Docker Hub's trust signals are a lie — and Huntarr is just the latest proof

$$3411
https://lemmy.ml/u/dendrite_soup posted on Feb 24, 2026 00:53

The Huntarr situation (score 200+ and climbing today) is getting discussed as a Huntarr problem. It’s not. It’s a structural problem with how we evaluate trust in self-hosted software.

Here’s the actual issue:

Docker Hub tells you almost nothing useful about security.

The ‘Verified Publisher’ badge verifies that the namespace belongs to the organization. That’s it. It says nothing about what’s in the image, how it was built, or whether the code was reviewed by anyone who knows what a 403 response is.

Tags are mutable pointers. huntarr:latest today is not guaranteed to be huntarr:latest tomorrow. There’s no notification when a tag gets repointed. If you’re pulling by tag in production (or in your homelab), you’re trusting a promise that can be silently broken.

The only actually trustworthy reference is a digest: sha256:.... Immutable, verifiable, auditable. Almost nobody uses them.

The Huntarr case specifically:

Someone did a basic code review — bandit, pip-audit, standard tools — and found 21 vulnerabilities including unauthenticated endpoints that return your entire arr stack’s API keys in cleartext. The container runs as root. There’s a Zip Slip. The maintainer’s response was to ban the reporter.

None of this would have been caught by Docker Hub’s trust signals, because Docker Hub’s trust signals don’t evaluate code. They evaluate namespace ownership.

What would actually help:

  • Pull by digest, not tag. Pin your compose files.
  • Check whether the image is built from a public, auditable Dockerfile. If the build process is opaque, that’s a signal.
  • Sigstore/Cosign signature verification is the emerging standard — adoption is slow but it’s the right direction.
  • Reproducible builds are the gold standard. Trust nothing, verify everything.

The uncomfortable truth: most of us are running images we’ve never audited, pulled from a registry whose trust signals we’ve never interrogated, as root, on our home networks. Huntarr made the news because someone did the work. Most of the time, nobody does.

https://lemmy.ml/post/43612224
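A worked example of the "pin by digest" advice in the post above. This is an added illustration, not code from the post or from the Huntarr project: it takes a small constructed compose file with made-up image names, classifies each `image:` reference as digest-pinned, tagged (still mutable) or floating (implicit or explicit `latest`), and rewrites a reference to its pinned form once you have the digest. Only the standard library is used; the digests and service names are constructed for the example.

```python
import re

# Constructed sample compose file for this example (hypothetical image names,
# not a real project's configuration). The radarr digest is a placeholder.
SAMPLE_COMPOSE = """\
services:
  huntarr:
    image: example/huntarr:latest
  sonarr:
    image: registry.example.net/arr/sonarr:4.0.10
  radarr:
    image: registry.example.net/arr/radarr@sha256:{digest}
  prowlarr:
    image: ghcr.io/example/prowlarr
""".format(digest="0123456789abcdef" * 4)

# `image:` value, with optional quotes and a trailing comment.
IMAGE_RE = re.compile(r'^\s*image:\s*["\']?([^"\'\s#]+)["\']?\s*(?:#.*)?$')
# A service name: exactly two-space indent under `services:`.
SERVICE_RE = re.compile(r'^  ([A-Za-z0-9_.-]+):\s*$')
# A well-formed OCI content digest.
DIGEST_RE = re.compile(r'^sha256:[0-9a-f]{64}$')


def parse_image_ref(ref):
    """Split an image reference into (name, tag, digest); absent parts are None."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A ':' after the last '/' separates the tag; before it, it is a registry port.
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        return ref[:colon], ref[colon + 1:], digest
    return ref, None, digest


def classify(ref):
    """Return 'pinned', 'bad-digest', 'tagged' or 'floating' for a reference."""
    _, tag, digest = parse_image_ref(ref)
    if digest is not None:
        return "pinned" if DIGEST_RE.match(digest) else "bad-digest"
    if tag is None or tag == "latest":
        return "floating"   # no tag (implicit latest) or explicit latest
    return "tagged"         # better, but the publisher can still repoint the tag


def audit_compose(text):
    """Yield (service, reference, verdict) for every image line in a compose file."""
    findings = []
    service = None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            service = m.group(1)
            continue
        m = IMAGE_RE.match(line)
        if m:
            findings.append((service, m.group(1), classify(m.group(1))))
    return findings


def pin_reference(ref, digest):
    """Rewrite `name[:tag]` as `name[:tag]@sha256:...`.

    The tag is kept for human readability; the runtime resolves by digest and
    ignores the tag once a digest is present.
    """
    if not DIGEST_RE.match(digest):
        raise ValueError(f"not a sha256 digest: {digest!r}")
    name, tag, _ = parse_image_ref(ref)
    base = name if tag is None else f"{name}:{tag}"
    return f"{base}@{digest}"


if __name__ == "__main__":
    for service, ref, verdict in audit_compose(SAMPLE_COMPOSE):
        print(f"{service:10} {verdict:10} {ref}")
```

To get the digest for a reference you are currently pulling by tag, `docker buildx imagetools inspect NAME:TAG` prints the manifest digest without pulling, and for an image already on disk `docker image inspect --format '{{index .RepoDigests 0}}' NAME:TAG` shows the pinned form. Pinning fixes what you run; it does not tell you whether that content is good, which is the gap the post's Sigstore/Cosign and reproducible-build points address.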

$$3806
https://lemmy.ca/u/pulverizedcoccyx posted on Feb 24, 2026 20:30
In reply to: https://lemmy.world/comment/22320303

One thing that sucks about that is you might miss an upgrade that needed to happen before a large version jump later. It’s pretty rare but I believe I’ve seen a container break like that and the upgrade was misery.

https://lemmy.ca/comment/21882993

$$3936
https://lemmy.world/u/porkloin posted on Feb 25, 2026 04:36
In reply to: https://piefed.social/comment/10270841

Fair! I’m not giving enough credit to the fact that some applications don’t really have another option than to run root for some dependencies

https://lemmy.world/comment/22333696

Wafrn.net admins on age verification

$$1887
https://piefed.kobel.fyi/u/squirrel posted on Feb 20, 2026 21:28

On the behalf of the admin and moderation team:

We will not add age-verification unless we will literally be force-shutdown if we don’t.

If we do, it will be a one-on-one call in which you show one of us – personally, on our actual phone numbers or signal or some shit – your ID and we just put a little mark on your profile saying “yep we verified”

we will not, at any point, ever build age-verification into the software nor rely on my butt to do it. We don’t fucking want your data, it’s a massive risk to have around.

If we can get by without it, we will simply not do it, even if we have to block some countries. The UK is not a “target market” for app.wafrn.net as we have no target market.

https://piefed.kobel.fyi/c/fediverse/p/104762/wafrn-net-admins-on-age-verification

$$6798
https://lemmy.world/u/breakingcups posted on Mar 3, 2026 20:45
In reply to: https://feddit.org/comment/11820933

I thought it was quite clear. Verifying your age with an alcohol purchase receipt is a dumb idea for a large variety of reasons, including ease of acquiring one, ease of copying images, ease of printing one yourself and the cumulative ease of doing all this without an actual adult willingly involved in your scheme. It is not nearly as foolproof as verifying government ID.

Of course, I’m against all invasive forms of age verification. Doesn’t mean I’m going to advocate for a really bad alternative either.

https://lemmy.world/comment/22458724

$$6803
https://feddit.org/u/Ulrich posted on Mar 3, 2026 20:58
In reply to: https://lemmy.world/comment/22458724

They’re both dumb ideas. That’s the point.

https://feddit.org/comment/11826094

Conversation

$$731
https://sh.itjust.works/u/blarg_dunsen posted on Feb 19, 2026 13:13
In reply to: https://thelemmy.club/post/44564913

Lemmy needs a Victoria. I wonder if Victoria would be keen to fill the role?

https://sh.itjust.works/comment/23859359

$$755
https://lemmy.zip/u/coaxil posted on Feb 19, 2026 13:51
In reply to: https://sh.itjust.works/comment/23859359

She was so darn good!

https://lemmy.zip/comment/24746364

$$949
https://lemmy.world/u/MithranArkanere posted on Feb 19, 2026 17:27
In reply to: https://thelemmy.club/post/44564913

Lemmy is arguably more Star Trek than Reddit. It only makes sense.

Wait. Is there an LCARS lemmy frontend? We could really use that.

https://lemmy.world/comment/22232622

Conversation

$$858
https://lemmy.dbzer0.com/u/irelephant posted on Feb 19, 2026 15:56
In reply to: https://thelemmy.club/comment/24830342

I think they’re talking about stuff like the holodomor or the uyghurs in china.

https://lemmy.dbzer0.com/comment/24511333

$$1328
https://lemmy.ml/u/BrainInABox posted on Feb 20, 2026 04:57
In reply to: https://lemmy.dbzer0.com/comment/24511333

Yeah, probably the South African white genocide too, right?

https://lemmy.ml/comment/24072361