MaartenBaert / ssr

SimpleScreenRecorder, a screen recorder for Linux
http://www.maartenbaert.be/simplescreenrecorder/
GNU General Public License v3.0
2.57k stars 290 forks

Provide official AppImage #486

Open probonopd opened 8 years ago

probonopd commented 8 years ago

Would you be interested in providing an official AppImage?

Here is a video by SSR user Joe Collins that shows why this might be useful: https://www.youtube.com/watch?v=YAtS6XEwyQY

MaartenBaert commented 8 years ago

Sounds like this could finally provide an easy way to install SSR on the distributions that don't have packages yet. I will try to generate one from the Ubuntu 12.04 package when I release the next SSR version.

probonopd commented 8 years ago

Excellent @MaartenBaert, thank you very much.

Here is the script I used to produce the AppImage; just replace trusty by 12.04. https://github.com/probonopd/AppImages/blob/master/recipes/simplescreenrecorder/Recipe

h1z1 commented 7 years ago

Pure insanity. Nice backdoor waiting to be implemented in that script. There's zero error checking, zero sanity checking, it sources other files and is quite distribution-centric. Are the AppImage campers seriously parading this as a solution on GitHub??

  #   URL=$(wget -q "https://s3.amazonaws.com/archive.travis-ci.org/jobs/$((ID+2))/log.txt" -O - | grep "https://transfer.sh/.*/appimagetool" | tail -n 1 | sed -e 's|\r||g')
  # fi
  URL="https://github.com/AppImage/AppImageKit/releases/download/continuous/appimagetool-${SYSTEM_ARCH}.AppImage"
  wget -c "$URL" -O appimagetool
  chmod a+x ./appimagetool
  set +x
  if ( [ ! -z "$KEY" ] ) && ( ! -z "$TRAVIS" ) ; then
    wget https://github.com/AppImage/AppImageKit/files/584665/data.zip -O data.tar.gz.gpg
    ( set +x ; echo $KEY | gpg2 --batch --passphrase-fd 0 --no-tty --skip-verify --output data.tar.gz --decrypt data.tar.gz.gpg )
    tar xf data.tar.gz
    sudo chown -R $USER .gnu*

shivers You guys are out of your minds.

MaartenBaert commented 7 years ago

@h1z1 What exactly are you referring to? Where did that piece of code come from?

Any package system has the potential of abuse, that's also true for my Ubuntu PPA or Arch Linux AUR packages. You are taking a risk even if you compile from source, unless you have literally read every line of code in the build scripts as well as the SSR source code itself. As a user you are relying on the developers to not abuse their power to push a malicious update. Sandboxing seems to be the only practical way to get real security, but in the case of SSR that would break the functionality.

probonopd commented 7 years ago

@h1z1 concrete suggestions for improvements are welcome. By the way, if @MaartenBaert would decide to do an official AppImage, he could of course properly sign it with GPG using his own private key and credentials.
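
An added example, not part of the thread and not code from the AppImage recipe: one concrete form of the error and sanity checking discussed above for the tool-download step, where the file is made executable only after its SHA-256 matches a pinned value. The function names, the URL and the digest are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the AppImage recipe): fail-closed install of a
# downloaded build tool. Function names, URL and digest are placeholders.
set -eu

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# install_verified SRC EXPECTED_SHA256 DEST
# Marks SRC executable and moves it to DEST only if its digest matches.
# On mismatch SRC is deleted, DEST is left untouched, and 1 is returned.
install_verified() {
    src=$1; expected=$2; dest=$3
    [ -s "$src" ] || { echo "error: $src missing or empty" >&2; return 1; }
    actual=$(sha256_of "$src") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "error: digest mismatch for $src" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        rm -f -- "$src"
        return 1
    fi
    chmod 0755 -- "$src" && mv -f -- "$src" "$dest"
}

# fetch_tool URL EXPECTED_SHA256 DEST
# Refuses non-HTTPS URLs, downloads to a temp file, verifies, then installs.
fetch_tool() {
    case $1 in
        https://*) ;;
        *) echo "error: refusing non-HTTPS URL $1" >&2; return 1 ;;
    esac
    tmp=$(mktemp "$3.XXXXXX") || return 1
    wget -q -O "$tmp" "$1" || { rm -f -- "$tmp"; return 1; }
    install_verified "$tmp" "$2" "$3"
}

# Usage (placeholders; pin a versioned release asset, not a moving tag):
#   fetch_tool "https://example.invalid/appimagetool-x86_64.AppImage" \
#       "<sha256 recorded at review time>" ./appimagetool
```

A digest pinned in the build script only helps when the URL points at an immutable, versioned asset; a moving "continuous" download changes its hash on every upstream build.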