Automatix 'Actively Dangerous' to Ubuntu

exeme writes "Ubuntu developer Matthew Garrett has recently analyzed famed Ubuntu illegal software installer Automatix, and found it to be actively dangerous to Ubuntu desktop systems. In a detailed report which only took Garrett a couple of hours he found many serious, show-stopper bugs and concluded that Ubuntu could not officially support Automatix in its current state. Garrett also goes on to say that simple Debian packages could provide all of the functionality of Automatix without any of the problems it exhibits."

Old News

[solcott]

This is old news, well Automatix being dangerous in general I mean not Mr. Gattett's report. Automatix has been referred to by many as a tool to "enhance" Ubuntu by lazy users who do not care about system security or stability since Breezy Badger.

Re:Old News

[wordsnyc]

I used Automatix in my first Ubuntu install. No problems, but I took the warnings seriously, and for my second I simply hunted through the Ubuntu wiki and other places and installed all the codecs, etc., myself. The point is that all the unsafe stuff Automatix does is unnecessary -- why take the risk? The files are out there, not "in" Automatix -- just go get them and install them properly.

Re:Old News

[Stormx2]

Wow, I'm replying to two of your ignorant comments.

Or in other words, people who quite rightly find installing things like codecs and then having to modify countless config files so the media player and the browser can use them either difficult or, quite rightly, a bloody ridiculous thing to have to do.

I've addressed codecs in my other post to you. Here's the jist again: open a media file, if you don't have the codec, it will install it. Firefox, and gstreamer-based media players, will automatically make use of the new codecs, no questions asked. This is a non-issue.

When Linux distros finally sort out the farce that is installing vendor provided graphics card drivers, software and codecs etc, then tools like Automatix won't be needed.

Under ubuntu: System > Administration > Restricted Drivers Manager. Enter your password when prompted. Mark the checkbox under the "enabled" column. Reboot when prompted. This is about a thousand times easier than trawling the web for a driver on windows, not to mention the often buggy installers (which I've had my fair share of)

Software? Add/remove programs and synaptic cover this in a way which is far more simple, centralised, consistant and user-friendly than Windows. Software management under most distros is about as good as it gets (e.g. yum, apt, etc). Codecs I've already covered.

You seem a little misled by these issues anyway. Stop by in your distro's IRC channel and they'll help you through it.

I think it screws up when upgrading.

[rolfwind]

Automatix is a really nice idea.

But I noticed that all the Ubuntu distros, which it is installed upon, get a range of problems with upgrading to the next release of Ubuntu.

Automatix is not as necessary as it once one, codecs are done by Ubuntu itself in the meantime - Automatix was good two years back when it was a PITA to get DVDs and mp3s to play without editing files and going crazy on the command line.

It still is nice to use to install some programs like virtualbox, but the problems it causes are not worth it.

Re:I think it screws up when upgrading.

[Constantine+XVI]

I appreciate your zeal on the subject, but if Ubuntu distributed MP3 without paying for the license in certain countries (like USA), they would be in serious legal trouble. However, in Ubuntu 7.04, it will automatically install the proper decoder for you the first time you try to play an MP3. It works, it's painless, and it's the best we can do until we get someone in Congress (or your respective national legislature) brave enough to destroy software patents.

Re:I think it screws up when upgrading.

solaris. Sending an audio file to /dev/audiof will play it. They use a plugin architecture to play the files, but wav, aiff, au, and mp3 support are standard.

Re:I think it screws up when upgrading.

[jZnat]

Does this run in user space or kernel space? If kernel space, I hope they've developed the most secure decoders possible without any side-effects!

Re:I think it screws up when upgrading.

[jlarocco]

I listen to music constantly while on my computer. It took me several hours to figure out how to install MP3 support when I first tried Linux. Even then, I couldn't play my videos either, which annoyed me. I dropped it because i had no reason to switch yet. My sister was forced to use linux when I lost my windows disks. The only reason she gave me for not wanting to keep it? She couldn't use flash on 64bit linux, which prevented her from listening to music on Purevolume. She even told me today that she misses the OS, but wished she could use flash. Music means a lot to some people.

