmy.ca · 7 up · 2 days ago

        Ohh that’s suspicious. I’m going to kill mine for now and take a look later tonight. I’ll report back if I find anything interesting!

        • i_stole_ur_taco@lemmy.ca · 8 up / 6 down · 2 days ago

          Ok, so I ran the repo through an LLM to look for any suspicious requests, and it came back clean.

          But it’s hella suspicious that the repo owner edited away the issue and closed it without a response.

          It’s also hella suspicious that the user that reported that issue created their account yesterday.

          I think I need to go the nuclear option: pop a gummy and monitor the network traffic of the container and see what it’s doing.

          • fleem@piefed.zeromedia.vip (OP) · 5 up · 2 days ago

            o7 godspeed! i appreciate your effort. the spirit of this project does sound so cool so i was a little heartbroken.

            enjoy the edible!

            • i_stole_ur_taco@lemmy.ca · 3 up / 2 down · 2 days ago

              Well that was fun! I’m confident this project isn’t malicious. It’s for sure coded using AI, and I think that’s what triggered a smear campaign. This removed Reddit post looks like there is just a downvote brigade out to get the project because the author admitted to using AI.

              The only network traffic it’s made when I monitored it was local. Certainly nothing went to Asia.

              I think it tries to solve a neat problem. There’s so many features packed in that it’s obviously vibe coded. That’s probably a huge turn off for AI detractors. If you don’t care about that, I think you’re safe to give it a try.

  • Decronym@lemmy.decronym.xyz (bot) · 6 up / 4 down · edited · 18 hours ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    DNS: Domain Name Service/System
    IP: Internet Protocol
    SSL: Secure Sockets Layer, for transparent encryption
    TLS: Transport Layer Security, supersedes SSL

    [Thread #985 for this comm, first seen 6th Jan 2026, 03:35]