On Debian-based distros, when an app is available as a DEB or an AppImage (that doesn’t self-update), but no APT repository, PPA or Flatpak, the only option is to manually download each update, and usually manually check even whether there are updates.

But, what if those would be upgraded at the same time as everything else using the tools you’re familiar with ?

dynapt is a local web server that fetches those DEBs (and AppImages to be wrapped into DEBs) wherever those are, then serves these to APT like any package repository does.

I started building it a few months ago, and after using it to upgrade apps on my computers and servers for some time, I pre-released it for the first time last week.

The stable version will come with a CLI wizard to avoid this manual configuration.

Feedback is welcome :)

  • KaKi87@jlai.luOP
    link
    fedilink
    arrow-up
    13
    ·
    4 months ago

    Well, I’m just automating what people currently have to do manually : visit GitHub and download DEB and install DEB.

    If the automated process would be dangerous then the manual process also would be, and that would be on the maintainer for not providing an APT repository or a Flatpak, not on the user for just downloading from GitHub.

    • cqst@lemmy.blahaj.zone
      link
      fedilink
      arrow-up
      4
      ·
      edit-2
      4 months ago

      Well, I’m just automating what people currently have to do manually : visit GitHub and download DEB and install DEB.

      Yeah. You should never do that. Like ever. Build from source; or use a vendored tarball. https://wiki.debian.org/DontBreakDebian

      .deb is a terribly insecure nightmare thats held up by the excellent debian packagers, gpg , and checksums, and stable release model. don’t use .deb files.

        • cqst@lemmy.blahaj.zone
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          4 months ago

          I’m and end user

          Yeah, we all are. What’s your point?

          End users are also developers. All computer users are developers. You are developing.

          user working for end users

          By making a script that lets me get backdoors and shitty packages with ease? The linux package distribution system is a nightmare, Debian is the least bad approach. There is basically always a better option to using a .deb file. If you come across something that isn’t packaged, I recommend Flatpak, building from source (and installing unprivileged), or using the developers vendored tarball (installing unprivileged).

          https://wiki.debian.org/SecureApt

          By using local .debs you lose the benefit of:

          Reproducible builds

          GPG checksums

          Stable release model

          debian security team

          • KaKi87@jlai.luOP
            link
            fedilink
            arrow-up
            6
            ·
            4 months ago

            My point is that I’m working a solution for end users.

            The solutions you’re offering are not user-friendly.

    • ulkesh@beehaw.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      4 months ago

      It’s a cool concept, but automation breeds laziness (by design, to an extent) and lazy end users tend to shoot themselves in the foot. So it isn’t great for security, but it also isn’t that much worse for security :)

      Since some people with money tend to be litigious, and, of course, I am not a lawyer, I would advise a warning message (or part of the license if you don’t want to muck up your CLI), if you don’t have one, to force the user to accept and acknowledge that the software they are installing using this tool is not verified to be safe.

      • KaKi87@jlai.luOP
        link
        fedilink
        arrow-up
        2
        ·
        4 months ago

        How is the manual step more secure though ?

        What does the user do before downloading a DEB that makes that gap between manual and automated ?

        I’d be willing to try and reproduce that, but I don’t see anything.

        • ulkesh@beehaw.org
          link
          fedilink
          English
          arrow-up
          1
          ·
          4 months ago

          I didn’t say it was more secure, I said it’s about the same.

          The difference is a person being forced to go to a website to download software means more steps and more time to consider the safety of what they’re doing. It’s part psychological.

          Not all such packages are retrieved from GitHub, I remember downloading numerous .deb files direct over the past 25 years (even as recent as downloading Discord manually some years back).

          The main point I’m making is that you should legally protect yourself, it’s a low and reasonable effort.

          • KaKi87@jlai.luOP
            link
            fedilink
            arrow-up
            1
            ·
            4 months ago

            I didn’t say it was more secure, I said it’s about the same.

            You said automation breeds laziness (by design, to an extent) and lazy end users tend to shoot themselves in the foot.

            So, my question is : what part of automating download of DEBs from a specific source can be shooting oneself in the foot compared to doing the same thing manually every time ?

            you should legally protect yourself

            The MIT license will take care of that.

            Also, to force the user to accept and acknowledge that the software they are installing using this tool is not verified to be safe is inducing fear and/or guilt, therefore is bad UX, I’m not doing that.

            • ulkesh@beehaw.org
              link
              fedilink
              English
              arrow-up
              1
              ·
              4 months ago

              I already answered that first question.

              And then all those app store fronts that say whether a flatpak is verified or not is inducing fear and/or guilt and is therefore bad UX. It’s not, but you are free to have your opinion.

              Have fun then, I’m done wasting my time here.