Submitted 3 weeks ago by fleem@piefed.zeromedia.vip to selfhosted@lemmy.world
https://github.com/aquantumofdonuts/mixarr
Ive been looking for something to help the navidrome server do its thing, and this looks awesome, but there is one issue that was just opened and closed yesterday, it looks a little sus?
how does one go about digging through and discovering if this is malicious or not?
I understand recommendations, but I don’t want anything just auto inserting music into my library. I curate my library. I want to intentionally add to it. Half the joy in finding new artists is whatever led you to that moment.
This might just be an old man talking though.
Same but I often forget about one hit bands that made “that song” that just rocks and it was super easy to build playlists with recommendations from Spotify. Also, per the readme of the repo, you don’t have to use Lidarr and it will just do recommendations.
i feel that wholeheartedly. This is a peace of the reason why it took me so long to embrace the arrs.
Once I got it working nice and good, I realized that it wasn’t so much about the hunt for the treasure as much as it was just being in control of (or rather, just out of the control of the preforementioned) everything else implied with the current corpo infra.
what about having navidrome use another “library” that is some manner of separated from the main?
That’s not a terrible idea. I do the same with Christmas music and have been considering a separate library for live stuff as well.
This was posted here yesterday by the dev. Overall the reaction seems positive.
A quick look through the repo it looks pretty legit, it’s a lot of effort to create something that works, with all the documentation (including a lot of planning docs) just to collect data on you. Traffic to various IPs, foreign or otherwise, wouldn’t really be odd for an app like this either. You could try and run it through something like virustotal though to look for malicious code (there are more than a few docker scanning tools on GitHub that use virustotal).
damnit, i didn’t check! i was uhh, enjoying my plantlife yesterday and i thought i caught this on the selfh*st weekly newsletter thing
thanks for your info! virustotal sounds like something i should probably look into anyways!
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| DNS | Domain Name Service/System |
| IP | Internet Protocol |
| SSL | Secure Sockets Layer, for transparent encryption |
| TLS | Transport Layer Security, supersedes SSL |
[Thread #985 for this comm, first seen 6th Jan 2026, 03:35] [FAQ] [Full list] [Contact] [Source code]
I think the author literally released it like 2 days ago which is why there’s no issues or prs yet.
I installed it yesterday and have only fiddled around a little bit. I like that it pointed out a bunch of health issues with my Lidarr library and have been stuck on a side quest dealing with those.
If you want to explore it and see if anything seems malicious to you, I’d focus on code making requests, and review the sub-dependencies to see if any look sus. It should live entirely in your network and shouldn’t be making any external requests outside your server apart from the connections you set up (like last.fm).
the reason i pumped the brakes, was an issue filed yesterday by a brand new user and closed by the owner. asking why it was sending a bunch of network requests somewhere random. then it was edited for content and the name of the issue was changed by the owner and closed.
my spidey sense pricked up? but I’m just an old stoned n00b so i wanted to hear what the old stoned wizards thought
Ohh that’s suspicious. I’m going to kill mine for now and take a look later tonight. I’ll report back if I find anything interesting!
Issue in question: github.com/aquantumofdonuts/mixarr/issues/7
Just use Last.fm
I used lastfm until about 2015, listenbrainz is better.
Last.fm is complete trash now that it’s under new ownership. They will not listen to users who point out that artists with the same name are mixed into one artist.
Biosphere is one example, check the shouts. No one wants to hear terrible chiptune music when they’re trying to listen to ambient.
funny recommendation in a selfhosted community
Fair, but I haven’t found anything that is useful whatsoever that I can self host.
Several red flags here, but I put it in a vm and started it up with no external connection and I didn’t see any unusual traffic, though I didn’t decrypt TLS, just watched IPs and DNS.
I had starred it but I just don’t need that much of a stack for music suggestions. Mysql and redis? Just seems like massive overkill.
Sonobarr is ugly but it’s footprint is the same as my fuckin log viewer and it just pulls from lidarr/lastfm/listenbrainz. It’s got an “AI” option disabled by default but i didn’t use that.
just_another_person@lemmy.world 3 weeks ago
It’s a dumbass AI-powered recommendation engine with an awful GUI. That’s about it.
As far as it being malicious, that’s really up to you.
ryokimball@infosec.pub 3 weeks ago
Looks like on Reddit, the creator is blocking people from reporting things like sending data to foreign servers.
fleem@piefed.zeromedia.vip 3 weeks ago
the closed issue speaks of that!
desentizised@lemmy.zip 3 weeks ago
That was the red flag for me personally in terms of giving it a try. At the first accusation they said “the code is there, I have nothing to hide” and then it devolved into (paraphrasing) “I took down issue reporting because people kept abusing it.”
So assuming the best case scenario where the code is clean and it’s just a misunderstanding you’re still looking at a creator who is willing to censor the community he simultaneously seems particularly eager to reach by self-promoting his project. Not my jam.