FOSS / Open-Source Apps Worth Highlighting

FOSS / Open-Source Apps Worth Highlighting

• Ente — AGPL-3.0 — https://ente.com — source: GitHub - ente-io/ente: 💚 End-to-end encrypted cloud for everything. · GitHub — latest release observed: photos-v1.3.40, 2026-05-08.

• End-to-end encrypted cloud for photos, files/secrets/auth-style use cases; hosted service plus open server/client code.

• Why care: polished privacy-first alternative to Big Tech photo backup; good “usable crypto” story.

• Status: self-hostable but many listeners will use hosted; active repo.

• Caveats: self-hosting a full photo cloud is operationally heavier than a simple app.

• Immich — AGPL-3.0 — https://immich.app — source: GitHub - immich-app/immich: High performance self-hosted photo and video management solution. · GitHub — release observed: v2.7.5, 2026-04-13; pushed

2026-05-11.

• High-performance self-hosted photo/video management with mobile auto-backup.

• Why care: closest FOSS/self-owned Google Photos replacement.

• Status: self-hosted.

• Caveats: stores your media on infrastructure you maintain; upgrades/backups matter.

• SimpleX Chat — AGPL-3.0 — https://simplex.chat — source: GitHub - simplex-chat/simplex-chat: SimpleX - the first messaging network operating without user identifiers of any kind - 100% private by design! iOS, Android and desktop apps 📱! · GitHub — latest release observed: v6.5.0,

2026-04-30.

• Secure messenger designed without persistent user identifiers.

• Why care: a compelling answer to metadata leakage in messaging.

• Status: mobile/desktop apps; can operate with relay infrastructure; self-hosting possible for servers.

• Caveats: smaller network than Signal/WhatsApp; explain UX/tradeoffs.

• Molly — AGPL-3.0 — source: GitHub - mollyim/mollyim-android: Enhanced and security-focused fork of Signal. · GitHub — latest release observed: v8.7.3-2, 2026-04-29.

• Security-focused Android fork of Signal.

• Why care: familiar Signal protocol with hardened Android choices.

• Status: client app; still depends on Signal network.

• Caveats: Android-only; unofficial fork means trust/update model should be discussed.

• Orbot — license not cleanly detected from GitHub page — https://orbot.app / source mirror: GitHub - guardianproject/orbot-android: The Github home of Orbot: Tor on Android (Also available on gitlab!) · GitHub —

beta release observed: 2026-05-05.

• Tor proxy/VPN-style routing for Android.

• Why care: practical mobile privacy and censorship-resistance tool.

• Status: local mobile app using Tor network.

• Caveats: Tor can be slow or blocked; threat-model-dependent.

• Rethink DNS + Firewall — Apache-2.0 — https://rethinkfirewall.com — source: GitHub - celzero/rethink-app: DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android. · GitHub — repo pushed 2026-05-10.

• Android firewall, DNS-over-HTTPS/DNSCrypt/DNS-over-Tor, WireGuard/proxy tooling, connection tracker.

• Why care: one of the best “see and control phone network traffic” apps.

• Status: local Android app; optional resolver/service use.

• Caveats: latest GitHub release page looked older than repo activity, so verify preferred distribution channel before citing version.

• Mullvad VPN app — GPL-3.0 — https://mullvad.net — source: GitHub - mullvad/mullvadvpn-app: The Mullvad VPN client app for desktop and mobile · GitHub — latest observed: android/2026.5,

2026-05-07.

• Open-source desktop/mobile VPN client from privacy-focused provider.

• Why care: account-number/no-email model, good privacy reputation, open clients.

• Status: local client + paid VPN service.

• Caveats: VPNs shift trust; not anonymity magic.• NetBird — license mixed/NOASSERTION in GitHub API — https://netbird.io — source: GitHub - netbirdio/netbird: Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls. · GitHub — latest observed:

v0.70.5, 2026-05-05.

• WireGuard-based private overlay network with SSO/MFA/access controls.

• Why care: self-hostable secure remote access alternative to traditional VPN sprawl.

• Status: self-hostable or cloud.

• Caveats: license/commercial boundaries deserve checking before “pure FOSS” framing.

• Headscale — BSD-3-Clause — source: GitHub - juanfont/headscale: An open source, self-hosted implementation of the Tailscale control server · GitHub — latest observed: v0.28.0, 2026-02-04.

• Self-hosted implementation of the Tailscale control server.

• Why care: sovereignty for tailnet-style WireGuard networks.

