Ask Your Question
6

Is it safe to use Fedy, postinstalerf or third party helpers?

asked 2015-03-17 12:31:35 -0600

Agnel gravatar image

updated 2016-10-30 08:14:18 -0600

hhlp gravatar image

Recently I came across Fedy at http://satya164.github.io/fedy/ and I see a few blog posts about this software and it seems to be quite popular. How safe is it to use? Can it be trusted and if so why isn't it available in the usual repos?

edit retag flag offensive close merge delete

Comments

1

Fedy (Fedora Utils) is a great tool; as other great third party projects also includes the source code. Maybe need make rpm for some packages but is a learn process.

davidva gravatar imagedavidva ( 2015-03-18 13:00:22 -0600 )edit

7 Answers

Sort by ยป oldest newest most voted
8

answered 2015-03-18 06:29:22 -0600

FranciscoD_ gravatar image

updated 2015-03-18 06:34:12 -0600

I have mixed feelings towards using third party helpers. I don't recommend using them unless you're absolutely sure you know what they're doing. I've been helping troubleshoot Fedora systems for a while now and quite a few times, people break their systems and when you ask them what they did, they reply "I used $third_party_helper" which, quite frankly doesn't tell us anything.

If you know what the tool is doing, use it. If you don't, first find out and then use it. Generally, when you look into what it's doing, you realise how trivial it all is and you can just do it yourself. Use them because they are convenient, don't use them because you don't know what to do and they'll to everything for you.

Most third party helpers provide a one click solution to common tasks. I don't know what fedy does, but I'm quite certain it's just a frontend - everything it does can be done yourself. One perk of not using a third party helper, apart from knowing exactly what your system configuration is, is that you learn quite a bit. For example, if you take the trouble to set up RPMFusion yourself and install the media codecs, you learn why they aren't in Fedora in the first place - you learn what RPMFusion is - who maintains it - even something about how it works. If you use a third party tool, you skip all this important information - you just click and it does everything for you - you don't learn what codecs are exactly needed - it'll just install them all - you don't learn anything about RPMFusion - about packages forbidden in Fedora and so on. How many people know why there's an RPMFusion free repo and a different RPMFusion non-free repo? Did you know that there is software that even RPMFusion won't accept?

Basically, it pays to know exactly what your system is - what packages - what tweaks - everything. It's why we use open source software - so that we can look at the code and be completely sure of exactly everything that's happening. Sure, you generally don't look at the kernel code, but you can if you wanted to.

edit flag offensive delete link more

Comments

5

I've looked at the source for a couple of these third party installers when helping to troubleshoot problems where they are a factor. In some cases, they're quite sane, safe, and straightforward; in other cases, they do things that I find awkward or even detrimental. It's not limited to "This helper tool is good, this one is bad" - it's "this helper tool does this specific function in a good way, but this other specific function in a bad way".

From a contributor standpoint, I think the effort put into making a given piece of software work in a given third part installer could be better spent. One case I saw stands out; the tool was going through an elaborate process of extracting files from an ubuntu package and installing them over the filesystem, and extracting various tarballs for dependencies over the filesystem, then doing a bunch ...(more)

randomuser gravatar imagerandomuser ( 2015-03-18 11:34:24 -0600 )edit
3

answered 2015-11-23 14:25:27 -0600

Striker gravatar image

updated 2015-11-24 03:28:09 -0600

FranciscoD_ gravatar image

I don't think it is safe at all.

fedy-core-4.0.9-1.fc22/usr/share/fedy $ cat config.json 
{
        "malicious": [
                {
                        "variations": [
                                "^rm \\-rf \\.$", "^rm \\-rf \\/$", "^rm \\-rf \\*$",
                                "^rm \\-r \\.\\[\\^\\.\\]\\*", "^rm.*\\-\\-no\\-preserve\\-root",
                                "^echo cm0gLXJmIH4vKg== \\| base64 \\-d", "python \\-c.*sn!\\.sg!\\+"
                        ],
                        "description": "delete all files"
                },

                {
                        "variations": [ "^mv .* \/dev\/null", "^rm \\-?\\S+ \\/\\w\\/?\\w?" ],
                        "description": "delete important files"
                },

                {
                        "variations": [ ".* > \\/dev\\/sda", "dd if=.* of=\\/dev\\/sda", "mkfs\\..* \\/dev\\/sda" ],
                        "description": "overwrite or wipe hard disk"
                },

                {
                        "variations": [
                                "echo 1 > \\/proc\\/sys\\/kernel\\/panic", "cat \\/dev\\/zero > \\/dev\\/mem",
                                "dd if=\\/dev\\/random of=\\/dev\\/port", "cat \\/dev\\/port"
                        ],
                        "description": "cause kernel panic"
                },

                {
                        "variations": [ ":\\(\\)\\{:\\|:&\\};:" ],
                        "description": "freeze the system"
                }
        ]
}


fedy-core-4.0.9-1.fc22/usr $ grep -r -i config.json .
./share/fedy/app.js:        let system = this._loadJSON(GLib.get_current_dir() + "/config.json");
./share/fedy/app.js:        let user = this._loadJSON(GLib.get_user_data_dir() + "/fedy/config.json");
edit flag offensive delete link more

Comments

Seriously?!?!

