Hey sorry for the delay, dealing with a lot right now, but I didn't forget about it.
1 - Fixed this, the api key is now only forwarded if the destination hostname matches the plugin's stored url.
2 - As I was saying, the allowlist is opt-in by design (null = allow all), and plugins legitimately need to make arbitrary outbound requests. Enforcing it globally would break the plugin system.
3 - Fixed this, it was quite simple
4 - I have added an env var (DEGOOG_DISTRUST_PROXY), if set to true it'll make it so all users share the same rate limit regardless of their IPs, I left it as an opt in as most users currently running it are only keeping it private behind their own in house reverse proxies. This will be handy for a public instance for example
5 - Extension settings modal now correctly sends x-settings-token on save.
6 - As I said, auth is intentionally lax until a more structured auth system is added, may need to be a few weeks after stable is live, after all there's no real auth and the setting password protected and private view should be secure enough as it is
btw all this is not live yet, it'll be sent live with the next release ♥
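The check described in point 1 above, sketched as an added example (this is not degoog's own code). The function names, the `plugin` object shape, the `x-api-key` header name and the `.test` hostnames are assumptions made for illustration.

```javascript
// Added example, not project code. All names here are hypothetical.

// Parse a URL and return its normalized hostname, or null if it cannot be trusted.
function normalizeHost(urlString) {
  let url;
  try {
    url = new URL(urlString); // relative or malformed input throws
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // The URL parser lowercases the hostname and separates userinfo from it,
  // so "https://api.example.test@evil.test/" yields "evil.test".
  // A single trailing dot names the same DNS host, so strip it.
  return url.hostname.replace(/\.$/, "");
}

// Forward the key only on an exact hostname match, never a prefix or suffix match.
function shouldForwardApiKey(storedUrl, destinationUrl) {
  const stored = normalizeHost(storedUrl);
  const dest = normalizeHost(destinationUrl);
  return stored !== null && dest !== null && stored === dest;
}

// Build outbound headers for a plugin request (assumed shape: { url, apiKey }).
function buildHeaders(plugin, destinationUrl) {
  const headers = { accept: "application/json" };
  if (shouldForwardApiKey(plugin.url, destinationUrl)) {
    headers["x-api-key"] = plugin.apiKey;
  }
  return headers;
}
```

Custom headers are re-sent when `fetch` follows a redirect on its own, so a caller using this check would request with `redirect: "manual"` and run it again for each hop.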
Thanks, I'll individually look into all of these ♥️
I'll say some of them are more conscious compromises for the sake of an open scalable system where third party extensions can truly edit anything (intentionally) and everything around Auth/secure cookie is also fairly lax due to the fact the Auth is just a protection for the settings (which literally stop the settings from being served by the client), in the moment I decide to add some more structured Auth system/maybe users I'll look into proper secure cookie handling.
This is an awesome report, thank you so much for sharing it!!!
degoog Dev here, definitely not vibecoded.
Would you be able to tell me all these whack of privacy issues? I thought I had everything covered, but if you found something concerning it'd be nice to know before I get it out of beta :)
Whilst you're generally right, Google does not have a history of suing open source projects and they very much care about optics in this specific aspect (at least so far and for now). Whilst I'm not a fan generally, it's undeniable how much they contribute to open source in general :) it's always good to give credits where credits are due as it's the kind of behaviour we want to encourage you know
I think it'd be a very bad look for a company the size of Google to file something against a tiny open source application.
Colors are slightly different, the word "Google" can't be copyrighted and it's an aggregator and not an engine, that said I do want to rebrand before going out of beta, mostly due to this being impossible to find when searching for it 😆
Well yeah, the absolute best way to make sure you get consistent results would be to privately selfhost this of course! There aren't enough public instances yet, hopefully more people step forward ♥️
Ha! I remember!
Yeah I tried to make theming as easy as possible, you'll see if you decide to make a custom theme!
One note about that list, I don't think I'd call "slopware" a project that decides to enable codepilot to initially scan code reviews 😆 that's what it says next to searxng, that list feels a little too strict and almost having some sort of agenda, I'd say 80% of the internet should be in there if we go by these criteria lol
I learned about whoogle the other day from a tweet, very different tech and principles overall, this is more of an alternative to searxng, but regardless, alternatives make the internet a better place ♥️🫡
Hey, not sure what you mean, it works perfectly fine as rootless.
Are you using docker or podman? Someone else had this issue with podman and we couldn't figure out why it was different for them.
Everyone else is running this as user 1000, which is what the standard compose requires?
YES please, if you could let me know if you figure this one out it'd be great, especially if it's due to podman so I can send a message in my discord for the other user who was struggling with it :)
Aw thank you so much for giving it a try and leaving such nice feedback ♥️
I am searching in a slightly different way than searxng, can't promise it'll work forever but for now it seems to be doing the trick ♥️ I have some more improvements to the search system coming with the next release as Bing does get blocked quite often for me.
P.s. have you been using any extensions? If so what's your fave so far? Haha
The issue with GitHub alternatives is the lack of runners/pipelines and restricting functionalities.
Gitlab is a good alternative but I use it for work and having two accounts juggling between work/personal projects is a recipe for disaster.
I spent a bit of time on codeberg and I am checking it out, happy to push the repo there too, but they don't seem to provide pipeline options, so I wouldn't be able to build the docker image there like I do on GitHub :)
Btw whilst I do believe in the whole Microsoft scraping projects to train AI regardless of licenses, I wouldn't say they are hostile towards open source. They actually are extremely for it, vscode is free and one of the best IDEs out there for example, GitHub free plan is VERY generous and they have a whole FREE coding academy with extremely in-depth courses on how to learn programming and various niche topics. And they integrated wsl to seamlessly run Linux commands within windows, which I never thought I'd see happen (been there for years, but I'm just giving you examples).
Thank you!
I mean, I am not trying to compete with Google, maybe when I release out of beta I'll let the community that's slowly creating around it decide a new name, we'll see ♥️ wouldn't be the first time I do that with my apps :)
Thank you so much!!
Let me know if you run into any issue, it's fairly stable for a beta, but I'm sure there's a ton of quirks that still need sorting ❤