Let the infighting begin! Trump hires the worst people and creates a toxic “vie for the king’s attention” atmosphere.
I wonder how many mooches he’ll last.
Yeah - calling the admin was definitely the right thing to do. Even involving the police was reasonable (the whole world would be jumping all over the teachers and admin if they ignored it and something happened).
But goddamn everything after that is a clusterfuck. This law is the perfect example of “well meaning but stupid” legislation that has side effects that were entirely foreseeable but somehow a “shock” to the people who voted for it.
“You can’t fire me, I quit.”
“we’re trying to stop the people who should know better from doing this, and if they do it, they should have more than a slap on the wrist.”
They’re 13 years old ffs, they can’t be expected to not say stupid things.
“I don’t know whose level of trauma is going to be the greatest: the kids in the classroom wondering if there’s an active shooter roaming their halls or a kid that didn’t know better and says something like that and gets arrested,
Or the trauma of the kids who saw a classmate arrested for having a bunny plushie in his bag.
In the first six weeks of the school year, 18 kids were arrested for making threats of mass violence.
Sweet Jesus! What the fuck are you doing Tennessee?? This is madness!
It’s going to be the irs, epa, fda, etc. Things that are chronically underfunded and provide tangible value but which also annoy rich fucks.
The likelihood of a risk in this proxy might be medium or even high according to you
It might be zero. It’s “unknown” (according to me I guess).
I’ve dug into the code a bit out of curiosity - it seems to me that “proxy” is a misnomer. It’s a stripped-down “view” layer built on top of the API. But has the same endpoints as the main immich app for shared things so that you can create links that work with it so it kinda looks like a proxy. But it’s just a “simplified public view” of sorts.
Meh.
I like to judge software based on its actual merit and not on the theoretical possibility it is vulnerable
This is literally the entire justification for the project. It’s assuming theoretical vulnerabilities in Immich.
I am not saying I would trust this software in a security critical situation
Which is the point of this software (security critical situation).
just that your speculation means nothing
This project has zero community support. That’s not speculative, it’s a fact. “Every project starts somewhere” is just a tautology that means nothing. Every project that fails starts somewhere.
Do you often recommend people running single-developer maintained software that has existed for about a fortnight for “security purposes”?
It’s some rando’s project that has existed for “nearly a month”, has no community, is unlikely to have any rapid response to any issues, and probably won’t be supported for more than a year.
But sure - go ahead and run it for “security purposes”.
You can “reduce surface area” by simply putting in place nginx or apache (real supported software) and blacklisting the endpoints you don’t like.
Kinda - It’s the only reason I bothered to reply to anyone. :-)
Removed by mod
And it adds its own “attack surface”.
Removed by mod
Proxies are not used for security by anyone but morons. Firewalls, WAFs, etc. all provide some sort of benefit. What is this application doing that is of use? Just “not exposing your server directly”? Well, it is being exposed directly now - so it’s a very secure application written by a security professional then? Or should I put it behind another proxy just to be sure? Maybe 7 proxies are enough?
OP is well meaning - but this was a waste of time for anyone else to use. It’s a solution in search of a problem.
Removed by mod
Like by reducing the attack surface on internal APIs?
This is my other favorite term the community has picked up and uses like it’s a mic drop without understanding it.
It’s a proxy my friend. It forwards requests to the other server. And you’ve added an untested personal project in front of it.
But wait! You don’t want to just expose your immich proxy to the internet do you? I’ll write DavesAwesomeProxy that you can put in front of that proxy! Will it be secure? Maybe. Will I support it? What’s with all the questions!
Put it on a different server then. It prevents your Immich server from ever needing to be exposed publicly. That’s the entire point.
This is stupid.
Repeat after me - proxies are not used for security.
This is a cargo-cult belief in this community. There’s a weird sense that it’s “dirty” to have a server exposed “directly” to the internet. But if I put it behind something else that forwards traffic to the server then that’s somehow safe!
Security is something you do, not something you have. The false sense of security with proxy bullshit like this crappy project is not giving you anything. You’re taking a well supported community project (immich) and installing another app in front of it which appears to be some dude’s personal project and telling me that is more secure. As though that project is better written?
Install immich. Forward ports to it (or proxy it with nginx if needed for hostname routing (but don’t expect this to be more secure)), and keep it up to date and use good passwords.
BUT AT LEAST THE DEMOCRATS LEARNED A LESSON RIGHT LEFTISTS???