Sudden Sale: The Silent "Defection" of a Star Project#
Just in the past few days, explosive news has emerged from the open-source community: The cloud storage aggregation tool Alist, with 49.8K Stars, has been sold in its entirety.
The incident was triggered when users discovered that its official domain quietly changed from alist.nn.ci to alistgo.com, the Chinese documentation was extensively modified, and new commercial content (such as VIP technical support QQ groups and paid pricing strategies) was added, while the original developer Xhofe suddenly disappeared from all communities and remained silent for a long time.
What further alarmed users was the appearance of a device data collection module in newly submitted code (later urgently withdrawn after community protests), and the desktop download link even pointed to Tencent Cloud COS storage (which was banned due to copyright infringement). These unusual actions run counter to the transparency expected of open source and quickly ignited community skepticism.
Original Developer's Response: A "Limited Commitment" After Silence#
In response to the community outcry, original developer Xhofe first responded on June 11, but the content of the statement sparked even greater controversy:
"The project has been handed over to a company for operation, and I will help review the code in the open-source version repository to ensure that releases are automatically built by CI, the main branch has been protected, and subsequent submissions will require PR review."
This response was criticized for being evasive:
- Did not deny the sale, only vaguely acknowledged the "handover to company operation";
- Did not disclose transaction details: the identity of the acquirer, the amount, and the ownership of user data were not explained;
- Doubtful review authority: the so-called "helping to review" was strongly questioned regarding whether it has any actual binding power, with some netizens joking: "They wouldn't have sold the account too, would they?"
The community is concerned that the founder's actions are actually paving the way for commercialization, while the promise of "branch protection" is unlikely to withstand capital-driven control over the code.
Exposing the Acquirer: The "Poisoning Black History" of Guizhou BuG Technology#
The acquirer, Guizhou BuG Technology, has become the focus of public opinion, with its past operations being described as a "trust killer" in the open-source community:
To avoid complaints about the article, the name of the new owner company is omitted. It's easy to find out. 🐶
Controversial acquisition history and poisoning suspicions
- Hutool Toolkit: After the acquisition, it frequently pushed abnormal updates, reported by developers to have "unnecessary dependency injection," suspected to be for bundled promotion or backdoor paving;
- LNMP One-Click Installation Package: A company in Jinhua (suspected to be related to BuG Technology) implanted malicious scripts after acquisition, secretly collecting server information, later intercepted and exposed by a security company;
- Oneinstack: Also caught in the "silent update carrying private goods" storm, users pointed to its "supply chain poisoning model."
The company commonly employs a four-step strategy of "acquisition → modifying documentation → pushing paid services → closing source":
- Modifying the project homepage to strongly promote its own products (such as the addition of Vi**ub ads in this Alist documentation);
- Rapidly launching a paid version (AList desktop version priced at 39.99 yuan);
- Restricting open-source features and shifting core services to private APIs (for example, the api.nn.ci service that Alist relies on may be discontinued in the future).
Some netizens pointed out: This kind of operation is essentially "open-source hijacking," achieving user data monetization by controlling the infrastructure.
Community Self-Rescue: Forking and Defense Guidelines#
In the face of systemic trust collapse, users are taking multiple actions:
- Pause updates: Many tech media outlets are calling for freezing Alist at a version earlier than v3.40.0 to avoid supply chain poisoning risks;
- Forking rebirth: Core contributor xrgzs has initiated a Fork project (referred to by the community as the "Slave Uprising"), with alternatives like Zfile gaining popularity;
- Data isolation: It is recommended to unlink sensitive cloud storage accounts and enable independent API keys to reduce reliance on centralized services.
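The "pause updates" advice above is only as good as the pins in your deployment files. The following script is an added example (not Alist's or the community fork's code) that checks container image references against the freeze policy named in the article: it rejects floating tags such as `latest`, rejects any release tag at or past v3.40.0 even when a digest is present, and flags pre-freeze tags that still lack an immutable `@sha256` pin. The `xhofe/alist` image name and the sample compose file are assumptions constructed for the demonstration.

```python
import re

# Policy from the community advice above: stay before v3.40.0 (the cutoff
# named in the article) and never run a floating tag that can be repointed.
FREEZE_BEFORE = (3, 40, 0)
FLOATING_TAGS = {"latest", "main", "beta", "dev", "edge"}
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

def parse_version(tag):
    """'v3.39.4' -> (3, 39, 4); any non-release tag -> None."""
    m = _VERSION_RE.match(tag)
    return tuple(int(x) for x in m.groups()) if m else None

def split_image_ref(ref):
    """Split 'repo[:tag][@sha256:...]' into (repo, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, sep, tag = ref.rpartition(":")
    # A ':' after the last '/' is the tag; an earlier one is a registry port.
    if sep and "/" not in tag:
        return name, tag, digest
    return ref, None, digest

def check_image_ref(ref):
    """Return (compliant, reason) for one container image reference."""
    repo, tag, digest = split_image_ref(ref)
    if tag is None and digest is None:
        return False, f"{repo}: untagged, silently resolves to 'latest'"
    if tag in FLOATING_TAGS:
        return False, f"{repo}: floating tag '{tag}' can be repointed upstream"
    if tag is not None:
        ver = parse_version(tag)
        if ver is None:
            return False, f"{repo}: '{tag}' is not a release version tag"
        if ver >= FREEZE_BEFORE:
            return False, f"{repo}: {tag} is at or past the freeze point"
    if digest is None:
        return True, f"{repo}: {tag} is pre-freeze; add an @sha256 pin too"
    return True, f"{repo}: pinned by immutable digest"

def scan_compose(text):
    """Check every 'image:' line in a docker-compose file body."""
    refs = re.findall(r"^\s*image:\s*['\"]?([^\s'\"#]+)", text, re.M)
    return [(r, *check_image_ref(r)) for r in refs]

# Constructed sample; the 'xhofe/alist' image name is an assumption.
SAMPLE_COMPOSE = "services:\n  alist:\n    image: xhofe/alist:latest\n"
if __name__ == "__main__":
    for ref, ok, why in scan_compose(SAMPLE_COMPOSE):
        print("OK  " if ok else "FAIL", why)
```

Run it against your real compose or Kubernetes manifests before the next `docker compose pull`; a digest pin is the only reference a new upstream maintainer cannot silently move.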