Please reduce use of sudo in README #11875
Comments
No it does not. No
Don't see much difference. You are still using
You can't know the intention beforehand. Those who are aware can handle this themselves. We provide generic instructions for the average user that will just work.
Yeah, I just noticed it's used only for the updating. But still… The difference is simple: at the moment, you are running complex tools like Sure, it works for the average user, but you are also suggesting highly insecure practices and fueling average user naïveté about it. And of course, you can't know the intentions beforehand, but I'd be surprised if the majority of the people doing manual installations do so for multiple users. If they just do it for themselves, then no
Users are expected to verify downloaded files with GPG keys, so MITM attacks won't work. Indeed README.md should mention GPG keys...
Yes, they should do so in addition. However, I suspect that the kind of user for which this documentation is written (i.e. the one that's best told to use Whatever.
IMO downloading files using sudo is safer - it prevents unauthorized modifications to downloaded files. youtube-dl checks GPG signatures during updates, too. (see youtube_dl/update.py), so it's not a big problem.
How so?
If youtube-dl is owned by the current user, all user processes can modify it at any time. You may argue that downloading with local user and chown to root solves the problem, but there's If you have a Mac, you may want to compare Homebrew and common Linux package managers like apt-get/yum/pacman. The former is more fragile as installed files may change without notice.
Your view of security is, uh, just too different for me to be able to participate in this any longer. Good luck. |
The README.md file uses a lot of sudo, e.g. to invoke curl or wget, but also to actually invoke youtube-dl. But I am sure you'll agree that use of sudo should be kept to an absolute minimum.

So I suggest to use curl/wget as user and then copy the file to /usr/local/bin using install (which also takes care of chmod), if that's even necessary. Often, the use will be single-user, and then it'd be better to use something like ~/bin.
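
The approach proposed in the issue, as an added shell example (not taken from the youtube-dl README or written by anyone in this thread): download as the invoking user, check a detached GPG signature as mentioned in the comments, and call sudo only for the final install step when the destination is not user-writable. The function names, the URL and the signature file location are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Only the final copy may need sudo.

# Download as the invoking user into a private temp dir; prints the file path.
# $1 = URL (the page gives none; pass your own).
fetch_as_user() {
    tmp=$(mktemp -d) || return 1
    curl -fsSL -o "$tmp/youtube-dl" "$1" || { rm -rf "$tmp"; return 1; }
    printf '%s\n' "$tmp/youtube-dl"
}

# Check a detached signature as the user: $1 = file, $2 = signature file
# (assumed name/location). Requires the signer's key in the user's keyring.
verify_sig() {
    gpg --verify "$2" "$1"
}

# Prints "no" when the destination (or its nearest existing ancestor) is
# writable by the current user, "yes" otherwise.
needs_sudo() {
    d=$1
    while [ ! -e "$d" ]; do d=$(dirname "$d"); done
    if [ -d "$d" ] && [ -w "$d" ]; then echo no; else echo yes; fi
}

# $1 = downloaded file, $2 = destination dir, $3 = installed name (optional).
install_min_priv() {
    src=$1; dest=$2; name=${3:-youtube-dl}
    [ -f "$src" ] || { echo "missing file: $src" >&2; return 2; }
    if [ "$(needs_sudo "$dest")" = no ]; then
        # Single-user case (e.g. ~/bin): no privilege needed at all.
        mkdir -p "$dest" && install -m 0755 "$src" "$dest/$name"
    else
        # System-wide case (e.g. /usr/local/bin): sudo wraps install only,
        # never curl, wget, or the program itself.
        sudo install -d "$dest" &&
            sudo install -o root -m 0755 "$src" "$dest/$name"
    fi
}

# Usage (not executed here; placeholder URL, signature fetched to "$f.sig"):
#   f=$(fetch_as_user "https://example.invalid/youtube-dl") &&
#   verify_sig "$f" "$f.sig" && install_min_priv "$f" "$HOME/bin"
```

With a root-owned destination the installed file is also owned by root, so other processes running as the user cannot rewrite it after installation.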