[Gormo]

Just downloaded source and built this to play around with it. I was a bit surprised that the first thing it did when I ran it was to start downloading binaries from the internet. It went off to fetch FFMpeg from some remote server, but I already have FFMpeg installed. Then it tried and failed to install its own Python interpreter, which is another thing that's already present on the system.

How come this is trying to install its own vendored dependencies, including executable binaries, instead of checking for what's already installed? That approach can lead to both security and performance issues.

Edit: the Python download isn't failing, but rather the application itself is looking for the executable interpreter in `lib` rather than `bin` once the download completes. I built the release tarball in the git repo, and I'm pretty amazed that such a basic error could make it into release code.

Further edit: I tried using the build script in the tarball rather than just doing a `cargo build -r`, and it started trying to install Docker containers! Docker to build a desktop application! What is going on here?

[raincole]

> instead of checking for what's already installed

Plenty of software come with their own Python runtime. Even Blender uses its own Python runtime. I can name so many apps with embedded Python runtime: Blender, Houdini, Bitwig, Substance Painter, Krita, etc. Checking for what's already installed isn't the norm. In Krita's case, it uses installed Python to build it... and in the building process it builds another Python runtime for its own!

This app should have probably bundled the runtime instead of downloading a new one though.

> install its own vendored dependencies

> lead to both security and performance issues

npm install and pip -r theoretically have the same kind of security issue. How many projects on github run this kind of command during build process? My guess is in the order of millions.

[throw_await]

All reasonable Linux distro will patch these stupid things to usw the system interpreter.

[raincole]

It's not how it works. You can just install whichever linux distro of your favorite, download blender or krita, and see it uses its own python by default yourself.

And thankfully it's not how it works. If it were it'd break plugin ecosystems of many apps completely.

[ajsnigrutin]

gentoo (a lot of lines removed):

  $ strace blender-4.4 
  ..
  openat(AT_FDCWD, "/usr/lib64/libpython3.13.so.1.0", O_RDONLY|O_CLOEXEC) = 3
  ...
  openat(AT_FDCWD, "/usr/lib/python3.13", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 12
  ...

No issues with plugins

[Gormo]

And even if the build scripts are downloading deps, having the application itself install dependencies to the user's home directory at runtime is unheard of.

[mft_]

It's probably pertinent to mention that the Python installation ecosystem is a hot mess, with multiple ways of installing Python (e.g. standard Python installer, multiple different packages managers on different OSes, Conda, and myriad package managers which can also install Python. And of course, these can all be in different locations, and may have different approaches to installing libraries.

Which is to say, I don't blame the author for wanting a single installation that his app can manage and rely on, even though I wish it was different.

[cynicalkane]

The app is vibecoded. The author isn't making decisions about these tradeoffs and possibly wasn't aware of the implications of these decisions at all. The robot they used tried to fulfill its given prompts at the expense of everything else, which is why it's looking in bad directories and trying to install Docker environments in the build script.

I suspect that some of the author's comments in this thread are vibe-written, also. They are LLM-flavored and contrast strongly vs. their regular commenting.

[selcuka]

> The app is vibecoded. The author isn't making decisions about these tradeoffs and possibly wasn't aware of the implications of these decisions at all. The

I agree, but to be fair this is how I would code it, too. I would have probably bundled the Python interpreter and only downloaded the FFmpeg binary (because of its license), but that's a relatively minor difference.

[cozzyd]

Do.. people not already have ffmpeg on their machines? In that case it should use the system package manager.

[selcuka]

Not all people do. Also it may be a different version that doesn't support the command line arguments that you use, or it may not have been compiled with the flags that you want. It's just less headache to vendor it.

[LtWorf]

It's not open source if it has to download binaries from the internet to run.

[avadodin]

I agree with the sentiment but that definition would make open source Windows programs not open source either.

[LtWorf]

Why? Apparently even the build scripts download stuff here…

[ramesh31]

>How come this is trying to install its own vendored dependencies, including executable binaries, instead of checking for what's already installed? That approach can lead to both security and performance issues.

