Gave it a quick shot right now, and gonna be honest - while the premise seems nice, the sample project is very transparently AI slop generated with a prompt that, I can only assume, included an instruction like “for every sentence that doesn’t include a whimsical quip, I’m gonna kill a kitten”. It is absolutely grating to read. I don’t care if you do that in your marketing copy, but keep that shit out of technical documentation, it’s annoying, it’s distracting, and it’s turning me off the entire project. Like wtf is this:

Well but distributed != federated. Which is why Forgejo is currently working on a federation feature.

The company that employed the core Immich devs about a year ago to give them a full-time salary to keep working on Immich. Founded and funded by a millionaire whose stated goal is to try and make a viable business model out of software that doesn’t abuse its users

e2ee would be important if youre uploading files when away from your local network

Even without e2ee or a VPN, just plain old HTTPS should be enough to secure that part, or am I missing something?

even if you steal my password (database)

That’s a big leap you’re doing there, equating stealing a password to stealing a password database. Those are very different. Stealing a password can be done through regular phishing, or a host of other methods that don’t require targeted effort. Stealing a password database, if properly set up, is a lot harder than that. It depends of course on what password manager you’re using, but it usually involves multiple factors itself. So equating that to just a password, no matter how strong and random, is just misleading.

Mind you, I agree that it’s less secure than “proper” MFA, and I’m not saying that everybody should just use MFA through a PW manager. I am using physical security keys myself. But for a lot of regular people that otherwise just couldn’t be bothered, it’s absolutely a viable alternative that makes them a whole lot safer for comparatively little effort. Telling them they just shouldn’t bother at all is just going to create more victims. There is no such thing as perfect security, and everyone has a different risk profile.

More like 1.5FA, at least. It still protects against passwords being compromised in any way that doesn’t compromise full access to your password database, which is still a lot better than using just passwords without a second factor.

You might have to sign out and then in again. There was a bug with the initial release that caused this kind of behavior