scary installation method for linux

spetey · 11-16-2023, 07:21 PM

First, let me say I am so grateful for Calibre! Thank you all for your work developing and supporting it.

I came to the forum because the installation method for linux makes me really nervous, and I can't imagine I'm the only one. Copy and paste a terminal command that downloads a bash script off the web and runs it sudo?! Um ... I'm no security expert, and maybe I'm naive to think AppImage or package managers are somehow more secure, but that just does not sound like a generally good policy.

Is there any talk of getting it into Ubuntu repos or anything like that?

Thanks in advance for thoughts.

kovidgoyal · 11-16-2023, 10:00 PM

calibre is available in all repos but use the official binaries if you want support. A distribution version of any software is almost always strictly worse than the official version, since its the ofifcial version plus random patches added by people of lets say, very varying competence.

There is nothing scary about running bash scripts from the internet. And you dont need to run it under sudo if you dont want to, it supports an isolated mode as well.

And just for the record, the installer is a python script, not a bash script, its just wrapped in a bash script to find the right python binary to run the actual installer with.

rantanplan · 11-17-2023, 04:38 AM

For what it's worth, there's a flatpak available on flathub. It's always trailing behind for a few days. If that's acceptable to you, here's the link:
https://flathub.org/de/apps/com.calibre_ebook.calibre

Quoth · 11-17-2023, 05:04 AM

Flatpack is more problems than the script from Kovodgoyal
If you don't trust his script, why trust Calibre?
If you trust Calibre, then trust the script. Same person.

Flatpacks also update without asking for a password/sudo. I've replaced all but one now with either proper deb packages or direct installs.

A flatpack is extra complexity, a 3rd party and less secure updating.

There is nothing more scary about the terminal script than a obfuscated GUI install. Steam, Viber (by Rakuten than owns Kobo) and Brother's print/scanner drivers all offer terminal scripts for install. So does WINE, Thunderbird, Waterfox etc. It's not inherently less secure or scary than downloading a Windows msi file to desktop and double clicking. For decades the only way to install was in a console.

theducks · 11-17-2023, 10:10 AM

But only use the official script on the download page. There are MILLIONS OF CALIBRE USERS. https://calibre-ebook.com/dynamic/calibre-usage in the last 60 days. I think if there was scary, we would hear .

If you are worried about issues, check here (MR) before updating.

JSWolf · 11-17-2023, 02:14 PM

Quote:

Originally Posted by spetey

First, let me say I am so grateful for Calibre! Thank you all for your work developing and supporting it.

I came to the forum because the installation method for linux makes me really nervous, and I can't imagine I'm the only one. Copy and paste a terminal command that downloads a bash script off the web and runs it sudo?! Um ... I'm no security expert, and maybe I'm naive to think AppImage or package managers are somehow more secure, but that just does not sound like a generally good policy.

Is there any talk of getting it into Ubuntu repos or anything like that?

Thanks in advance for thoughts.

That's why you should use Windows. Nothing scary about it. It just works.

ownedbycats · 11-17-2023, 05:47 PM

Quote:

Originally Posted by JSWolf

That's why you should use Windows. Nothing scary about it. It just works.

Just bloody stop.

DNSB · 11-17-2023, 08:09 PM

Quote:

Originally Posted by JSWolf

That's why you should use Windows. Nothing scary about it. It just works.

Really, Jon? Those posts I see from Windows users who are having issues are a figment of my imagination?

And, David, stop responding to the troll.

BetterRed · 11-17-2023, 08:49 PM

The number of Linux users with calibre related problems is disproportionate to their number by a country mile… ditto the other four multi-platform products I use.

DNSB · 11-17-2023, 09:46 PM

Quote:

Originally Posted by BetterRed

The number of Linux users with calibre related problems is disproportionate to their number by a country mile… ditto the other four multi-platform products I use.

Anyone in possession of a moiety of their mind will admit quite a few programs have more issues on Linux proportionate to the number of users than the same programs on MacOS or Windows when using the GUI. This does not lead me to conclude that Windows or MacOS never have issues. Anyone who has participated in any of the Windows Beta or Preview programs knows that all too well.

spetey · 11-21-2023, 11:16 AM

I sure didn't mean to start a Windows-Linux fight.

