Privacy & Security Concerns - Vibe-coding and project Majusb on blitzfc.com belonging to a fake account

[MisterPharaoh]

Dear @vicrodh,

Since the app has released I have been extremely satisfied with this project and the ideas you have so far had for it. Linux was in dire need of a native Qobuz client with lossless playback, that at the same time feels modern and more usable for the average user compared to a program like Strawberry.

I was curious about changing the default gradient for colors in the Spectrum Visualizer Immersive Mode (purple to blue for albums with black and white covers). This led me to browse the source code in the hopes of being able to make changes and maybe even help add a feature to the project. While browsing the source code, numerous things came to my attention that I would like some clarification on, considering this is a program with access to sensitive personal data. For the time being I have uninstalled the program on my PC until the situation is clearer. The questions I had are as follows:

• The commentary in the source-code feels very unnatural and like it was written by a LLM. Would you be able to explain how much AI is being used for the creation of the project, and could you, in addition, also point to your ability to actually verify the code output that the LLM is giving? I am not necessarily against AI, as it can be a useful tool. It would however be worrisome if this project was created solely through prompting an LLM.
• The structure of the project felt somewhat incoherent, with some code features not being in the files or folders that one would logically expect them to be in (I am still unable to find the part of the code responsible for the gradient in the Spectrum Visualizer, for example). I feel like this, along with the presence of many files and folders is a security risk as malicious code would be able to be hidden quite effectively. Is there any hope of a clean-up and reorganization of the code base?
• Finally, on your website blitzfc.com you have listed three projects: QBZ, MajUSB & Tlacuilo. When visiting the page for MajUSB we can see that it is owned by a different account which gives the impression of a bot account (@majusb). Could you explain why this is on your website with projects that should belong to your account? In addition, I have noticed that there is a second account (@victorrhgap) also making commits (responsible for a decent portion of the code base). Why do you use this account instead of the main one?

I am not trying to necessarily make accusations, but would like more information to properly assess the situation at hand, and whether I should reconsider installing the program. Thank you for your time and attention!

[vicrodh]

Hi, thanks for taking the time to review everything. A good starting point is the section at https://qbz.lol/licenses/, where I explain how AI agents are used.

This project started as a hobby, basically a personal implementation of Qobuz because I was frustrated about not having an official client and having a love–hate relationship with Strawberry. So at some point, when I was bored, I decided to use AIs to finish a project that had been sitting on ice. Once I reached a level I was happy with, I just made it public, because if I liked it, chances are more people would find it useful too.

I generally review the code on three levels: human eyes first, Sonar then, and after that then with CodeQL. Obviously, these are more focused on finding security issues than architectural ones.

In that sense, if you dig into the first versions of qbz, you’ll see it has gone through several architecture and refactoring rounds, moving from a monolithic state to a crate-based design on the backend.

On my to‑do list is doing the same with the frontend—which is where the code you’re looking for lives. But it’s an active project in continuous improvement, and unfortunately I don’t have 100% of my time available to move as fast as I’d like, becasue I need to work on my real job, the one that pays the bills. I’ll also mention that @victorrhgap is my work account, which is why more than one commit has come from that user, and it will most likely keep happening.

Also, thanks for pointing out the MajUSB error on the website, thats a plain HTML texti totally AI slop, just because I need to have something in that website in order to create the app entry in Flathub; that was a URL issue and it’s now fixed.

That’s pretty much it. I’ll just repeat that the project is alive and constantly changing. One thing that will not change is its open‑source nature, so you will always have the opportunity to see where everything is, and since it is free software, you are free to modify it, free to use it, or free to not install it at all.

[MisterPharaoh]

Hey again @vicrodh,

Thanks for your extensive reply and the time you took to reply to my message. The love-hate relationship with the Strawberry program is relatable. It's so powerful, but looks severely outdated and has some usabilty quirks. Definitely a different design philosophy when compared to other music players.

Anyways, your comment has assured me somewhat and the usage of AI is definitely not a deal-breaker for me, especially if it helps you save time and focus on your actual job. Your effort on the project so far is appreciated.

I am currently considering whether I should start to learn some coding to help this project out a little bit. I don't really know much currently in all fairness. Would you have a recommendation on a part of the app that a beginner like me could consider modifying/contributing to? Thanks again!