Because the person who vibecoded this had no idea they should have been doing that.

[solvik]

It’s a desktop app for mostly non-technical users, so bundling the runtime is a deliberate tradeoff to reduce setup friction and machine-specific breakage.

That said, an optional “use system environment if available” mode could make sense for advanced users. A PR for that would be welcome, as long as it also handles the real complexity involved: platform differences, Python package compatibility, GPU backends, and missing system/compiler flags.

[Gormo]

> It’s a desktop app for mostly non-technical users, so bundling the runtime is a deliberate tradeoff to reduce setup friction and machine-specific breakage.

That's not a very reasonable justification, considering that dynamic linking of dependencies has been industry standard in software designed for "non-technical users" for the past thirty years or so, and is basically a solved problem.

I can understand having a downloadable archive that already includes things like FFMpeg and Python for Windows users (with everything already included in appropriate locations, so no runtime downloads necessary).

But this is an especially bad practice for Linux, since most of the vendored dependencies are already installed by default on pretty much every Linux distro, and package managers are designed to sort out and install appropriate dependencies on behalf users, so that the "non-technical" among them aren't exposed to the massive risks of having application software retrieve and execute arbitrary binaries from the internet.

The only thing it somewhat makes sense for would be the AI models it's retrieving, but even that ought to be implemented via a separate download/update script and not just baked into the main application runtime without even prompting the user that it's about to download a huge dataset.

> A PR for that would be welcome, as long as it also handles the real complexity involved: platform differences, Python package compatibility, GPU backends, and missing system/compiler flags.

These are the sort of things that config scripts at build time are designed to handle. It's already using Cargo here, which should be able to handle all of this just fine, so it's very perplexing to see that it isn't being used for this purpose, and what should be build-time dependency resolution is instead being palmed off to the application itself at runtime. That is an extremely strange -- and potentially dangerous -- approach.

[marssaxman]

> dynamic linking of dependencies has been industry standard

So it has, and I've been hating the excess complexity it brings for most of that thirty years! I'm glad to see the recent swing back toward self-contained executables. Where this author went wrong was not in vendoring the app's exact dependencies, which is a good idea, but in trying to download them and install them separately on first launch, rather than including them in the app bundle, where they can remain isolated from the rest of the system.

[Gormo]

> So it has, and I've been hating the excess complexity it brings for most of that thirty years!

It reduces complexity compared to the administrative and security mess of every application having its own version of every library, let alone its own version of external tools and interpreters.

> I'm glad to see the recent swing back toward self-contained executables.

I wish there was one. Static linking is a great solution for this. Instead, we're seeing dynamically linked libraries being bundled alongside of executables in a way that increases complexity vastly.

> Where this author went wrong was not in vendoring the app's exact dependencies, which is a good idea, but in trying to download them and install them separately on first launch, rather than including them in the app bundle, where they can remain isolated from the rest of the system.

Agreed. Dependency resolution at build time is normal. Dependency resolution in user mode at runtime is crazy.

[SchemaLoad]

I'd agree if they actually were bundled rather than trying to hotlink files off the internet on first run which is just as fragile if not more so than using the system ones.

[charcircuit]

Such a setting will cause more headaches for the developer since it explodes their support matrix. Supporting a single version of dependencies and shipping those is a much more scalable solution for delivering high quality software.

[Gormo]

Quite the opposite, in fact: if the app gains popularity that people start looking to build and package it for their respective OSes or distribution channels, the author will be inundated with support requests on account of doing dependency management in such an unusual and risky way.

"Normal" users wouldn't even encounter anything here, as they'd just install prebuilt binary packages with all of the dependencies already sorted out. As things stand, the application trying to install its own dependencies at runtime is creating a whole new class of user-facing issues to generate escalations (such as the app's failure to locate the Python interpreter it itself had just installed).

[charcircuit]

>in such an unusual and risky way

There is more risk in the shenanigans people who package software for distros do. Kdenlive suffered from big damage to their reputation due to all of the crashes packagers added by using incorrect versions of dependencies.

