Replies: 13 comments
-
This is fairly concerning. This project has the potential to allow people to actually have privacy while using AI but some of the design choices do not seem to focus on privacy. |
Beta Was this translation helpful? Give feedback.
-
Related #807, To reiterate, WebUI does not make any external connections in operation and everything stays on your machine. Don't trust our word for it; We encourage you to examine/audit our code, and make a PR in case we missed anything. We would not have open-sourced the project if we wanted to be shady about the data collection policy. We would also love to know what part of the code is making this connection, if I had to make an educated guess based on the precedented issue reports, it seems like one of our dependency libraries upstream is making the connection. Feel free to continue your investigation and keep us updated! |
Beta Was this translation helpful? Give feedback.
-
I've intended to communicate my experience in this regard eventually and this ticket is a good opportunity. To date, I've almost exclusively used the Docker container with Podman (self-built and official download). I think I've adequately identified the source of all external network connections I've encountered, which all appear to be entirely legitimate. I've also not yet found anything suspicious in the source code of this project or dependencies (granted I've not performed a full audit 😀 but my first pull request was quickly implemented to disable Chroma telemetry #618). Note that the Dockerfile explicitly attempts to preload models for Whisper and Chroma embedding (via sentence_transformers) during the build process. In my experience, the containers function entirely offline with a startup delay (this is a topic for another discussion and IMHO a ticket is warranted). You can now use the Here are my notes: Connections
Connection initiated here:
There seems to be a problem with
It seems that litellm make a compulsory connection to download this file. Use of LITELLM_LOCAL_MODEL_COST_MAP may be a reasonable mitigation. Testing should be easy enough.
Gravatar is also incorporated but I've yet to encounter any related traffic perhaps due to my choice of invalid email addresses that I use with my Open-WebUI accounts. Of course connections to OpenAI and anywhere else like MistralAI will occur if desired and configured appropriately. |
Beta Was this translation helpful? Give feedback.
-
This IP resolves to a CloudFront Philadelphia address:
I'd wager that this is a Huggingface endoint.
ARIN WHOIS data
|
Beta Was this translation helpful? Give feedback.
-
Maybe you could add a environment variable that explicitly tells it to connect to the internet? This could be added to the getting started command and those who do not want third party services for privacy reasons could simply remove the variables. My initial comment was probably way to harsh but I have noticed that some projects simply do not focus on privacy or ethical issues. That does not make them malicious but is usually a byproduct of the developers not caring about privacy. |
Beta Was this translation helpful? Give feedback.
-
Thanks @lainedfles for the thorough analysis! The part you noted here probably should be looked into @tjbck:
And yes, Gravatar shouldn't be fetched unless you want it to be used by setting so in your profile settings.
|
Beta Was this translation helpful? Give feedback.
-
We've a documented history of taking these matters seriously, but we also rely on others to find and report this stuff. Thank you to everyone for keeping an eye on things. We do try to find this stuff early, but sometimes things get snuck in after they were originally merged. |
Beta Was this translation helpful? Give feedback.
-
I've confirmed that |
Beta Was this translation helpful? Give feedback.
-
It might be worth making this the default |
Beta Was this translation helpful? Give feedback.
-
Nice one @lainedfles ! |
Beta Was this translation helpful? Give feedback.
-
@Darin755 I agree! PR created: #1436
@justinh-rahb Thanks, I'm having a lot of fun with this project, it's fast becoming a new hobby! Thank you for all your knowledge and support. |
Beta Was this translation helpful? Give feedback.
-
Found another HuggingFace connection to download the WhisperModel. See #1499 |
Beta Was this translation helpful? Give feedback.
-
I can't connect to Hugging Face. Every time I start Open WebUI, it takes a long time. When I open the proxy, the startup time shortens. |
Beta Was this translation helpful? Give feedback.
-
What is the purpose of this connection to a remote ip?
Beta Was this translation helpful? Give feedback.
All reactions