This is a virus

[jerzydziewierz]

Source code not provided,

Reports of stolen API keys

do not use it

[notDavid]

I've used this app on macOS with a firewall. I've not seen any connections other than to openai.com.

So do you have any evidence for your claim?

[dranusa321]

This is a disaster waiting to happen

[notDavid]

A warning is good since it's not open source, but stating this is a virus is FUD until someone has evidence :-)

[jerzydziewierz]

A warning is good since it's not open source, but stating this is a virus is FUD until someone has evidence :-)

Although you are not exactly wrong,

the American judicial philosophy does not apply here.

On the internet, things are a virus unless proven otherwise.

"It does not open a perma connection to not openai.com when you looked" is not sufficient evidence for it not stealing your key, and then using some other method to exfiltrate it.

[andykras]

it's not a virus, but it's definitely not safe to use.

source code has not been updated since the initial commit https://github.com/lencx/nofwl/commit/693e9216c2cf1f06a0b2fe5588ff3ccc744dac40

fn main() {
    println!("Hello, NoFWL!");
}

[BC79]

Many things wrong - it is not a virus, no, but it is not secure There are ways to lock it you can create a user in linux like no-fwl-user, sudo into it with some variables and limit this user's internet access to openai or
whatever will be the future site. Leave the user's password blank. It needs a home screen for XDG variables so a user without a home won't work.

The problem is that the UID is hardcoded: no-fwl-user@bruno-M4HM87P-00:~$ no-fwl

(no-fwl:8997): dbind-WARNING **: 18:51:14.439: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: Permission denied

User no-fwl-user has XDG_RUNTIME_DIR=/run/user/1001 My actual user has XDG_RUNTIME_DIR=/run/user/1000 -> so this is clearly wrong.

But what this looks to be a minor issue, the x button on the corner does not work, it just minimises, so to exit you have to go to the menu and press quit or on the command line press ctrl+c to halt the process. Examples of it working:

bruno@bruno-M4HM87P-00:~$ sudo -u no-fwl-user env DISPLAY=$DISPLAY NO_AT_BRIDGE=1 ping -c 1 www.google.com 
PING www.google.com (142.250.200.4) 56(84) bytes of data.
From gigabrix (192.168.1.137) icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted

--- www.google.com ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

bruno@bruno-M4HM87P-00:~$ sudo -u no-fwl-user env DISPLAY=$DISPLAY NO_AT_BRIDGE=1 ping -c 1 openai.com 
PING openai.com (13.107.246.64) 56(84) bytes of data.
64 bytes from 13.107.246.64 (13.107.246.64): icmp_seq=1 ttl=57 time=9.99 ms

--- openai.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 9.992/9.992/9.992/0.000 ms

bruno@bruno-M4HM87P-00:~$ sudo -u no-fwl-user env DISPLAY=$DISPLAY NO_AT_BRIDGE=1 no-fwl
[2024-01-18][19:11:14][nofwl::app::setup][INFO] setup
[2024-01-18][19:11:14][utils::fs][INFO] file_read: /home/no-fwl-user/.nofwl/nofwl.conf.json
[2024-01-18][19:11:14][utils::fs][INFO] file_read: /home/no-fwl-user/.nofwl/nofwl.conf.json
[2024-01-18][19:11:14][utils::global_shortcut][INFO] global_shortcut: `Cmd+Shift+N`
[2024-01-18][19:11:14][utils::global_shortcut][INFO] global_shortcut_register

So you can see me pinging google as user no-fwl-user -> failed So you can see me pinging openai as user no-fwl-user -> successfull the last bit is logs from the app.

so create the no-fwl-user(up to you how you do it)

Add the firewall configuration

sudo iptables -A OUTPUT -d openai.com -m owner --uid-owner no-fwl-user -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 53 -m owner --uid-owner no-fwl-user -j ACCEPT
sudo iptables -A OUTPUT -m owner --uid-owner no-fwl-user -j REJECT

Run no-fwl

sudo -u no-fwl-user env DISPLAY=$DISPLAY NO_AT_BRIDGE=1 no-fwl

[richardstevenhack]

This thing simply does not work. Neither did the original Chatgpt app on openSUSE Tumbleweed. This is most definitely NOT ready for prime time. I'll consider it some day when things like MSTY and Ollama and other USABLE tools are superceded by this thing.