>"Normal" users wouldn't even encounter anything here, as they'd just install prebuilt binary packages with all of the dependencies already sorted out.

That's the benefit of just shipping what the developer released instead of swapping out dependencies under developers' feet.

[rzzzzru]

hey both!

thanks for your feedback and reports, I'd be happy if they are added as issues on github.

as said in the separate comment, I really wanted an app to be as "grandma-proof" as possible, therefore I really wanted to have one binary that does the magic for you. it's a karaoke app, not a tool that is aimed at engineers.

we can indeed look at the local packages before downloading an executable, it's just not done yet but might be added in the future.

I've built this project out of passion and it's 100% open-source and free, so please keep this in mind when criticizing.

[Gormo]

> I really wanted an app to be as "grandma-proof" as possible, therefore I really wanted to have one binary that does the magic for you.

Probably the best way to do that is to design, build, and distribute it like any other normal desktop application, and not come up with idiosyncratic and experimental methods for invoking bog-standard libraries and language interpreters.

On Windows, just include the necessary binaries as part of the application distribution itself, in hardcoded paths, without any runtime download of executables from unclear sources.

On Linux, use system defaults resolved at build time through a normal config script -- any "grandma users" on Linux will end up installing from distro repos, AppImage, Flatpak, etc, all of which have their own methods for handling dependencies, and is definitely not something the application should be trying to do by itself post-install.

[rzzzzru]

noted, mate, and thanks for the feedback, really!

I'm not experienced in building desktop apps per-se, so I went with the thing that looked reasonable to me. all your comments are valid tho. I'll take a look how can I resolve this in the future.

cheers!

[mentalgear]

While I can understand that, why not replace python deps with wasm versions ?

[rzzzzru]

Simply because I was not aware of this option, that's it. Happy to consider it and also happy to receive contributions.

[OrangeMusic]

Dog ate your shift key?

[user34283]

Personal attacks directed at people who build OSS are not cool, even if you take issue with their supposed use of AI or vendoring of dependencies.

[bheadmaster]

Vibe coders are NOT programmers, they are leeches, feeding from the blood of the open source.

[user34283]

I doubt that you know the OP's background and knowledge.

If someone on here would direct at me the insinuation that a flaw in my software was the result of me having "no idea" about what I am doing, we would not be having a civil discussion.

In my view personal attacks should be flagged, but I don't have that ability because my account does not have enough Karma.

[bheadmaster]

Look at the commit history. Vibe coded in 10 days, with obvious AI generated commit messages. Look at the diffs.

If you can't tell AI slop from handwritten code, that's your problem. I won't censor myself because of your opinions.

[user34283]

There is no need for me to look at "obvious AI generated commit messages" or check whether the code is handwritten.

Personal attacks are still against the rules of this site, and that's why you, or in this case the commenter before you, should have censored themselves. This is not a matter of opinions.

[stavros]

Yeah yeah. This app is open source too.

[bheadmaster]

That's even worse, they're polluting the open source space with AI slop. Anyone learning from open source will not learn anything useful from it.

[stavros]

Man, nobody is learning anything any more, those days are gone. Programming with actual code is a niche hobby or a hyperspecialized profession now, like demoscene coders.

Besides, even before LLMs, it's not like anyone ever said "you shouldn't have open sourced this, we can't learn from your code". We just didn't bother reading that code.

Telling off people who contribute is not OK.

[HWR_14]

> How come this is trying to install its own vendored dependencies

"Why does this new software do X?" is probably answered by "the vibe worked on my system"

[selcuka]

Not trying to sound like a luddite (I don't "vibe code" but I use LLM assistance), but after learning that Claude Code is a React app, I'm not surprised by anything anymore.

[bityard]

This is unfortunately becoming more common.

Just yesterday, I went to try out some cool new AI thing that was here on the front page of HN. It's written in Python. Great, I thought, that means I can put it into a virtualenv and just rm the whole tree when I'm done and my system will be exactly in the same state it was previously.

