Ive been looking for something to help the navidrome server do its thing, and this looks awesome, but there is one issue that was just opened and closed yesterday, it looks a little sus?
how does one go about digging through and discovering if this is malicious or not?
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System IP Internet Protocol SSL Secure Sockets Layer, for transparent encryption TLS Transport Layer Security, supersedes SSL
3 acronyms in this thread; the most compressed thread commented on today has 21 acronyms.
[Thread #985 for this comm, first seen 6th Jan 2026, 03:35] [FAQ] [Full list] [Contact] [Source code]
It’s a dumbass AI-powered recommendation engine with an awful GUI. That’s about it.
As far as it being malicious, that’s really up to you.
Looks like on Reddit, the creator is blocking people from reporting things like sending data to foreign servers.
That was the red flag for me personally in terms of giving it a try. At the first accusation they said “the code is there, I have nothing to hide” (which is entirely fair) but then it devolved into (paraphrasing) “I took down issue reporting because people kept abusing it.”
So assuming the best case scenario where the code is clean and it’s just a misunderstanding you’re still looking at a creator who is willing to censor the community they simultaneously seem particularly eager to reach by self-promoting their project. Not my jam.
the closed issue speaks of that!
Edit:
also thanks for braving reddit for us!
I had starred it but I just don’t need that much of a stack for music suggestions. Mysql and redis? Just seems like massive overkill.
Sonobarr is ugly but it’s footprint is the same as my fuckin log viewer and it just pulls from lidarr/lastfm/listenbrainz. It’s got an “AI” option disabled by default but i didn’t use that.
This was posted here yesterday by the dev. Overall the reaction seems positive.
A quick look through the repo it looks pretty legit, it’s a lot of effort to create something that works, with all the documentation (including a lot of planning docs) just to collect data on you. Traffic to various IPs, foreign or otherwise, wouldn’t really be odd for an app like this either. You could try and run it through something like virustotal though to look for malicious code (there are more than a few docker scanning tools on GitHub that use virustotal).
Just use Last.fm
funny recommendation in a selfhosted community
Fair, but I haven’t found anything that is useful whatsoever that I can self host.
I used lastfm until about 2015, listenbrainz is way better.
Last.fm is complete trash now that it’s under new ownership. They will not listen to users who point out that artists with the same name are mixed into one artist.
Biosphere is one example, check the shouts. No one wants to hear terrible chiptune music when they’re trying to listen to ambient.
I think the author literally released it like 2 days ago which is why there’s no issues or prs yet.
I installed it yesterday and have only fiddled around a little bit. I like that it pointed out a bunch of health issues with my Lidarr library and have been stuck on a side quest dealing with those.
If you want to explore it and see if anything seems malicious to you, I’d focus on code making requests, and review the sub-dependencies to see if any look sus. It should live entirely in your network and shouldn’t be making any external requests outside your server apart from the connections you set up (like last.fm).
the reason i pumped the brakes, was an issue filed yesterday by a brand new user and closed by the owner. asking why it was sending a bunch of network requests somewhere random. then it was edited for content and the name of the issue was changed by the owner and closed.
my spidey sense pricked up? but I’m just an old stoned n00b so i wanted to hear what the old stoned wizards thought
Issue in question: https://github.com/aquantumofdonuts/mixarr/issues/7
Welp, that issue has “officially” been deleted, as well as a followup issue asked by another person asking about that first issue feeling fishy.
While a full ‘deletion’ of such an issue is certainly unfortunate, I can kind of see how it gets to such a decision point.
You’re creating some software in the open, decide to ping some communities on reddit/lemmy and all of a sudden it seems like a disgruntled brigade is breaking down your door while you just wanted to show them the garden.
What for us looks like earnest sleuthing can feel like abuse/harassment from the other side simply due to the asymmetrical nature of the internet.
Would have probably still preferred a closed issue instead, but having a couple ‘niche-successful’ repos on github myself - I can at least certainly empathise.
I understand recommendations, but I don’t want anything just auto inserting music into my library. I curate my library. I want to intentionally add to it. Half the joy in finding new artists is whatever led you to that moment.
This might just be an old man talking though.
