It’s for the notebook section, not the productivity section.
I just copied the information from the website.
Maybe you missed a post and that’s the one you were going to comment on?
In all cases and posts, Nextcloud is recommended for self-hosting and I am unable to do this.
Furthermore, a quick search on the forum indicates the various problems that exist with Nextcloud self-hosting, apart from the broken E2EE itself reported in the recommendation.
My point is the notebook you mention doesn’t have encryption, so it can’t be in the notebook section. And NextCloud, which is not encrypted, is already in the productivity section, so there is no need for another app there.
I’m not sure what website you’re looking at, as one of the first things on the page is E2EE for sync. And the impression I get from the app is that files are stored locally, so encryption isn’t strictly necessary for privacy when files aren’t kept in the cloud. This app is more like Obsidian or Logseq than Nextcloud.
I have yet to try this out, but I think it’s worth looking into.
This doesn’t even remotely meet the standards of PG, why is this being discussed? Never heard of it, as far as I can tell no sec audit, features are lacking, it is in an extremely privacy-hostile jurisdiction, lacking privacy policy, what is encrypted is under dispute…
Like, oh my word. This shouldn’t even be floated
IMO the real concerns here are lacking a security audit (haven’t checked thoroughly, so might have missed one) and the pretty much empty privacy policy. Being based in China is a potential concern, but if we’re banning software primarily because of that, there are probably a fairly large number of other countries we should also ban.
Unless I’m mistaken, encryption is not an issue. Syncing is E2EE (literally mentioned first thing on the homepage). They could be doing something wrong (audit would help here), but the presence of encryption should not really be in dispute. I’m also not sure what you mean by it lacking features. I personally think all of the options in the Notebooks section lack features (and/or are otherwise so janky that using them is simply unpleasant).
i’ve deployed and used this for a while. it’s an interesting one from privacy perspective.
Cons:
opt-out Google Analytics, in official distribution (see below).
keeps phoning home every few hours to check updates/announcements. might be useful for windows users, but mostly irrelevant for mobile, linux, and server deployments.
s3/webdav sync is behind paywall in official distribution, and $64 for using my own infrastructure, without the option to disable unnecessary network traffic, is quite expensive. especially compared to mainland price, and after converting to my local currency.
no oidc or 2fa support for server deployments. you must secure with keycloak/kanidm + oauth2proxy or authelia, etc.
not designed for HA. golang kernel locks the remote “database” each time before syncing.
Pros:
FOSS. under AGPL license. you can easily patch the golang “kernel” to disable updates, google analytics, unlock s3/webdav sync, and more. the developer isn’t totally against it.
E2EE synchronization. I use my own deployment of garage cluster and can confirm this. you must use the same “Data repo key” i.e. encryption key (settings → about) in all clients.
Disagree. What other tools recommended by PG are developed by a company based in a jurisdiction where the company has to comply with blanket secret orders?
It’s open-source, so as long as it is audited enough, it’s not much different than being based elsewhere. Unless you’re just opposed to software with significant and/or frequent contributions by Chinese nationals? Or software where a Chinese national has commit access?
Open-source sure, but the government could force them to introduce a backdoor. Unless you build it yourself, the gov could force them to put a backdoor in the Github releases for example.
I am not saying they have done so, but there is the real possibility it could be done in the future.
It really depends on the context, but there are plenty of cases where this isn’t a problem, such as for Shadowsocks/V2Ray/etc.
This can happen for any software where a Chinese national is able to release builds. Reproducible builds could help verify that nothing particularly suspicious is going on, but you’d be reliant on someone (or something, like an automated pipeline) bothering to build the app to notice. I also don’t think this is an issue exclusive to China, frankly.
Well, with reproducible, this will be quickly detected. And when it is, all trust will be lost.
The issue is China has laws to force companies to do basically any hidden work for the CCP, including backdoor their product.
Any jurisdiction with such laws is a dangerous place to get software from. Especially if you are a company, because decisions are centralised.