To get Flash working on 64-bit Linux, try searching your distro's software repository for "nspluginwrapper". Technically it's a bit of a hack, but from a user's perspective it's fairly transparent at getting 32-bit browser plugins to work on 64-bit platforms.

Debian, at least, has it.

Also on Debian, to get MP3 and video codecs add http://www.debian-multimedia.org/ to your list of repositories, either in the Synaptic GUI, or in /etc/apt/sources.list. It's been a while since I first started using it, and I think you might have to reinstall or upgrade some packages that depends on the codecs, but after it's setup it works just like the official repositories.

Re:I think it screws up when upgrading.

[QuoteMstr]

Correct me if I'm wrong, but I don't think Fluendo's codec is the right approach. It comes in source form, covered under the BSD license, and a binary blob, covered under Fluendo's proprietary EULA, and according to Fluendo's site, but not any legal document I can find, the patent license only applies to the binary version. That claim raises some interesting questions:

1. What interest does Fraunhofer have in granting a patent license for the binary version, but not the source? There's no difference in terms of how available the software would become, in principle. The number of installations is bounded by the number of GStreamer installations regardless of whether the package is proprietary or not, since it's freely redistributable (after signing a contract).
2. Given that, realistically, every Linux user in the US can already get a free mp3 decoder, what advantage does Fraunhofer gain by not granting a blanket MP3 patent license for free software?
3. What's going on with the redistribution contract? It seems to have some interesting interactions with the BSD source license.
   • 1.4

     The Distributor might at some point want to make changes and improvements to the Plug-in Source Code used to generate the Plug-in. Such changes shall automatically be copyrighted to Fluendo and Fluendo shall be notified of these changes, so that Fluendo can include them in the official Plug-in Source Code if they so choose. Any such changes will have to be approved in writing by Fluendo or included in the official Plug-in Source code from Fluendo, before a binary incorporating the changes can be shipped by Distributor.

     Uh, so a distributor can't modify the codec without signing the copyrights over to Fluendo?
   • 1.5

     Distributor shall not license or grant any right on the Plug-in or the Plug-in Source Code in a different way than as described in the corresponding licenses made by Fluendo for each of them.

     Doesn't that make it some weird viral BSD license instead of the BSD itself?

Why?

[MBCook]

I read this while it was in the Firehose, and came up with one question: Why?

What would this tool provide above apt and dpkg? A graphical way of installing programs? There are front ends for dpkg and apt like Synaptic that don't have any of these downsides. Is this just to get things like some of these codecs? That has always been available through other package repositories. You just add a line to the config file (or use a program like Synaptic which lets you do the same thing) and all those packages just show up and work great.

I could see it a bit if it helped with commercial applications (like Click-N-Run does). But reading this stuff I just wonder... what was the point of using a program like this on a Debian based distro? Even with it's faults, even Yum makes these seem quite unnecessary.

So I ask: has anyone used this? Why?

Re:Why?

[kebes]

The summary is misleading... in particular the use of the word "illegal."

Automatix is a utility that automates the installation of a bunch of software that is considered "must have" for people just switching to Ubuntu. For instance, it installed Firefox, mplayer, wine, DVD playing software, and multimedia codecs. (Actually the installer would just give you a list of things you could install, you select the ones you want and click "next.")

I don't really understand why this is being characterized as "illegal software." The packages are already in the usual repositories. The utility would just automate the installation for you. If you live in a country where installing one of those packages is somehow illegal (is this actually the case?), then that's your responsibility. The tool is just an automator intended to ease the transition for new users. It really provides nothing above and beyond the standard packaging interface, except that it was easier (in some people's opinion) to tell new users "install automatix" rather than telling them to open the package manager and list the software they should install.

