Arch Linux User Repository

You’re making this more complicated than it needs to be.

This was a small student project, completely open source, and now outdated. Everything is transparent. The hash is a one-way SHA256, which helps avoid counting the same machine multiple times. It doesn’t collect identities, IP addresses, or personal information.

Anime titles were logged for basic debugging and to get insights on usage during development; they were not used to create “watch history profiles.” There is no dashboard that reveals individual users.

Authentication protects the endpoint from misuse. The Next.js build files are leftover development artifacts, not a hidden tracking tool.

If you believe that analytics should have been opt-in or documented better, that’s a valid point. However, describing this as a malicious tracking system is simply wrong.

The code is public. Anyone can read it or edit it. The tool itself is open source and aimed at developers, not the general public.

Let me get this straight. You are calling my comment AI generated and unprofessional?

Meanwhile: 1.You claim this is "anonymous usage metrics" But platform.node() literally returns the computer network name on the network. That not anonymous, Combined with a persistent SHA256 hash this is a tracking ID full stop. 2.You said data is only "platform type and general usage frequency" So why is the code sending specific anime titles and episode numbers? That not "general usage" that building a watch history profile. 3.If this was just for "monitoring stability" why does it need authentication? What exactly are you protecting if the data is so benign?. 4.You expect anyone to believe a CLI tool accidentally includes a complete compiled Next.js application with routing, chunks, and build manifests? What is the web interface for @np4abdou1? Is it a dashboard to view the "anonymous" watch histories you are collecting?. 5.You implemented a singleton to ensure the fingerprint persists across the entire application. This was deliberately designed to track users across sessions. Calling my analysis "AI generated" doesnt make the code disappear The code speaks for itself. You built a tracking system into an anime streaming tool and now you are attacking anyone who points it out.

The open source community deserves better than gaslighting.

Replying to @mickael_002:

First, your comment is clearly AI-generated, which is already unprofessional when making serious accusations. Copy-pasting a generic security analysis without understanding the context of the project does not strengthen your point.

This is a deprecated student project, built by two college students for learning purposes. It is not a commercial product, it is not seeking users, and it is no longer maintained. Framing it as malicious software is misleading.

Regarding data collection: yes, the application collects analytics, and this is not hidden. The generated hash is used only for anonymous usage metrics, not for identifying real people. There is no access to user identities, IP addresses, names, or personal viewing behavior in any human-readable way. Data is viewed in aggregate, such as platform type and general usage frequency.

The remote requests exist solely to monitor basic app usage and stability. The authentication key is there to protect the endpoint from abuse, not to obscure activity. No third parties have access to this data, and nothing is sold or monetized.

As for the frontend assets, they are a byproduct of the development stack used during the project. Including a web interface does not imply secret tracking, hidden dashboards, or additional data collection beyond what is already visible in the code.

Accusing a deprecated, open student project of being “very questionable” without acknowledging its educational nature and lack of maintenance is irresponsible. If this project were intended for invasive tracking, it would not be open-source, transparent, or abandoned.

1. Fingerprinting components = [ platform.node(), # user computer's hostname platform.machine(), # CPU architecture platform.system(), # OS name platform.release(), # OS version platform.processor() # CPU model ] This creates a unique SHA256 hash of user system. A fingerprint that identifies user machine across sessions.
2. Data Collection Every time user: Start the app (track_app_start) Play a video (track_video_play — with anime title and episode) It sends: -user fingerprint -Timestamp -What user watched -user OS details
3. Phone Home requests.post(f"{endpoint_url}/monitor", json=payload, headers=headers) To a remote server. With an auth key.
4. The "Opt-Out" Illusion if not settings.get('analytics'): return It claims to check if user opted in But: Is analytics on by default? Does the user know this exists? Where's this documented? and let not mention the bloat A whole frontend framework for a CLI tool? Why? _next/static/chunks/ — JavaScript bundles, CSS files, source maps index.html, 404.html, _not-found/ — A complete web interface, compiled and included favicon.ico, SVG icons — Branding assets vercel.svg — Deployment platform logos Turbopack chunks — Build tool artifacts With monitoring.py collecting fingerprints and watch history, and a whole web interface included What's the web interface for? Where's that data going? Who has access? What else is being collected? very Questionable