But sadly... no... the first time I ran it, this Python program started downloading and installing Node/NPM, and all kinds of other stuff to my machine WITHOUT even asking for permission. Sorry app developers, but my machine and my home directory are my workplace. They are curated property, you are NOT allowed to just install whatever you wish.

I expect this kind of behavior from programs whose only supported installation method is a curlpipe. (And I do avoid those.) I do not expect it from programs that claim to be installable by pip, or ship their own binaries. These NEED to be called out as vulnerable to supply-chain attacks at worst and extremely disrepectful to users at best.

[LtWorf]

I would, for safety, run the whole thing under a different user.

[ljm]

This guy just discovered static linking.

May he enjoy an eternal debate about static and dynamic linking, strong types and duck types, tabs and spaces, vim and emacs, less and more, and Kickers and Rockport.

[Crestwave]

Static linking packs the dependencies into the executable. This is basically dynamic vendoring.

[mghackerlady]

there's a difference between static linking and downloading your dependencies over the net

[ljm]

What dependencies, these days, are not downloaded over the net?

If someone put this app on CDs and gave them out at a supermarket, well, it worked for AOL 30 years back but not now.

[gbin]

You don't want to add untrusted binary download sources in your Linux system. Your distrib is already doing that. This is not strictly about "downloads from the internet" of course

[ravenstine]

> How come this is trying to install its own vendored dependencies, including executable binaries, instead of checking for what's already installed? That approach can lead to both security and performance issues.

I've been sympathetic to your viewpoint, and I can see why this kind of thing is becoming more common.

The idea that users can reliably supply their own vendor libs/execs for applications is a bit of a fantasy. Devs working on fixing issues caused by the user having a strange issue due to the version of Python or whatever that they have installed is largely a waste of time when the application can "simply" ship with the exact dependencies it expects. This is especially true when it comes to open source work. Dealing with weird edge cases because the user has a version of FFMPEG installed that, for whatever reason, is missing h264, is work that nobody asked for. Given that the audience of this kind of app is a general one (not specific at all to devs) then it doesn't make sense to require other system packages to be present; if things like Python and FFMPEG are not required and will be downloaded anyway as part of the app install process, then there's no point in not always doing that. If you think about it, it's hardly different from any other sort of software dependency. The dependencies are just relatively bigger.

Personally, I have no desire for my applications to use other executables on my system unless I request that they do so explicitly. I'm sympathetic to the idea from a mere efficiency perspective, especially when it comes to developer tooling. But a karaoke app? No offense, but why care? A Python interpreter will be anywhere between 50 and 200 megabytes. FFMPEG is even smaller, especially if you don't enable every single feature and codec. Compared to how ridiculously bloated your average basic mobile app is (without anything like a built in JIT), bundling a desktop application with something like Python provides a lot of power relative to the number of bytes added.

[Gormo]

> The idea that users can reliably supply their own vendor libs/execs for applications is a bit of a fantasy.

That's why package managers and OS repos exist. Users shouldn't have to even be aware of this sort of stuff. In this case, though, when the application starts trying to download and install its own dependencies at runtime, instead of everything already being sorted out at build time, the user is made aware of dependency resolution, and now has to deal with the issues involved.

> This is especially true when it comes to open source work. Dealing with weird edge cases because the user has a version of FFMPEG installed that, for whatever reason, is missing h264, is work that nobody asked for.

And that's what config tests at build time solve for, and have solved for decades.

[rzzzzru]

I'm just using cross https://github.com/cross-rs/cross to build cross-arch. you can still use `cargo build`, it will just work.

[Gormo]

It did, but then the application didn't work because it couldn't find the Python interpreter that it itself downloaded into its own config directory.

[canibal]

I mean... Sounds pretty clearly vibed from this description. Funnily enough this is touted as a feature, not a bug:

> Single binary > ffmpeg, Python, PyTorch, and the ML models are all bootstrapped on first launch. Nothing to install.

[jsjshsshhs]

welcome to the millenial way of doing things

always assumes internet is connected

always assumes everything is trusted