Old 05-12-2023, 08:04 AM   #1
arr219p
Junior Member
Posts: 1
Karma: 10
Join Date: May 2023
Device: kindel
Security Issues

The software has some serious issues:
The software does not have any type of security for unauthorized users.
The web address is not encrypted.
There are no user login requirements - it's completely open.

I was going to recommend this software for my company's library of over 45000 ebooks, but no security... Will these issues be addressed in the near future?
Old 05-12-2023, 09:07 AM   #2
ownedbycats
Custom User Title
Posts: 10,973
Karma: 75337983
Join Date: Oct 2018
Location: Canada
Device: Kobo Libra H2O, formerly Aura HD
https://calibre-ebook.com is https and has a valid certificate. wtf are you on about?

and user login requirements - other than the server (where it does exist), why is that needed?

also, see this:
https://bugs.launchpad.net/calibre/+bug/2011811

Quote:
If you have something specific to say beyond "cripple your application
in arbitrary ways to make me happy while I wave around the security
word", feel free to post further, otherwise kindly don't waste my time.
Quote:
Book HTML is displayed inside a sandboxed by the browser iframe which is
itself run inside a sandboxed by the OS chromium process. I made a whole
lot of design decisions that greatly complicated the viewer code for the
sake of security. Barring bugs, scripts in books have no access to
anything on your system.

There are no known security issues in the calibre viewer that are not
also present in chromium itself. In other words, reading books is at
least as safe as browsing the internet (slightly safer because of the
sandboxed iframe).

Last edited by ownedbycats; 05-12-2023 at 09:11 AM.
Old 05-12-2023, 10:18 AM   #3
Quoth
Still reading
Posts: 14,025
Karma: 105092227
Join Date: Jun 2017
Location: Ireland
Device: All 4 Kinds: epub eink, Kindle, android eink, NxtPaper
I think the OP means the Calibre program.

It's not a library system for a lending library! There is no tracking of loans or user database. There is no concept of loans, checkout or borrows.

It's for one user on Mac, Windows or Linux to organize and manage ebooks on an ereader, or less well, an app on a phone, though people have used it to catalogue other things.

It's primarily a single user catalogue (metadata in SQLite, so one user). The catalogue metadata can be edited. It stores an imported copy of an ebook in a separate local file structure (NAS, cloud, Shares are not supported). There is a LOCAL LAN web server for personal convenience instead of Send to Device via USB or Save to Disk (Devices that don't behave well). Also separate is a viewer and editor.

Since all the files are in sub folders of Calibre Library folder and the metadata & catalogue is in an SQLite file and single user, any GUI password would be irrelevant.

The Web Server shouldn't be shared outside of a trusted LAN and AFAIK it has an option for a password.

This is NOT a library system, nor a document management system in the common sense of public libraries, video libraries or corporate document archives.
Old 05-12-2023, 11:41 AM   #4
DNSB
Bibliophagist
Posts: 46,190
Karma: 168983734
Join Date: Jul 2010
Location: Vancouver
Device: Kobo Sage, Libra Colour, Lenovo M8 FHD, Paperwhite 4, Tolino epos
Quote:
Originally Posted by arr219p View Post
The software has some serious issues:
The software does not have any type of security for unauthorized users.
The web address is not encrypted.
There are no user login requirements - it's completely open.

I was going to recommend this software for my company's library of over 45000 ebooks, but no security... Will these issues be addressed in the near future?

Considering that calibre is designed and intended as a single user system for managing ebooks, why would it need to have the level of security you are whinging about? When you open a program on your computer, say your favoured web browser, does it require you to authenticate before you can use it?

The web interface can be configured with users, but that is not something that most people do. You can also configure the web interface to use https, but considering that for most people it is intended for use on their home network and not exposed to the outside, it is not a real pressing need.

If you want a corporate library system, there are several of them out there. All the ones I am familiar with do have a cost involved. Have you looked at any of them? A quick search on 'integrated library system' or 'library management system' should give you a fair number of options to check out.

And BTW, it's Kindle not kindel.
DNSB is offline   Reply With Quote
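
A way to check the two server-side points raised in this thread (plain HTTP, no login) against a running content server before sharing it, as an added example that is not part of any post above or of calibre's own code. `audit_content_server` and `start_demo_server` are hypothetical names, and the demo server is a constructed loopback stand-in so the block runs offline.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Probe directly, ignoring any proxy environment variables.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def audit_content_server(url, timeout=5):
    """Probe `url` without credentials and return a list of findings."""
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("no-tls")            # content and logins cross the network in clear
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            if resp.status == 200:
                findings.append("no-auth")   # anonymous client was served content
    except urllib.error.HTTPError as err:
        if err.code != 401:                  # 401 means the server demanded credentials
            findings.append(f"unexpected-status-{err.code}")
    except urllib.error.URLError as err:     # refused, timed out, or untrusted certificate
        findings.append(f"unreachable: {err.reason}")
    return findings

def start_demo_server(require_auth):
    """Constructed stand-in for a content server, bound to loopback only."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if require_auth and "Authorization" not in self.headers:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="demo"')
                self.end_headers()
                return
            self.send_response(200)
            self.end_headers()

        def log_message(self, *args):        # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/"

if __name__ == "__main__":
    for auth in (False, True):
        srv, url = start_demo_server(auth)
        print(f"require_auth={auth}: {audit_content_server(url)}")
        srv.shutdown()
```

Against a real content server started with user accounts and a certificate the client trusts (calibre-server's `--enable-auth`, `--ssl-certfile` and `--ssl-keyfile` options), the expected result is an empty list.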