Hey HN, supply chain evaluation question:<p>There is this awesome desktop app called chatbox: https://chatboxai.app/ <- which I've been using for about 3 months now; essentially, it's a desktop front-end for chatgpt API with very good local search across all previous conversations.
Two red flags:<p>* 1, https://github.com/Bin-Huang the author is Chinese, from China, working at Tencent.<p>* 2, As many other desktop apps, this also auto-updates; however:<p>* https://github.com/Bin-Huang/chatbox/issues/803 he had, essentially, started distributing binary-only updates, and the source code on github no longer reflects the actual app that is automatically downloaded to my computer<p>This is sus. How sus is it. Specifically: the attack vector I'm querying for is supply-chain attack via the auto-update mechanism. This thing has 20K stars on github, and around ~250K visits on their website (15% of this from the US = ~36K US visits per month;) probably predominantly devs. This is a <i>very</i> juicy target.<p>(Alternatively, and instant-upvote: looking for a desktop frontend for chatgpt API which has built-in full-text search for 2mb of plaintext, and integration for the full suite of LLMs currently available on the market, from a reliable source, for windows please.)