[GH-ISSUE #75] Why is the actual frontend source code missing? (Potential security and licensing violation) #54

Closed
opened 2026-03-02 15:47:33 +03:00 by kerem · 3 comments

Originally created by @ISCOzmurph on GitHub (Feb 23, 2026).
Original GitHub issue: https://github.com/PegaProx/project-pegaprox/issues/75

Originally assigned to: @mkellermann97 on GitHub.

While reviewing this project, I noticed several major concerns:

  • The repository contains only post-build frontend artifacts (a large precompiled/minified index.html) and no actual source code (JS/JSX/TSX, components, build scripts, etc.).
  • Comments in the backend reference JSX builds and a build pipeline, but none of that source exists in the repo.
  • This means the published code is not the preferred form for modification, which is required under AGPL‑3.0.

Without the real source, it is impossible for anyone to:

  • audit the frontend,
  • verify its safety,
  • build reproducible artifacts,
  • or contribute meaningfully.

This raises a serious question:

Was the omission of the real frontend source intentional (obscuring code), or an oversight?

Given that this application handles privileged credentials for Proxmox clusters, transparency is critical. Please clarify:

  1. Where is the real source code for the frontend?
  2. How is the build process supposed to be reproduced by contributors?
  3. Why was only the compiled output committed instead of the actual source?
  4. If this was an oversight, please push the full source tree so the project can be reviewed and contributed to properly.

If this omission was intentional, the project cannot be considered open source despite the AGPL license. In fact, in its current state, you are in violation of your own included license.

kerem 2026-03-02 15:47:33 +03:00
  • closed this issue
  • added the invalid label

@mkellermann97 commented on GitHub (Feb 23, 2026):

Hi @ISCOzmurph ,

Thanks for raising this – totally understand the concern given the file size.

Out of curiosity, did you actually open the index.html.original file? That's the actual source code. It's not minified or compiled – it's a ~48k line single-file SPA (React 18 + Tailwind).

You can read every line. We chose this structure because it makes deployment extremely simple for our use case (single file copy to update). Unconventional? Absolutely. But it's fully readable, commented, and is the preferred form for modification – so there's no AGPL violation here.
That said, the header comment at line 57 already acknowledges: TODO (NS): Split into proper components when we have time – so a more traditional project structure is on the roadmap.
Closing this as resolved. Feel free to reopen if anything remains unclear.

Regards,
Marcus


@ISCOzmurph commented on GitHub (Feb 23, 2026):

Thank you for clarifying. However, a 30k+ line single HTML file using in-browser Babel compilation is not a standard or maintainable way to distribute a React application. It makes community contribution nearly impossible. I strongly recommend migrating this to a standard Vite or Create React App structure. You're compliant with the letter of your license but not the spirit; Technically compliant, so that's good. At least I can run a scan to ensure you're not injecting malicious code, based on your word that the "original" is actually what's used in your nebulous internal-only build process. I actually don't have any way of knowing that without an arduous deobfuscation and audit.

I've reevaluated and I do not believe you're in compliance with your attached license.

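The scan the reporter mentions above is worth making concrete. The following is an added example for this thread, not code from the PegaProx project and not derived from index.html.original: it parses a single-file SPA, lists every script tag, flags remote scripts loaded without Subresource Integrity, flags inline text/babel blocks (JSX that is transformed in the browser by a Babel script fetched at load time), flags dynamic code evaluation, and compares the inline-script digests of a deployed page against the file offered as source so that "what is served is what was reviewed" can be checked without trusting any internal build step. The sample page is constructed for illustration; the `sha384-EXAMPLEONLY` integrity value is a placeholder, not a real hash.

```python
"""Static triage of a single-file React SPA that compiles JSX in the browser.

Added example for this issue thread, not PegaProx code. The sample page
below is constructed; the checks only inspect generic HTML <script> tags
(src, type, integrity, inline body), which a reviewer can verify offline.
"""
import hashlib
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional


@dataclass
class ScriptTag:
    src: Optional[str]          # None for inline scripts
    type_: Optional[str]        # e.g. "text/babel" for in-browser JSX
    integrity: Optional[str]    # SRI hash attribute, if present
    body: str = ""              # inline source text (empty for src= scripts)

    @property
    def is_remote(self) -> bool:
        return self.src is not None and self.src.startswith(("http://", "https://", "//"))

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.body.encode("utf-8")).hexdigest()


class _ScriptCollector(HTMLParser):
    """Collect every <script> element with its attributes and inline text."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[ScriptTag] = []
        self._open: Optional[ScriptTag] = None
        self._chunks: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self._open = ScriptTag(a.get("src"), a.get("type"), a.get("integrity"))
            self._chunks = []

    def handle_data(self, data):
        # HTMLParser treats <script> content as raw text until </script>.
        if self._open is not None:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._open is not None:
            self._open.body = "".join(self._chunks)
            self.scripts.append(self._open)
            self._open = None


def collect_scripts(html: str) -> List[ScriptTag]:
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts


def audit(html: str) -> List[str]:
    """Human-readable findings for the things a reviewer checks first."""
    findings: List[str] = []
    for s in collect_scripts(html):
        if s.is_remote and not s.integrity:
            findings.append(f"remote script without SRI integrity: {s.src}")
        if s.src is None and (s.type_ or "").lower() in ("text/babel", "text/jsx"):
            findings.append(
                f"inline {s.type_} script ({len(s.body.encode())} bytes): JSX is "
                "transformed in the browser at load time, so the Babel script that "
                "performs the transform is part of the trusted code base"
            )
        if s.src is None and ("eval(" in s.body or "new Function(" in s.body):
            findings.append(f"inline script uses dynamic code evaluation (sha256 {s.sha256[:12]})")
    return findings


def inline_hashes(html: str) -> List[str]:
    """Sorted SHA-256 digests of every inline script body."""
    return sorted(s.sha256 for s in collect_scripts(html) if s.src is None)


def same_inline_scripts(deployed_html: str, source_html: str) -> bool:
    """True when the deployed page carries byte-identical inline scripts to the
    file offered as source; no build pipeline has to be trusted for this check."""
    return inline_hashes(deployed_html) == inline_hashes(source_html)


# Constructed sample page (not taken from any real project).
SAMPLE = """<!doctype html>
<html><head>
<script src="https://unpkg.com/react@18/umd/react.production.min.js" crossorigin></script>
<script src="https://unpkg.com/@babel/standalone/babel.min.js" integrity="sha384-EXAMPLEONLY" crossorigin="anonymous"></script>
</head><body>
<div id="root"></div>
<script type="text/babel">
const App = () => <div>Hello</div>;
ReactDOM.createRoot(document.getElementById('root')).render(<App/>);
</script>
<script>
window.__cfg = JSON.parse(document.getElementById('cfg')?.textContent || '{}');
</script>
</body></html>"""

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("-", line)
    print("deployed == source:", same_inline_scripts(SAMPLE, SAMPLE))
```

Run it against the real `index.html` and `index.html.original` by reading both files into strings: `audit()` gives the list of remote dependencies that need pinning or SRI and the inline blocks that need reading, and `same_inline_scripts()` answers whether the two files carry the same inline code at all, which is the precondition for treating the "original" as the reviewed artifact.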

@mkellermann97 commented on GitHub (Feb 23, 2026):

@ISCOzmurph you're welcome, don't worry, it's on our internal roadmap and will come out ETA this Sunday. Feel free to share any security findings with us.

Regards,
Marcus
