by otto_ortega 3133 days ago
If you are planning to try Fedora, here is my recommendation to get an astonishingly great set up in no time:

- Do a fresh install

- Use Fedy [0] to install, with a single click, pretty much any development IDE you may need plus other must-have tools (Skype, Dropbox, VirtualBox, TeamViewer, etc.)

- Install the "dash to panel" Gnome extension [1]

- Use Fedy to install Numix or Arch as themes and "pimp" your GUI ;)

- Enjoy!!

Here is how my desktop looks with the described set up: https://snag.gy/F6SM4L.jpg

[0] https://www.folkswithhats.org/

[1] https://github.com/jderose9/dash-to-panel


Fedy looks interesting, but I couldn't figure out how it works.

Is it like another package manager, or can I use dnf to manage/update the packages it installs?

Worse, it's just a collection of shell scripts:

https://github.com/folkswithhats/fedy/blob/master/plugins/an...

It does no signature validation whatsoever or dependency tracking.

Don't use it if you care about security or a clean system.

How is a collection of scripts for which you can easily read and edit the source code "worse" than installing an rpm package or a compiled program?

The thing about signature validation can be easily resolved with a simple text replace. About dependency tracking: as I said, it is not a package manager and it uses dnf under the hood, which already does that.

Unless you only install open source software AFTER doing a full source code audit, you are blatantly overreacting just to look "security conscious".

For disclosure: I don't have anything to do with the project other than the fact that I have been using it for years without any issue.

I know plenty of folks who've ridden motorcycles helmetless for years without any issue.

It's a collection of scripts written in a non-idempotent manner, and run in an uncontrolled, undefined environment. The benefit of binary packages is that you have a reasonable idea that the package will consistently build in a well defined environment (the base build chroot for the OS + the defined dependencies in the package). The result is a consistent reproducible binary that means when you run version x.y.z it's the same as version x.y.z that I'm running, and the same as version x.y.z that the package maintainer is running.

When software is "packaged" via install scripts that fetch and build from the internet on the fly with loosely defined versions, you stand a lot of risk of breaking your environment. If you only spend time in toy environments playing games and looking at cat pictures, that's fine.

If you rely on the tools you work with to be stable, perform in a consistent manner, and not accidentally leak information about your environment (you'd be shocked by how many test suites will post your local environment variables out to arbitrary metrics collection points), then pre-built binary packages are a safe and reliable way to operate.

You can have fun letting the wind blow through your hair; I'll keep my helmet on, thanks.

https://github.com/folkswithhats/fedy/blob/master/plugins/an...

I made it 10 lines into the very first plugin before hitting a point where the installer script is downloading a file over an insecure connection, and treating it as a list of trusted URLs.

And look where those nefarious links are pointing!! developer.android.com and dl.google.com...

As I said, if you feel safer because you run all those commands manually, it is ok...

You are changing your argument... You were originally talking about security and whatever you define as a "clean system", not about stability and robustness, and in that regard my point remains valid:

Binary packages are not intrinsically more secure than plain text scripts that you can easily audit.

If you feel safer because you are executing by hand a bunch of commands that can be automated with a script that's ok.

In my case I'd rather spend that time doing something more productive.

Build integrity is inherently a security issue.

You're replying to the wrong person.
After initially recoiling in horror at running a `curl|bash` installer, I opened the installer in a browser planning on reading the install script. "Helpfully" the script is served up as `binary/octet-stream`, so instead of looking at it in the browser, I got to open it in an editor.

From there, it looks like the script does little more than add the `rpmfusion-free-release`, `rpmfusion-nonfree-release` and `folkswithhats-release` repositories. Of course since we started the install process through a shady insecure means, we should add the repos the same way. So every repo gets added via `dnf -y --nogpgcheck install https://url-to-repo-release-package`.

I went to browse the `folkswithhats` repo, but found it's hosted on AWS S3 and doesn't provide a directory index.
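The two concerns raised in this thread, an installer that fetches its trusted URL list over plain HTTP and one that adds repositories with `dnf -y --nogpgcheck` (or pipes `curl` straight into `bash`), are easy to catch mechanically before running anything. The following is an added example, not Fedy's code: a small auditor that flags those patterns in an installer script, run here over a constructed sample (the `example.invalid` URLs are placeholders).

```python
import re
from typing import List, Tuple

# Patterns reflecting the concerns raised above: plaintext HTTP fetches,
# package signature checks switched off, and "curl ... | bash" style execution.
CHECKS = [
    ("insecure-http", re.compile(r"\bhttp://\S+")),
    ("gpgcheck-disabled", re.compile(r"--nogpgcheck\b|\bgpgcheck\s*=\s*0\b")),
    ("pipe-to-shell", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba)?sh\b")),
]


def audit_installer(script: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding, line) for every risky line.

    Comment lines are skipped so that URLs mentioned in comments are not flagged.
    """
    findings = []
    for n, line in enumerate(script.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for name, pattern in CHECKS:
            if pattern.search(line):
                findings.append((n, name, line.strip()))
    return findings


# Constructed sample installer (not a real project's script). Lines 3-5 show the
# weak patterns; line 6 is the acceptable form: HTTPS with signature checking on.
SAMPLE = """\
#!/bin/bash
# http://example.invalid/ in a comment is not flagged
URLS=$(curl -s http://example.invalid/urls.txt)
dnf -y --nogpgcheck install https://example.invalid/release.rpm
curl -sL https://example.invalid/install.sh | sudo bash
dnf -y install https://example.invalid/release.rpm
"""


def main() -> None:
    for n, name, line in audit_installer(SAMPLE):
        print(f"line {n}: {name}: {line}")


if __name__ == "__main__":
    main()
```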

You are overly paranoid... The GitHub repo is literally the first thing that shows up when searching for "Fedy" on Google:

https://github.com/folkswithhats/fedy

If the "--nogpgcheck" bothers you, a simple text replace over the source code solves it.

Same with the "curl|bash" thing, you are not obligated to run it that way, you can just clone the repo and run it however you want, it is open source!

It is funny the way people overreact with things like this with projects that are open source but are ok installing closed source software and feel safe because they got it from the official repos...

You're suggesting a solution for a very common use case many Fedora users have (i.e. installing Skype, Viber etc.) in a New Release thread on a highly visible forum. This means many people could find and run this code, so I think it's warranted to analyze its security instead of dismissing it. I agree it has some bad security practices, which are hard to trust in this day and age.

I don't mean to dump on this project or the people behind it, fair dues to them for putting it together to make people's lives easier. But widely used software must be built and distributed securely.

Since it is GPL3, I wonder why the authors don't build and distribute it from COPR directly from github? It would solve the same problems, and make it easier to trust.

It is not another package manager, it is a utility to automate the process of installing/uninstalling software that normally won't be available under the software manager application that comes with Fedora.

It will add the repos, dependencies and execute all other steps that you will have to do manually otherwise, to have any of the programs supported installed on your PC.

After that you can manage any of them with dnf.

It is a great utility, extremely useful.

Here is a bunch of screenshots of all the things you can install with one click using Fedy:

https://www.dropbox.com/sh/oakue3yuc287ioq/AAARUn9Usi3IgaA27...