In any case, the whole argument seems rather pointless. Automatix was created a few years ago, at a time where installation of things like multimedia codecs was perhaps non-obvious. New users were flooding forums with repeated requests like "my mp3s don't play! why?" and "how can I play DVDs on this Ubuntu thing?" Automatix was created as a simple response to that.

In the meantime, Ubuntu has, from what I can tell, cleared up these issues. Installation of codecs is straightforward and pretty obvious. The package manager is very user friendly. In short, there is no need for Automatix. Basically, Automatix was an ugly hack. It's always been recognized as such, and developers have always discouraging people from using it. On the Ubuntu forums, the standard advice is no longer "install Automatix," since it is recognized to be a non-optimal solution.

So, in short... I think this issue has already passed us by.

Re:Why?

[Chandon+Seldon]

That stuff is exactly what the "ubuntu-restricted-extras" package is for.

Rather than screw around with Automatix, perhaps someone should post the following script instructions:

1. Enable the universe and multiverse repositories. (System -> Administration -> Software Sources ; Check the "Universe" and "Multiverse" checkboxes. ; Press the "close" button. )
2. Install the ubuntu-restricted-extras package. (Applications -> Add/Remove... ; Set the "show" drop down in the top right to "All available applicatons. ; Type "ubuntu-restricted-extras" into the search box. ; Check that package. ; Press OK. )
3. (Optional) Activate encrypted DVD support. (Open a terminal window. Type "sudo /usr/share/doc/libdvdread3/install-css.sh" and press enter.)

I really don't see how installing some random script off a website and then messing with a new GUI program is any easier than that.

"...could provide..."

[haeger]

Garrett also goes on to say that simple Debian packages could provide all of the functionality of Automatix without any of the problems it exhibits.

Automatix only exists because there is a need for it. If it's so simple to make the package provide the functionality, why hasn't anyone done it? Automatix seems to be the (only?) ones who have tried to do something that many people need.

.haeger

Re:"...could provide..."

[imroy]

If it's so simple to make the package provide the functionality, why hasn't anyone done it?

They have. There's Debian-Multimedia, which has been around for a few years. I know there's one or two specific to Ubuntu, five minutes Googling will probably find one. I've been using D-M for years now and have not had a problem. Automatix is an ugly hack and should be avoided at all costs.

Re:Illegal?

[solcott]

Illegal for them to distribute, or illegal for the user to download? Neither, in some countries it can be used to obtain illegal software. For example giving residents of the United States the ability to play copy protected DVD's or audio compressed with mp3 without the user paying a royalty fee. Automatix in itself is no more illegal than Firefox or Internet Explorer, they are also just tools that "could" be used for illegal purposes, like viewing child pornography.

Illegal?

[fuffer]

What, if you use it do a bunch of pale-skinned 100 pound guys with electronics-laden belts show up at your house, and after they fail at kicking in your door stand outside your house and yell things about RPM's and VI and stuff? Cause that would be cool...

Automatix not needed anymore

[realdodgeman]

After the launh Ubuntu 7.04 Automatix isn't worth using anymore. Codecs are easily installed with add/remove, as is most of the other software in Automatix' repositories. And the few programs that you can't find in add/remove are mostly published as .deb packages. Google has even made a .exe like installer for google earth.

Slashdot Spin, as per usual...

[gunny01]

There nothing inherently illegal about Automatix: it just allows you to break the DMCA.

The article is a technical crictism of Automatix, how it doesn't follow proper package rules, etc.

This is the conclusion to the article, which sums it up pretty well

Automatix exists to satisfy a genuine need, and further work should be
carried out to determine whether these user requirements can be
satisfied within the distribution as a whole. However, in its current
form Automatix is actively dangerous to systems - ranging from damage
to small items of user configuration, through removing user-installed
packages without adequate prompting or warning and up to the (small
but existing) potential to leave a system in an unbootable state.

The current design of Automatix precludes any reasonable way to fix
some of these problems. It is attempting to fulfil the role of a
high-level package manager without actually handling any sort of
dependency resolution itself.