FranciscoD_ gravatar imageFranciscoD_ ( 2015-11-24 03:26:27 -0600 )edit
1

yup, https://github.com/folkswithhats/fedy... . Good catch, @Striker. Even if this doesn't get sourced and ran maliciously, I shudder to think of the thought process that led to it's creation...

randomuser gravatar imagerandomuser ( 2015-11-24 08:46:54 -0600 )edit

Yeah well I looked it up, Fedy downloads some software from third party repos. So for instance Java could be downloaded directly from Oracle, that even offers a packaged rpm. But other software not, and so Fedy looks up so that those malicious commands are no in there. Look Fedy is open source and safe, but it's third party links may not be safe, legal.... That is why I won't recomand Fedy, but the developer did a good job!

Daniel01 gravatar imageDaniel01 ( 2015-11-30 05:01:38 -0600 )edit
1

@Daniel01 - redistributing software and waiting until runtime to check if it is rampantly destructive is not a good approach. A trustworthy source should vet the things before exposing it to the end user.

randomuser gravatar imagerandomuser ( 2015-12-28 10:58:31 -0600 )edit
3

It appears that this array is used to scan plugins for malicious commands and prevent those commands from being run. Reference

The plugins don't come from third-party repos; they're stored in the Fedy repo on GitHub. You can see the commands that will actually be run as part of the installation process in the plugins dir. Of course, the software itself does come from third-party repos, and whether to trust those is up to the user.

rdebeasi gravatar imagerdebeasi ( 2015-12-31 10:51:00 -0600 )edit
3

answered 2015-10-14 11:55:39 -0600

Southern_Gentleman gravatar image

no fedy is not safe to use. If you cannot look at the source code and understand what it is doing do not use it or recommend it. We see people all the time using fedy comeing into the #fedora channel and there is no way to troubleshoot what is going on with fedy installed. fedy installs rpmfusion which is safe but the other stuf it does can and will give you issues in the long run.

edit flag offensive delete link more
0

answered 2015-03-18 01:40:21 -0600

I don't know why it's not in the usual repos - maybe no one feels like packaging it.

It is safe to use; all it's really doing is automating a bunch of pretty common tasks. In fact, if you look at the code for how it does any specific thing you'll find it's quite trivial (I haven't come across any real complexity). It's great having a tool to automate stuff for you though so I would recommend it.

Ironically I don't have it installed on my FC21 setup right now - I used to use it when it was "Fedora-utils" though. The point is, I count vouch for it running on FC21

edit flag offensive delete link more
0

answered 2016-02-01 23:42:01 -0600

Software that makes your computer easier to use is bad. Software like Fedy that makes Fedora more accessible to regular users is the worst kind of bad. We don't want people like that to be able to use Fedora. It's better to push them over to Ubuntu if they want easy installs and don't want to take the time to search for instructions, re-read them several times to understand them, manually run the install commands, correct errors, rerun the install commands, ask for help on forums when it doesn't work, wait for responses, repeat from the beginning, file bug reports, and then give up when no one can answer their question. People who actually want skip over this glorious configuration/installation step and go right to the task they're trying to accomplish are just wrong. And more so for the terrible people would would stoop so low as to write helpful software like Fedy.

edit flag offensive delete link more

Comments

Not quite. It's a learning process. Imagine you gained some experience with handling a GNU Linux OS and you switch to Fedora. Why not using a software "that makes your computer easier to use" in the beginning until you master it. (And then do rocket-science stuff like this http://accumulatorx.com/wp/index.php/... ).

-1 for not answering the question. Answer is an opinion, and does not useful facts.

florian gravatar imageflorian ( 2016-02-02 11:14:31 -0600 )edit

This biting sarcasm is clearly directed at the Fedora community. You're tacitly lauding the use case of fedy and the plight of it's target audience without addressing the actual technical efficacy of Fedy. Please take a moment to read https://getfedora.org/code-of-conduct .

randomuser gravatar imagerandomuser ( 2016-02-02 21:18:59 -0600 )edit

Yes, it's sarcasm. I'm responding to people who assumed it was bad simply because it allowed the user to skip configuration tasks and go right to what he wanted to do, or because it wasn't part of the core distribution, or because it was assumed to be insecure without any valid evidence. We should be welcoming contributions like Fedy and not rejecting them out of prejudice.

I'm pointing out a very important issue that is a serious problem for new users and the attitude of experienced users that causes the problem. Maybe I could have done it in a less offensive way. My apologies.

Bill Chatfield gravatar imageBill Chatfield ( 2016-02-07 12:44:12 -0600 )edit
2

I read the code of conduct. It is very good. I agree with it. I could have been more tactful on this post. My apologizes to anyone I offended. I meant no offense. My goal is just to improve Fedora, especially for beginners.

Bill Chatfield gravatar imageBill Chatfield ( 2016-02-07 13:04:54 -0600 )edit
0

answered 2016-10-31 05:19:27 -0600

fedoramonsecond gravatar image

Fedy is not updated anymore apparently and doesn't state which version of Fedora it supports (which is a very unprofessional way of conduct). Please steer clear. Please also consider using Chapeau or Korora spins of Fedora.

edit flag offensive delete link more
0

answered 2015-03-18 04:06:46 -0600

visciddust gravatar image

Yes it is very useful and is safe to use. I use it myself.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

Stats

Asked: 2015-03-17 12:31:35 -0600

Seen: 6,976 times

Last updated: Oct 30 '16