hhd-dev / hhd

Handheld Daemon, a tool for configuring handheld devices.
GNU General Public License v3.0

[Feature Request]: Add warning to the Decky Update Script and/or disable it for package manager installs #30

Closed dreirund closed 4 months ago

dreirund commented 5 months ago

I just played around with hhd-ui and I found a button "update Decky" there.

It apparently did nothing, but on the terminal where hhd runs it is printed:

Command 'curl -L https://github.com/hhd-dev/hhd-decky/raw/main/update.sh | HOME="/root/" sh' returned non-zero exit status 255.

So it actually invokes remote file download and execution as the local user. Without any warning. Without any looking-at.

This is a major security issue:

Also, it maybe does stuff on a system even when there is no "Decky" or when the decky plugin is installed via the package manager.

Please remove the option, or move it to an advanced section with an explicit explanation of what it does in the background and a big warning.

Regards!

antheas commented 5 months ago

Hi dreirund, first off, the command log you posted shows that you did not follow the install instructions. Please do that in the future before opening issues. Handheld Daemon is not bound to your user right now.

I will agree with you that there is a gray area with allowing Handheld Daemon to pull binaries from third party sources when it is installed by a package manager. It was not a priority to fix as Handheld Daemon is not yet in upstream repositories.

However, the URL you posted is secured by HTTPS and on a publicly known repository which is also write-protected to the same authors as the PyPi download and the main repository. This standard is in line with what is used by the majority of software in the market right now. And it only runs when the user presses it.

The current script does nothing when Decky is not installed in your system. Updating Decky is core functionality right now expected by most users, so it can not be moved to an advanced section.

As for the install instructions themselves, unfortunately this unclean form of installation is what is used for decky plugins.
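Added example (not code from hhd or from either commenter) of the download-then-verify pattern this discussion is about: instead of piping a fetched script straight into sh, the caller pins the script's SHA-256 in the release metadata and refuses to execute a download whose digest does not match. The function names, the sample script bytes and the pinned digest are constructed here for illustration.

```python
import hashlib
import hmac
import os
import subprocess
import tempfile
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Digest of the downloaded script body."""
    return hashlib.sha256(data).hexdigest()


def verify_script(data: bytes, pinned_sha256: str) -> bool:
    """Accept the script only if its digest matches the one shipped with the release.

    The pinned digest must come from release metadata obtained separately,
    never from the same download as the script itself.
    """
    return hmac.compare_digest(sha256_hex(data), pinned_sha256.lower())


def run_verified_script(data: bytes, pinned_sha256: str,
                        env: Optional[dict] = None) -> int:
    """Write the verified script to a temp file and run it with sh.

    Raises ValueError before anything is executed if verification fails,
    which is the whole point: a tampered or unexpected script never runs.
    """
    if not verify_script(data, pinned_sha256):
        raise ValueError("updater script digest mismatch; refusing to execute")
    fd, path = tempfile.mkstemp(suffix=".sh")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return subprocess.run(["sh", path], env=env, check=False).returncode
    finally:
        os.unlink(path)


# Constructed sample: the script a release would ship, and its pinned digest.
SAMPLE_SCRIPT = b"#!/bin/sh\nexit 0\n"
PINNED_SHA256 = sha256_hex(SAMPLE_SCRIPT)  # would be read from release metadata
# A modified body, e.g. one served by a compromised mirror, must be rejected.
TAMPERED_SCRIPT = SAMPLE_SCRIPT + b"echo tampered\n"
```

The trade-off is that every updater release must also publish a new digest, which is why bundling the updater with the plugin itself (as the later comments describe) removes the problem rather than patching over it.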

antheas commented 5 months ago

Nevertheless, I will think about how to fix it these days.

The above comment is to say that currently there is no severe security issue that should be immediately fixed.

antheas commented 4 months ago

The next Decky plugin version bundles the updater in it and hides the current update buttons.

Added deprecation warning to remind users to update. https://github.com/hhd-dev/hhd/commit/2d2f855c36286653313d43ae2999d4a16ab04184

The button will be removed in a release in a week or two to give people time to update. After that, they will need to use the command line again.

antheas commented 4 months ago

https://github.com/hhd-dev/hhd/commit/f47c3b8f3803944f31f05021a497cd9c7e813bf0