Argos Translate security

I’ve had a few people reach out to me to ask how secure Argos Translate is.

I try to take security seriously; but of course all software has bugs. To my knowledge, to date, no one has found a serious security vulnerability in Argos Translate or LibreTranslate. It’s probably inevitable though that ArgosTranslate/LibreTranslate or one of its dependencies will have a security vulnerability at some point.

Several people have also specifically asked me about when Argos Translate will make a network connection. When you install Argos Translate you connect to PyPI servers to download the Python package and all of the dependencies. Then when you update the package index in Argos Translate it will make a GET request to GitHub to get the JSON file with package metadata. Then Argos Translate will download the .argosmodel packages from Cloudflare R2. After you have downloaded the language packages all translation is done locally so you no longer need an internet connection. It’s also possible some of Argos Translate’s dependencies make network connections, and I haven’t done any profiling to test if they do.

I think it would probably be easy for someone snooping on your network connection to tell that you are using Argos Translate but it would be difficult for them to see what content you’re translating. Barring hardware weirdness any content translated with Argos Translate should no longer be accessible after the program has been cleared from RAM.

1 Like

If you want to security harden a LibreTranslate installation you can disable functionality you aren’t using with these configuration flags:

--disable-files-translation
--disable-web-ui
2 Likes

I have a background in security; asking “how secure” something is is odd. Secure in what sense? Do we have an audit team? Do we keep all the dependencies up to date? Do we perform fuzzy testing on all the inputs? Do we download only from a single trusted source (we do)? Do the people with write access to the sources run up to date software?

It’s open source. The AGPL says:

  15. Disclaimer of Warranty.

  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

So in short: security is always taken very seriously and as far as we know, it’s solid. But no guarantees. People that require certain guarantees, should be ready to pay for specifics (an audit? A dependency update?, etc.)

1 Like

I had someone reach out to me a few months ago who was hired to do a security audit of some sort by a client who wanted to use LibreTranslate. I’m not sure what you would want to do for a security audit but some people may need certifications of some sort for compliance reasons.