I am grateful for the thoughts. I mean, I am of course consoled by the fact that it is both open-source and widely-used, and that if I were a better coder I could check the script myself. (FWIW, I asked Claude's AI to look it over and, with many a disclaimer, it said there thatwere no security red flags.)

I guess I'm just paranoid enough to wonder - not specifically about kovidgoyal, mind you, but about anyone in such a position - whether they might not be tempted someday to abuse such trust once it's been built, to turn a handsome profit with ransomware or whatever. Meanwhile I'll back up and/or encrypt my stuff as securely as I can, and then trust-but-verify.

Thanks again, sincerely, by the amazing app - in general this kind of open-source software just restores my faith in humanity, despite the appearance of deep skepticism here.

theducks · 11-21-2023, 12:23 PM

Quote:

Originally Posted by spetey

I guess I'm just paranoid enough to wonder - not specifically about kovidgoyal, mind you, but about anyone in such a position - whether they might not be tempted someday to abuse such trust once it's been built, to turn a handsome profit with ransomware or whatever. Meanwhile I'll back up and/or encrypt my stuff as securely as I can, and then trust-but-verify.
.

You run Linux.
The ransomware folk go after Windows users because there are so many, that even a 1% return on (code and deploy) effort is HUGE.

arjaybe · 11-21-2023, 01:36 PM

I'm using the Calibre that comes with my distribution (MX, based on Debian.) I guess I got lucky and avoided all those incompetent developers.-) I have used the official binaries in the past, also without problems. spetey, if you use the packages in your distro comfortably, you can use Kovid's binaries equally comfortably.

JSWolf · 11-21-2023, 04:40 PM

Quote:

Originally Posted by arjaybe

I'm using the Calibre that comes with my distribution (MX, based on Debian.) I guess I got lucky and avoided all those incompetent developers.-) I have used the official binaries in the past, also without problems. spetey, if you use the packages in your distro comfortably, you can use Kovid's binaries equally comfortably.

You are best to use calibre from the official site and not from any repository. There are more problems from repositories then the official site.

OregaNooo · 11-22-2023, 01:31 PM

> Copy and paste a terminal command that downloads a bash script off the web and runs it sudo?! Um ...

Well, I guess that's a good point. I didn't know what I was doing and took that risk since the repos were out of date and flathub was problematic.

Hope that doesn't get hacked or anything. Or pressured to put a back door on your machine.

Maybe run it in a vm?

11-16-2023, 07:21 PM	#1
spetey Junior Member Posts: 4 Karma: 10 Join Date: May 2020 Device: cross-platform	scary installation method for linux First, let me say I am so grateful for Calibre! Thank you all for your work developing and supporting it. I came to the forum because the installation method for linux makes me really nervous, and I can't imagine I'm the only one. Copy and paste a terminal command that downloads a bash script off the web and runs it sudo?! Um ... I'm no security expert, and maybe I'm naive to think AppImage or package managers are somehow more secure, but that just does not sound like a generally good policy. Is there any talk of getting it into Ubuntu repos or anything like that? Thanks in advance for thoughts.

11-17-2023, 05:04 AM	#4
Quoth the rook, bossing Never. Posts: 11,164 Karma: 85874891 Join Date: Jun 2017 Location: Ireland Device: All 4 Kinds: epub eink, Kindle, android eink, NxtPaper11	Flatpack is more problems than the script from Kovodgoyal If you don't trust his script, why trust Calibre? If you trust Calibre, then trust the script. Same person. Flatpacks also update without asking for a password/sudo. I've replaced all but one now with either proper deb packages or direct installs. A flatpack is extra complexity, a 3rd party and less secure updating. There is nothing more scary about the terminal script than a obfuscated GUI install. Steam, Viber (by Rakuten than owns Kobo) and Brother's print/scanner drivers all offer terminal scripts for install. So does WINE, Thunderbird, Waterfox etc. It's not inherently less secure or scary than downloading a Windows msi file to desktop and double clicking. For decades the only way to install was in a console. Last edited by Quoth; 11-17-2023 at 05:09 AM.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Calibre installation on linux	us185damiani	Calibre	1	01-13-2021 11:46 AM
Calibre 2.0, Linux, Chinese input method	anavin	Calibre	1	08-23-2014 02:19 AM
Stupid Linux installation problem	Saioko	Calibre	3	04-30-2013 02:25 PM
Installation for Linux - Why so hard?	Wentworth	Calibre	9	08-15-2011 10:39 AM
Planned installation method?	Manichean	OpenInkpot	4	07-26-2008 05:03 AM

