librelad a27304a191 fix(distribution): harden the artifact apply pipeline (adversarial review)
A 4-lens adversarial security review of the Phase 2 applier raised 19 issues
and confirmed 17 after per-finding verification. All are trust-boundary (they
require the signing key), but several break the explicit "no code-exec, always
reversible, nothing-silent" contract, so all 17 are fixed:

Trust path — fail CLOSED, never misreport:
- lpFetchIndex now surfaces the real signature state (LP_INDEX_SIGSTATE);
  artifactApply REFUSES to mutate unless the index is actually verified, and
  _artifactFetchPayload refuses an unsigned payload. The read path still
  tolerates dev/unsigned but now says "UNSIGNED" instead of "Signed + verified".
- valid_until and index_serial are now MANDATORY + numeric in lpFetchIndex
  (missing = refuse) — closes the anti-withholding / anti-rollback fail-opens.

Injection / code-exec (defense in depth even for a signed payload):
- runFileWrite rootless branch no longer builds a `bash -c` shell string with the
  destination interpolated — it uses the argv form (like runFileOp), so a path
  with a quote can't inject a command as the install user. (shared-helper fix)
- op paths must match a safe-filename charset (no quotes/$/backtick/;/newline);
  set-config-key values and set-compose-image refs are charset-guarded too.
- content_b64 is validated as real base64 at precheck.

Reversibility / honest failure:
- dockerComposeUp now returns the real compose exit status (it always returned 0,
  so the updater's rollback gate AND the apply's start-failure detection were
  fail-open). (shared-helper fix)
- set-config-key undo captures the WHOLE config file (lossless) instead of a
  lossy re-parsed scalar; edit-only (rejects an absent key).
- _artifactReplayUndoFile returns non-zero if any inverse op fails; auto-rollback
  and revert now record "rollback-incomplete"/"revert-incomplete" + isError
  instead of falsely claiming success, and revert keeps the record for retry.
- applied-record write failure is checked — apply rolls back rather than leave an
  un-revertable change. System-scope regen failure is no longer swallowed.
- Writes are path-aware (configs/ -> runInstallWrite, container tree ->
  runFileWrite) so system-scope hotfixes write/restore correctly.
- Checked lazy-sourcing surfaces a clear error instead of a bare exit 127.

Unit-tested 35/35 (adds: command-sub value rejection, bad image-ref, invalid
base64, quote/metachar path-injection rejection, replay-failure reporting).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-31 20:47:18 +01:00
2026-05-21 20:37:54 +01:00

LibrePortal

Your own private corner of the internet — free, open, and yours.

LibrePortal is a self-hosted platform for running the apps you rely on, on your own server: one-click installs, a reverse proxy with automatic SSL, rootless Docker, optional VPN routing, and a clean web dashboard to manage it all.

⚠️ v0.1.0 — early days. Expect rough edges while things settle.

Why LibrePortal

Too many services today treat your data as theirs to take — quietly overstepping boundaries that should never have been crossed. LibrePortal grew out of frustration with that: it's a way to run the apps you depend on on your own server, where your data stays yours. Privacy here isn't a feature to toggle — it's the whole point.

Free & open — forever

The entire platform is free software under the GNU AGPLv3. Self-host it and you get everything — every feature, no paywalls, no telemetry. See our Promise for exactly what that means.

What you get

  • 📦 One-click self-hosted apps (Nextcloud, Vaultwarden, Jellyfin, Gitea, …)
  • 🔀 Traefik reverse proxy + automatic Let's Encrypt SSL
  • 🔒 Rootless Docker, CrowdSec, sane security defaults
  • 🛡️ Optional VPN routing (gluetun) for any app
  • 🖥️ A web dashboard to install, configure, back up, and monitor everything

Quick start

curl -fsSL https://get.libreportal.org/install.sh | sudo bash

This installs a versioned, checksum-verified release (Debian/Ubuntu, root). Put data on separate disks with --system-dir= / --containers-dir= / --backups-dir=.

The get.libreportal.org host is still being set up — until it's live, build a release and install from it locally (see the docs below).

Documentation

LibrePortal Connect (optional)

Self-hosting is free and complete. If you'd rather not fiddle with the tricky parts — like reaching your server from your phone, or keeping off-site backups — LibrePortal Connect will handle them for you. Here's the catch that makes us different: we work like a courier carrying a sealed box. We move your data between your devices and store backup copies, but it stays locked and you hold the only key — we can't open it, and we never run your apps for you. Everything we offer, you can also set up yourself for free. Our Promise spells out exactly where that line sits.

Contributing

PRs welcome — see CONTRIBUTING.md. We use a lightweight DCO sign-off (git commit -s), no CLA.

Acknowledgments

LibrePortal has been built from scratch since 2023. Its spark of inspiration was a small installer script from Brian McGonagill (OpenSourceIsAwesome): gitlab.com/bmcgonag/docker_installs. From that seed it grew start to finish — refined, extended, and refactored into the platform it is today.

License

GNU AGPLv3. What's open stays open.

Description
No description provided
Readme AGPL-3.0 12 MiB
Languages
Shell 45.2%
JavaScript 38.5%
CSS 11.6%
TypeScript 3.1%
HTML 1.5%