Are there any negative sides from running software from a .tar.gz?

Hi Fedora community,

I am aware of the golden rule that any software is only as good as its developers. But I am wondering what the community thinks: are there any negative sides to running software from a tar.gz? I am also interested in what the positive sides to running software from a tar.gz are.

My assumption here is that you are asking about running an app that you download as a .tar.gz file then run the app.

The positive effect is that the software app is available and can be used.

The negative implications are that risks to your identity, software, machine, etc. are only at the level of trust you assign to that package and developer, and the site it comes from.

In most cases there is minimal risk involved, but ‘buyer beware’ is always the adage to apply when using something not explicitly tested, vetted, and verified as secure by the distribution managers for the OS in use. As with any software from any 3rd party site there is always some level of security risk and that risk must be taken into account by the user.

An additional negative implication is that, especially on a distro that is in constant development such as Fedora, at some point the app you compiled locally may become incompatible with the OS and need updating. Any updates and compilations are on the shoulders of the user and not part of the distro's normal software update procedures.


*.tar means that multiple files are combined to one. (Tape Archive)

*.gz means that the files are compressed as well. (GZip compression)

Source: Stack Overflow


So you are saying … don’t follow instructions to add third party repositories, as it is risky, as only Fedora is able to deliver trusted software … adding Intel OneAPI? NVIDIA CUDA? Microsoft Edge? Google Chrome? …
You can’t do it directly, only by side lanes that are more or less functional. No wonder the ROS framework binaries are inaccessible, only for Ubuntu or RHEL 8 … if I connect a Fedora workstation to IBM Cloud resources, IBM being the parent company of Red Hat, what unknown rule am I breaking?


No.
I am saying the user assumes the risk associated with adding 3rd party repos or installing compiled software from other sources. There are risks. The user needs to educate themselves on what those risks are and make the decision to use or not use that software.


Normally, applications need dependencies (shared libraries, versions, etc.) to run.

Some apps delivered in tar.gz format do package all dependencies. Some do not. More likely, it is the user who needs to find out the required dependencies and translate the details to the platform it will be running on (the documentation might list them for Arch, but I need to find out what they are called on Fedora, etc.).

Package managers, like dnf on Fedora, are developed to resolve dependencies and auto-install them if missing.

The AppImage format normally packages all dependencies, so it can normally run on supported distributions without installation of extra components.


Let’s list all the negatives first:

  • assuming it’s a binary that the tar.gz contains, it’ll probably be statically linked or will bundle all its dependencies, which means it won’t be using the system versions of the required libraries
  • if it’s the source that the tar contains, you, the user, must build the software as required to run it
  • using software from tars (with or without compiling) requires the user to place the various files in the right places. For example, the binary must be placed in a directory in $PATH, or the folder needs to be added to $PATH; icons need to be put in the right locations for them to work, and so on.
  • since rpm/dpkg/whatever package management system does not know about the tar, all modifications/updates need to be made by the user
  • related: if, when “installing” the software, you overwrite system files, you can break your system (people have broken dnf by using pip with sudo, for example—lots of topics on the forum about this)
  • making software from tars available to all users of the system can be tricky—all their $PATHs etc. need to be modified
  • making software from tars available and maintaining it (updates etc.) on multiple machines can be tricky too.
  • related: “uninstalling” the software can be a real pain—you effectively have to remove all files manually, because no package management system is aware of the files that were installed
  • as noted, it is the user’s responsibility to check for security etc. when using tools directly from tars.

Pros:

  • you can run whatever you want, even if it’s not in the repositories
  • if the software is available as a pre-built tar, you don’t have to build it from source

I have used stuff directly from tars, but once I became a package maintainer I started building packages for everything I need and, where possible, adding them to the repositories so others can use them too. There are cases where this can’t be done, but I still build rpms for personal use, just to make it easier for me to remove them when I want to. It also helps with maintaining them on the multiple systems I use (work, home, laptop etc.).

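A constructed example, not code from this thread, of the checks and bookkeeping the dependency post and the list above call for: compare the archive with the checksum the upstream publishes, refuse archives whose members would land outside the chosen prefix, look for missing shared libraries, and install under a per-user prefix with a manifest so that “uninstalling” has an exact answer. The tool name, the prefix and the sample archive are assumptions.

```shell
# Constructed example: check, install and cleanly remove a tar.gz-delivered tool
# under a per-user prefix. Tool name, prefix and sample archive are assumptions.
set -eu

PREFIX="${PREFIX:-${HOME:-/tmp}/.local/opt/demo-tool}"   # never a system directory
MANIFEST="$PREFIX/.installed-files"

# Compare the archive's SHA-256 with the checksum the upstream project publishes.
verify_tarball() {               # $1=tarball  $2=expected sha256 hex digest
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Refuse archives whose member names are absolute or contain a '..' component:
# extracted as-is they would write outside the prefix.
check_paths() {                  # $1=tarball
    if tar -tzf "$1" | grep -Eq '(^/|(^|/)\.\.(/|$))'; then return 1; fi
    return 0
}

# Report shared libraries a dynamically linked binary needs but the system lacks.
missing_libs() {                 # $1=binary
    ldd "$1" 2>/dev/null | grep 'not found' || true
}

# Extract into the prefix and record every member written, so removal is exact.
install_tarball() {              # $1=tarball
    mkdir -p "$PREFIX"
    tar -xzf "$1" -C "$PREFIX"
    tar -tzf "$1" > "$MANIFEST"
}

# Remove only what the manifest lists, then the prefix itself.
uninstall_tool() {
    [ -f "$MANIFEST" ] || return 1
    while read -r member; do
        [ -e "$PREFIX/$member" ] && rm -rf "$PREFIX/$member"
    done < "$MANIFEST"
    rm -rf "$PREFIX"
}

# Constructed sample "release": a one-file tool packed like a real upstream tarball.
make_sample_tarball() {          # prints the path of the archive it created
    work=$(mktemp -d)
    mkdir -p "$work/src/bin"
    printf '#!/bin/sh\necho hello from demo-tool\n' > "$work/src/bin/demo-tool"
    chmod +x "$work/src/bin/demo-tool"
    tar -czf "$work/demo-tool.tar.gz" -C "$work/src" bin
    echo "$work/demo-tool.tar.gz"
}
```

After `install_tarball`, adding `$PREFIX/bin` to your own `$PATH` is the only remaining step, and nothing outside `$PREFIX` is ever touched.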

Did you mean “possibly”?

Look it up on the internet … NVIDIA CUDA, Intel OneAPI, … system requirements … high level developer frameworks need a stable operating system. Fine, Fedora only supports Nouveau drivers; for the rest, search elsewhere …
What kicks me is all this fluff and puff about compressed files from trusted sources.

That is twice from … ???

Please make your own topic if you really want to discuss this controversy.
The OP asked if there are any negative sides … and we listed them.

We cannot assume that everyone here is on the same level of knowledge. That’s why we try to convey the safest course of action in order not to tempt anyone to be lenient.

With increasing experience, these users will set their own standards and take responsibility for themselves.

By the way,

I gave you a question mark because I already saw you do this with other topics that were not yours: bringing in thoughts that are not really part of the topic. This degrades a simple request and makes it unreadable and unnecessarily long.


Just a note: it is strongly suggested that the Nvidia run files should not be used. Please use the packaged versions that RPM Fusion provides—they are packaged to work correctly with the Fedora kernels and so on.

https://rpmfusion.org/Howto/NVIDIA


High level development frameworks like DPC++, C++20, CUDA, Metropolis, Omniverse, Isaac, ROS2, … are blocked by a reference platform inspired by Red Hat, now acquired by IBM, with the Power 10 CPU with its fabulous localized/decentralized address range. What are you really thinking about ???

I don’t quite understand what you’re saying, but in any case this is completely irrelevant here.

I’m afraid the forum is limited in scope to troubleshooting and helping Fedora users. This sort of discussion does not fit here. Please let us all limit our discussion to the topic at hand, and in general to troubleshooting and helping each other.