11-16-2023, 10:00 PM	#2
kovidgoyal creator of calibre Posts: 43,860 Karma: 22666666 Join Date: Oct 2006 Location: Mumbai, India Device: Various	calibre is available in all repos but use the official binaries if you want support. A distribution version of any software is almost always strictly worse than the official version, since its the ofifcial version plus random patches added by people of lets say, very varying competence. There is nothing scary about running bash scripts from the internet. And you dont need to run it under sudo if you dont want to, it supports an isolated mode as well. And just for the record, the installer is a python script, not a bash script, its just wrapped in a bash script to find the right python binary to run the actual installer with.

11-17-2023, 04:38 AM	#3
rantanplan Guru Posts: 623 Karma: 8592298 Join Date: Nov 2019 Location: Wuppertal, Germany Device: Paperwhite (2021), Boox Note Air 2+, Kobo Clara 2E, Tolino Vision 6	For what it's worth, there's a flatpak available on flathub. It's always trailing behind for a few days. If that's acceptable to you, here's the link: https://flathub.org/de/apps/com.calibre_ebook.calibre

11-17-2023, 10:10 AM	#5
theducks Well trained by Cats Posts: 29,809 Karma: 54830978 Join Date: Aug 2009 Location: The Central Coast of California Device: Kobo Libra2,Kobo Aura2v1, K4NT(Fixed: New Bat.), Galaxy Tab A	But only use the official script on the download page. There are MILLIONS OF CALIBRE USERS. https://calibre-ebook.com/dynamic/calibre-usage in the last 60 days. I think if there was scary, we would hear . If you are worried about issues, check here (MR) before updating.

11-17-2023, 08:49 PM	#9
BetterRed null operator (he/him) Posts: 20,575 Karma: 26954694 Join Date: Mar 2012 Location: Sydney Australia Device: none	The number of Linux users with calibre related problems is disproportionate to their number by a country mile… ditto the other four multi-platform products I use.

11-21-2023, 11:16 AM	#11
spetey Junior Member Posts: 4 Karma: 10 Join Date: May 2020 Device: cross-platform	I sure didn't mean to start a Windows-Linux fight. I am grateful for the thoughts. I mean, I am of course consoled by the fact that it is both open-source and widely-used, and that if I were a better coder I could check the script myself. (FWIW, I asked Claude's AI to look it over and, with many a disclaimer, it said there thatwere no security red flags.) I guess I'm just paranoid enough to wonder - not specifically about kovidgoyal, mind you, but about anyone in such a position - whether they might not be tempted someday to abuse such trust once it's been built, to turn a handsome profit with ransomware or whatever. Meanwhile I'll back up and/or encrypt my stuff as securely as I can, and then trust-but-verify. Thanks again, sincerely, by the amazing app - in general this kind of open-source software just restores my faith in humanity, despite the appearance of deep skepticism here.

11-21-2023, 01:36 PM	#13
arjaybe Wizard Posts: 1,003 Karma: 12012526 Join Date: Aug 2013 Location: Canada Device: Sony PRS-650	I'm using the Calibre that comes with my distribution (MX, based on Debian.) I guess I got lucky and avoided all those incompetent developers.-) I have used the official binaries in the past, also without problems. spetey, if you use the packages in your distro comfortably, you can use Kovid's binaries equally comfortably.

11-22-2023, 01:31 PM	#15
OregaNooo Member Posts: 19 Karma: 10 Join Date: Nov 2022 Device: PW5	> Copy and paste a terminal command that downloads a bash script off the web and runs it sudo?! Um ... Well, I guess that's a good point. I didn't know what I was doing and took that risk since the repos were out of date and flathub was problematic. Hope that doesn't get hacked or anything. Or pressured to put a back door on your machine. Maybe run it in a vm?

Advert

Advert