• Status: self-hosted control plane; uses Tailscale clients.

• Caveats: not all Tailscale SaaS features; operational complexity.

• AdGuard Home — GPL-3.0 — AdGuard Home | Network-wide software for any OS: Windows, macOS, Linux — source: GitHub - AdguardTeam/AdGuardHome: Network-wide ads & trackers blocking DNS server · GitHub —

latest observed: v0.107.74, 2026-04-16.

• Network-wide DNS ad/tracker blocker.

• Why care: easy win for household privacy and visibility.

• Status: self-hosted/local network.

• Caveats: DNS blocking is not a complete tracker solution; needs allowlist tuning.

• Pi-hole — license not detected by API page, project is open-source — https://pi-hole.net — source: GitHub - pi-hole/pi-hole: A black hole for Internet advertisements · GitHub — latest

observed: v6.4.2, 2026-04-24.

• Classic network ad/tracker DNS sinkhole.

• Why care: recognizable self-hosting gateway drug.

• Status: self-hosted/local network.

• Caveats: similar DNS-blocking limitations; avoid overstating privacy guarantees.

• Vaultwarden — AGPL-3.0 — source: GitHub - dani-garcia/vaultwarden: Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs · GitHub — latest observed: 1.36.0, 2026-05-03.

• Lightweight unofficial Bitwarden-compatible server in Rust.

• Why care: excellent self-hosted password manager backend for families/small teams.

• Status: self-hosted.

• Caveats: unofficial; security posture depends heavily on server hardening/backups.

• Bitwarden — mixed AGPL/commercial license per repo — https://bitwarden.com — server source: GitHub - bitwarden/server: Bitwarden infrastructure/backend (API, database, Docker, etc). · GitHub; clients:

GitHub - bitwarden/clients: Bitwarden client apps (web, browser extension, desktop, and cli). · GitHub — recent observed: server v2026.4.1 2026-05-05; browser client v2026.4.0 2026-05-07.

• Password/passkey manager with open clients/server components.

• Why care: mainstream, auditable, self-host option.

• Status: hosted or self-hosted.

• Caveats: license is not uniformly AGPL; enterprise/commercial components exist.

• KeePassXC — GPL family (project page/source) — https://keepassxc.org — source: GitHub - keepassxreboot/keepassxc: KeePassXC is a cross-platform community-driven port of the Windows application “KeePass Password Safe”. · GitHub — latest

observed: 2.7.12, 2026-03-10.

• Offline/local password database manager.

• Why care: no cloud account, excellent local-first password management.

• Status: fully local; sync database yourself if desired.

• Caveats: users must manage database sync/backups and avoid conflicts.

• Cryptomator — GPL-3.0 — https://cryptomator.org — source: GitHub - cryptomator/cryptomator: Cryptomator for Windows, macOS, and Linux: Secure client-side encryption for your cloud storage, ensuring privacy and control over your data. · GitHub — latest observed: 1.19.2, 2026-03-20.

• Client-side encryption vaults for cloud storage.

• Why care: make Dropbox/iCloud/Drive less trusted by encrypting before upload.

• Status: local app; cloud-provider agnostic.- Caveats: mobile apps may have different licensing/pricing; backups still required.

• BorgBackup — BSD-style open-source project — https://www.borgbackup.org — source: GitHub - borgbackup/borg: Deduplicating archiver with compression and authenticated encryption. · GitHub — latest observed:

1.4.4, 2026-03-19.

• Deduplicating, compressed, authenticated-encryption backups.

• Why care: serious backup tooling for self-hosters.

• Status: local/self-managed, often paired with BorgBase or SSH storage.

• Caveats: CLI-first; restore testing is mandatory.

• Syncthing — MPL-2.0 — https://syncthing.net — source: GitHub - syncthing/syncthing: Open Source Continuous File Synchronization · GitHub — latest observed: v2.0.16, 2026-04-07.

• Peer-to-peer continuous file synchronization.

• Why care: own your sync without a central cloud.

• Status: local/P2P, no central account required.

• Caveats: not a backup by itself; conflict handling/user education needed.

• Nextcloud — AGPL-3.0 — https://nextcloud.com — source: GitHub - nextcloud/server: ☁️ Nextcloud server, a safe home for all your data · GitHub — latest observed: v33.0.3, 2026-04-30.

• Self-hosted files, sharing, calendars, contacts, collaboration ecosystem.

• Why care: broad “personal cloud” stack.

