Comment by rvz
5 months ago
In all cases, having zero auth at all [0] even when others want to use it as a service to broadcast across the internet is ridiculous. Leading to problems like this: [1] and now all exposed without any protection.
Even allowing others to change the $OLLAMA_HOST env is a security footgun.
[0] https://github.com/ollama/ollama/issues/849
[1] https://www.wiz.io/blog/probllama-ollama-vulnerability-cve-2...
The idea is that you add an auth layer if that's what you want to do.
The majority of Ollama users at the moment are likely hobbyists working in single-user contexts.
For those who want to deploy it in an organizational setting, it's straightforward to put it behind a pre-existing authentication system.
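
As an added illustration of the "auth layer in front" approach discussed in this thread (not code from either commenter or from the Ollama project): a small bearer-token gate that forwards only authenticated requests to an Ollama instance left bound to loopback. The `GATE_TOKEN` variable, the listening port 8080 and the names `is_authorized` and `Gate` are assumptions made for this sketch.

```python
import hmac
import os
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import error, request

UPSTREAM = "http://127.0.0.1:11434"        # Ollama's default address, kept on loopback
TOKEN = os.environ.get("GATE_TOKEN", "")   # hypothetical variable; unset means deny all

def is_authorized(auth_header, token):
    """Constant-time check of an 'Authorization: Bearer <token>' header."""
    if not token or not auth_header:
        return False
    scheme, _, presented = auth_header.partition(" ")
    if scheme.lower() != "bearer":
        return False
    return hmac.compare_digest(presented.strip().encode(), token.encode())

class Gate(BaseHTTPRequestHandler):
    def _reply(self, status, ctype, payload):
        self.send_response(status)
        self.send_header("Content-Type", ctype or "application/octet-stream")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def _forward(self):
        if not is_authorized(self.headers.get("Authorization"), TOKEN):
            return self._reply(401, "text/plain", b"unauthorized\n")
        if not self.path.startswith("/"):
            # Refuse request targets that could rewrite the upstream host.
            return self._reply(400, "text/plain", b"bad request target\n")
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        # The client's Authorization header is deliberately not passed upstream.
        req = request.Request(UPSTREAM + self.path, data=body, method=self.command)
        if self.headers.get("Content-Type"):
            req.add_header("Content-Type", self.headers["Content-Type"])
        try:
            # Buffers the whole reply, so streamed responses arrive in one piece.
            with request.urlopen(req, timeout=300) as resp:
                self._reply(resp.status, resp.headers.get("Content-Type"), resp.read())
        except error.HTTPError as exc:
            self._reply(exc.code, exc.headers.get("Content-Type"), exc.read())
        except error.URLError:
            self._reply(502, "text/plain", b"upstream unavailable\n")

    do_GET = do_POST = do_DELETE = _forward

if __name__ == "__main__":
    # Listening address and port are assumptions; terminate TLS in front of this.
    ThreadingHTTPServer(("0.0.0.0", 8080), Gate).serve_forever()
```

The gate only helps if `$OLLAMA_HOST` stays on a loopback address, so that the proxy is the sole network path to the API.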