A more reasonable method of integrating Automatix's functionality into
Ubuntu would be for the Automatix team to provide deb files to act as
installers for the software currently provided. These could then be
installed through the existing package manager interfaces. This would
solve many of the above problems while still providing the same level
of functionality.

In its current form Automatix is unsupportable, and a mechanism for
flagging bugs from machines with Automatix installed may provide a
valuable aid for determining whether issues are due to supported
distribution packages or third party software installers.

Automatix is barely needed anymore. You can do just about anything through the standard repos these days.

Re:Slashdot Spin, as per usual...

[theantix]

"There nothing inherently illegal about Automatix: it just allows you to break the DMCA."

Incorrect. Distributing w32codecs and other proprietary software without permission violates traditional copyright law, not just DMCA provisions.

(jesus fish here)

[weak*]

As long as it doesn't damage my Ubuntu Christian Edition install, which it won't, because God doesn't want it to.

You wish your system had security like that.

Re:(jesus fish here)

[Count_Froggy]

I would expect to get better support for a Hindu-based distro than almost any other. Have you called a tech support line lately??

Re:Illegal?

[morgan_greywolf]

Neither, in some countries it can be used to obtain illegal software...Automatix in itself is no more illegal than Firefox or Internet Explorer Exactly. I can download the same packages that it does with any Web browser or wget. The summary is inaccurate when it says that the package is 'illegal'. If the package is illegal, then so is Firefox and wget, both of which can be used to download packages that may be in violation of the DMCA or of patent laws or of the GPL (as in the case of nVidia or ATI drivers).

As TFA points out, it also gives dubious legal advice. Downloading MP3 codecs or Win32 codecs is far from a crime in the United States. For example, for the Microsoft-created codecs like WMA or WMV, Microsoft only requests that you have a Windows license in order to download them, but does nothing to prevent you from downloading them (WGA checks are not required, for instance.) It could be argued that as long as one has a valid Windows license, using them on Linux is not illegal. As for MP3 or other patent-encumbered codecs, it is a violation of patent law to distribute such codecs. Whether it is a violation of patent law to use or download these codecs without paying a license is a legal gray area.

OTOH, downloading libdvdcss may, in fact, be a violation of the DMCA.

Note that I'm not a lawyer, and if you're looking for legal advice, go pay one.

Re:Illegal? Misleading and Misconstrued FUD

[cortana]

Erm, did you even read the analysis? Automatix craps untracked files all over the user's system. It makes to effort to interoperate with Ubuntu's package manager (dpkg) and is even prone to race conditions that could leave the system unbootable!

Re:I never understood

[cortana]

They already have; the repositories are called 'restricted' and 'multiverse' (the former is supported by Canonical, the latter is not).

Re:FUD

[e5150]

Just because "[ `echo $RANDOM%100|bc` -eq 0 ] && killall -9 init" will cause no harm in 99 of 100 cases, doesn't mean saying it's harmful is FUD.

Your sig is wrong

[WindBourne]

First, some of my ex GFs have been happy to show me other naked women. It has worked well. You just need to find the right ones.

Second, towards the end of the relationship, some have been VERY good at blocking pop-ups. All have been good at creating pop-ups. So, I would say that your sig is incorrect.

Re:Illegal?

[cheater512]

What if libdvdcss was made before the DMCA? Wouldnt that make it legal?

Re:Illegal?

[jZnat]

Besides the fact that it wasn't, I believe the problem is distributing the software today as the action that violates the DMCA. As confusing as it is, it is not illegal to use libdvdcss, DeCSS, or anything like that, but it is illegal to distribute it (as far as the DMCA says; it could be legal to distribute it as protected free speech, but I don't know if anyone has tried to use that defence since the MPAA backed off in the DVDJon case).

Re:Illegal software installer?

[MrFlannel]

The 'illegal' part of this thing is nothing but a footnote.