• Status: self-hosted or hosted providers.

• Caveats: can become heavy/maintenance-prone; security updates are critical.

• Joplin — AGPL-3.0-or-later with subdirectory exceptions — https://joplinapp.org — source: GitHub - laurent22/joplin: Joplin - the privacy-focused note taking app with sync capabilities for Windows, macOS, Linux, Android and iOS. · GitHub — latest observed:

v3.6.11, 2026-05-08.

• Notes/to-dos with end-to-end encryption and many sync backends.

• Why care: practical private notes without SaaS lock-in.

• Status: local-first clients; sync via file/WebDAV/Nextcloud/Joplin Cloud/etc.

• Caveats: E2EE setup/sync behavior needs clear explanation.

• Radicale — GPL-3.0 — https://radicale.org — source: GitHub - Kozea/Radicale: A simple CalDAV (calendar) and CardDAV (contact) server. · GitHub — latest observed: v3.7.2, 2026-04-29.

• Lightweight CalDAV/CardDAV server for calendars and contacts.

• Why care: simple self-host replacement for Google/iCloud calendar/contact sync.

• Status: self-hosted.

• Caveats: less all-in-one polish than Nextcloud; auth/reverse proxy must be done right.

• Stalwart — license not verified in raw check — https://stalw.art — source: GitHub - stalwartlabs/stalwart: All-in-one Mail & Collaboration server. Secure, scalable and fluent in every protocol (IMAP, JMAP, SMTP, CalDAV, CardDAV, WebDAV). · GitHub — latest observed: v0.16.4,

2026-05-05.

• All-in-one mail and collaboration server: SMTP/IMAP/JMAP/CalDAV/CardDAV/WebDAV.

• Why care: modern self-hosted mail stack worth watching.

• Status: self-hosted.

• Caveats: self-hosting email remains hard because of deliverability/reputation, not just software.

• ntfy — Apache-2.0 — https://ntfy.sh — source: GitHub - binwiederhier/ntfy: Send push notifications to your phone or desktop using PUT/POST · GitHub — latest observed: v2.22.0, 2026-04-21.

• Pub-sub push notifications over HTTP; mobile/desktop integrations.

• Why care: self-hosted alerts without proprietary push-heavy workflows where possible.

• Status: hosted or self-hosted.

• Caveats: notification privacy depends on topic secrecy/configuration and mobile push path.

• Plausible Analytics — AGPL-3.0 — https://plausible.io — source: GitHub - plausible/analytics: Open source, privacy-first web analytics. Lightweight, cookie-free Google Analytics alternative. Self-hosted or cloud. · GitHub — release observed: v3.2.0, 2026-01-26;

repo pushed 2026-05-11.

• Cookie-free privacy-first web analytics.

• Why care: viable Google Analytics replacement for privacy-respecting sites.- Status: hosted or self-hosted.

• Caveats: self-hosting at scale requires ops; hosted plan easiest.

• Umami — MIT — https://umami.is — source: GitHub - umami-software/umami: Umami is a modern, privacy-focused analytics platform. An open-source alternative to Google Analytics, Mixpanel and Amplitude. · GitHub — latest observed: v3.1.0, 2026-04-16.

• Lightweight privacy-focused analytics.

• Why care: simple self-host analytics for personal sites/apps.

• Status: hosted or self-hosted.

• Caveats: ensure configuration avoids collecting unnecessary identifiers.

• Matomo — GPL-3.0 — https://matomo.org — source: GitHub - matomo-org/matomo: Empowering People Ethically 🚀 — Matomo is hiring! Join us → https://matomo.org/jobs Matomo is the leading open-source alternative to Google Analytics, giving you complete control and built-in privacy. Easily collect, visualise, and analyse data from websites & apps. Star us on GitHub ⭐️ – Pull Requests welcome! · GitHub — latest observed: 5.10.0, 2026-05-03.

• Full-featured open-source analytics suite.

• Why care: mature GA alternative with data ownership.

• Status: hosted or self-hosted.

• Caveats: heavier than Plausible/Umami; privacy depends on settings.

• Ollama — MIT — https://ollama.com — source: GitHub - ollama/ollama: Get up and running with Kimi-K2.5, GLM-5, MiniMax, DeepSeek, gpt-oss, Qwen, Gemma and other models. · GitHub — latest observed: v0.23.2, 2026-05-07.

• Local model runner for LLMs.

• Why care: private/local AI experimentation without sending prompts to cloud APIs.

