

That's like saying:
“The SSH Server configuration does not need to be secure because the SSH Server is turned off by default”




Yes, this is what we’re discussing… Are you a bot?
Obviously no. But you keep dodging the point here. And instead of coming up with an argument against my point, you seem to try to attack me personally.


In security and development there is a statement, called “secure by default”. That means the default settings are secure. This would encapsulate something like enforced Transport encryption.
Does this mean that the config cannot be changed to fit the threat model? No.


Not sure why you’ve chosen to be indignant about this particular implementation.
We are talking about a tracking app. Most self-hosted projects do not store such private data. You may make the argument for immich, but only for ppl who take a picture every 5 min.


If the target server is compromised or taken by LEA the data is gone.
Laying the responsibility into the hands of the user is not ok for such a data-aggregating service. Such highly critical, private and intimate data should be protected and secure by default.
Not even transport encryption is enforced in the project. At first glance, http is allowed on local connections?!? Generate a self-signed SSL cert on start and pin it in the app. Easy.
It is no excuse that other services do not follow these state-of-the-art protection measures.


I absolutely agree with you. Such private data should be End-To-End-Encrypted.
German: netcup.eu


Not every order providers receive is rightful or legal or even fulfills the requirements of the law, or the legal forms are just not filled out correctly by the officer or department.
Fighting does not really mean going to court, that would only really make sense for precedent, but more like “only do as much as you are required by law” and maybe “delay everything as much as you are allowed by law”.


Any legal hoster will have to give up the data to local LEA, eventually. I would rather go for a hoster that has proven to use encryption and is legally fighting any order they receive.


Sorry, but you have posted only 1 sentence about the project and not even a link to the project.
Additionally, with the scripts—basically “em dash”, which is really popular among LLM-generated texts, I get a bad feeling about it.


Is it standard practice to release the security updates on GitHub?
Yes.
And then the maintainers of the package on the package repository you use will release the patch there. Completely standard operation.
I recommend you to read up on package repositories on Linux and package maintainers etc.


The cli.
I have used management interfaces like Cockpit in the past but I do not really like it that much. I have e-mail notifications set up for updates via aptitude and monitor using Prometheus and Grafana and get additional notifications via prometheus alarm manager.
For an easy to use docker interface I use dockge, since I found it in this use case to be faster with a good, working, independent interface.
But for the Linux underneath, for all 10-20 servers I manage, CLI.


Do not go for server hardware, used consumer hardware is good enough for your use cases. Basically any machine from the last 5-10 years is powerful enough to handle the load.
Most difficult decision is on the GPU or transcoding hardware for your jellyfin. Do you want to be power efficient? Then go with a modern but low end Intel CPU, there you get quicksync as transcoding engine. If not, I would go for a low end NVIDIA GPU like the 1050ti or a newer one, and for example an old AMD CPU like the 3600.
For storage, it also depends on budget. Having a backup of your data is much more important than having redundancy. You do not need to backup your media, but everything that is important to you, like the photos in immich etc.
I would go SSD since you do not need much storage, a separate 500 GB drive for your OS and a 4 TB one for the data. This is much more compact and reduces power consumption, and especially for read heavy applications much more durable and faster in operation, less noise etc.
Ofc, HDDs are good enough for your use case and cheaper (factor 2.5-3x cheaper here).
Probably 8-16 GB RAM would be more than enough.
For any local redundancy or RAID I would always go ZFS.


By default this application allows, when adding a server, that the communication between the app and the server is not encrypted. This should be configured by default to enforce TLS encryption. If someone would want to disable this behavior and allow unencrypted communication, then this should take extra steps.
As I commented somewhere else, to say that since it is turned off it is secure by default, is like saying: “The SSH server is turned off by default so the configuration that comes with it does not need to be secure when shipped”
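
The policy argued for in the comments above (TLS required unless the user takes an extra step, plus a pinned self-signed certificate), as an added sketch that is not part of the thread or of the project's code. All names (`check_server_url`, `allow_cleartext`, `pin_matches`) are hypothetical, and the certificate bytes are a constructed placeholder, not a real certificate.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed placeholder; a real client would hash the DER bytes returned by
# ssl.SSLSocket.getpeercert(binary_form=True).
SAMPLE_DER_CERT = b"constructed-sample-certificate-bytes"


class InsecureServerError(ValueError):
    """Raised when a server entry would weaken transport security."""


def check_server_url(url: str, allow_cleartext: bool = False) -> str:
    """Accept https by default; http only when the user explicitly opted in."""
    # A bare "host:port" entry is treated as https, never as http.
    parts = urlsplit(url if "://" in url else "https://" + url)
    scheme = parts.scheme.lower()
    if not parts.hostname:
        raise InsecureServerError("no host in server URL")
    if scheme == "https":
        return parts.geturl()
    if scheme == "http":
        if allow_cleartext:
            return parts.geturl()
        raise InsecureServerError("cleartext http needs explicit opt-in")
    raise InsecureServerError(f"unsupported scheme: {scheme}")


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_hex: str) -> bool:
    """Compare the presented certificate against the pin stored in the app."""
    # Accept "AA:BB:..." or plain hex, in either case.
    normalized = pinned_hex.replace(":", "").strip().lower()
    presented = cert_fingerprint(der_cert)
    # Constant-time comparison on bytes.
    return hmac.compare_digest(presented.encode(), normalized.encode())
```
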