• Status: local; can expose LAN APIs if configured.

• Caveats: model weights/licenses vary; local does not equal secure if exposed.

• llama.cpp — MIT — source: GitHub - ggml-org/llama.cpp: LLM inference in C/C++ · GitHub — latest observed release tag b9106, 2026-05-11.

• C/C++ LLM inference engine.

• Why care: foundation for private, portable local AI.

• Status: local/library/CLI/server.

• Caveats: more technical; same model-license caveat.

• Open WebUI — license not detected by API page — https://openwebui.com — source: GitHub - open-webui/open-webui: User-friendly AI Interface (Supports Ollama, OpenAI API, ...) · GitHub — latest

observed: v0.9.5, 2026-05-10.

• Browser UI for local/hosted LLM backends such as Ollama.

• Why care: self-hosted “ChatGPT-like” UX for local models.

• Status: self-hosted/local network.

• Caveats: secure access/auth if exposed; verify license for FOSS framing.

• Wazuh — license not detected by API page — https://wazuh.com — source: GitHub - wazuh/wazuh: Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads. · GitHub — latest observed: v4.14.5,

2026-04-23.

• Open-source security monitoring/XDR/SIEM for endpoints and cloud workloads.

• Why care: blue-team visibility for homelabs/small orgs.

• Status: self-hosted server + agents.

• Caveats: heavyweight; alert fatigue/tuning required.

• CrowdSec — MIT — https://crowdsec.net — source: GitHub - crowdsecurity/crowdsec: CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI. · GitHub — latest observed: v1.7.8, 2026-05-11.

• Collaborative intrusion prevention using local behavior detection plus community blocklists.

• Why care: accessible defensive automation for exposed services.

• Status: self-hosted agent; optional central/community intelligence.

• Caveats: community CTI model requires explaining data sharing/trust.

• OpenBao — MPL-2.0 — https://openbao.org — source: GitHub - openbao/openbao: OpenBao is a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. · GitHub — latest observed: v2.5.3, 2026-04-20.

• Open-source secrets/certificates/keys management fork/ecosystem alternative to Vault.

• Why care: sovereign secrets management for teams/homelabs.- Status: self-hosted.

• Caveats: operationally sensitive; bad setup can centralize risk.

• Infisical — license not detected by API page — https://infisical.com — source: GitHub - Infisical/infisical: Infisical is the open-source platform for secrets, certificates, and privileged access management. · GitHub — latest observed: v0.159.28,

2026-05-09.

• Secrets, certificates, and privileged access management platform.

• Why care: developer-friendly open-source secret management.

• Status: self-hosted or cloud.

• Caveats: check edition/licensing boundaries for FOSS segment.

• Aegis Authenticator — GPL-3.0 — https://getaegis.app — source: GitHub - beemdevelopment/Aegis: A free, secure and open source app for Android to manage your 2-step verification tokens. · GitHub — latest observed: v3.4.2,

2026-02-24.

• Android 2FA/TOTP manager with encrypted backups.

• Why care: privacy-respecting alternative to Google/Authy-style authenticators.

• Status: local Android app.

• Caveats: Android-only; users must backup vault securely.

• Neo Store — GPL-3.0 — source: GitHub - NeoApplications/Neo-Store: An F-Droid client with modern UI and an arsenal of extra features. · GitHub — latest observed: 1.2.6, 2026-04-25.

• Modern F-Droid client.

• Why care: better UX for finding/updating FOSS Android apps.

• Status: local Android app using F-Droid repos.

• Caveats: repository trust and signing still matter.

• Obtainium — GPL-3.0 — source: GitHub - ImranR98/Obtainium: Get Android app updates straight from the source. · GitHub — latest observed: v1.4.3, 2026-04-16.

• Android app updater that pulls releases directly from source pages such as GitHub/GitLab/F-Droid.

• Why care: useful for privacy Android users outside Play Store.

• Status: local Android app.

• Caveats: users must understand source trust and update provenance.

• GrapheneOS — open-source Android hardening project — https://grapheneos.org — source manifest:

GitHub - GrapheneOS/platform_manifest: Repo manifest for the GrapheneOS mobile privacy and security hardening project. · GitHub — repo pushed 2026-05-09.

• Security/privacy hardened mobile OS for supported Pixel devices.

• Why care: gold-standard consumer mobile hardening story.

• Status: full OS, local device sovereignty.

• Caveats: device support is narrow; OS install changes threat/support model.