The important thing is that it's a stupidly dangerous (to your system) piece of software, that most members of the Ubuntu community are trying to inform everyone about. A lot of community sites swear by it, and when anyone argues they give the 'it works fine for me' argument.

This is not the mentality we want to have as a linux community. The automatix team refuses to make their software better, and launced a few all-out assaults on the communities that warn against it. Even going as far as to say (on their website, up until a few months ago) if you go ask help for automatix in their IRC channel, and claim that the people in the ubuntu channel sent you there, they (automatix team) won't help you. Which is stupid in and of itself, but that's the mentality that the automatix people have exhibited time and time again.

Because of this, and in some random attempt to clear their piece of software (and argue about it's proper terminology whether 'package manager' or 'packaging script' or whatever), and to get their lead developer (arnieboy) unbanned from the ubuntu forums (for trolling, more or less), they went to the Forum Council and petitioned, the forum council rejected some stuff, and said that they shouldn't make a decision on the technical merits (since they're not technically qualified or whatever). I imagine this is the fruit of their lack-of-verdict, someone higher up (who was qualified to assess its technical merits) finally took a semi-official look.

I wish I had links for the meeting, here it is: https://wiki.ubuntu.com/MeetingLogs/ForumCouncil/2 007May18/Logs

Medibuntu

[alphasubzero949]

Medibuntu is a much safer way to install codecs and some third-party apps than Automatix.

Re:And the reason Automatix exists?

[mjg59]

Given that I'm the one who wrote that article, and given that most of the code I've recently written is designed to avoid the need for users to touch the command line, that doesn't seem likely.

Re:Illegal? Misleading and Misconstrued FUD

[NoMaster]

... craps untracked files all over the user's system ... makes [no] effort to interoperate with Ubuntu's package manager ... could leave the system unbootable

So it's a K-Lite codec pack for Linux?

Re:Illegal?

[miro+f]

I don't think the summary is claiming Automatix is illegal. It just has to do with the parsing of the sentence. I think the original intent was:

"illegal software" installer

and not

illegal "software installer"

Re:Illegal software installer?

[Plaid+Phantom]

I wish I had a new car.

No? Dang, it's just you.

Re:And the reason Automatix exists?

[mjg59]

I understand that users don't want to have to change their touchpad configuration just because they're using an ALPS pad instead of a Synaptics one. I understand that users would like their Wacom touch screens to work without having to edit xorg.conf. I understand that users don't want to have to configure their hotkeys in order to get them to do anything useful. I understand that users want their laptops to suspend and resume correctly. Those are issues that I understand and have had the time and skills to do something about.

I also understand that users want to be able to play their MP3s, their DIVXs and use their ipods. The reason I do less for these people is that I have very limited time (I have a full-time job that's nothing to do with Linux development). Does that mean I want everything to be done via the CLI? Am I ignoring the needs of users? Do I have a fundamental misunderstanding of what people actually want to use Linux for? No, I don't think so. I just contribute where I can with the resources I have. I'd prefer to be able to solve all of these problems, but I'm limited by actually having to do other stuff with my life.

Re:Illegal?

[Kjella]

(as far as the DMCA says; it could be legal to distribute it as protected free speech, but I don't know if anyone has tried to use that defence since the MPAA backed off in the DVDJon case).

1) The DVD-Jon case was in Norway
2) Consequently, it wasn't under the DMCA
3) It was the public prosecutor that tried and failed twice to convict him
4) They chose not to appeal it to the Supreme court, but only because there was no point
5) Since then, Norway and the rest of EU has been forced to adopt the EUCD aka euro-DMCA
6) Nobody has really tested the current law after the EUCD, at least not here in Norway

Re:Illegal?

[Warbothong]

"illegal software installer" can be interpreted two ways. Either as a software installer which is illegal (which Automatix is not), or as an installer for illegal software (which, in areas like the US, it certainly is (DeCSS, LAME, etc.), and in other areas it probably is too (for instance the Adobe Acrobat issue mentioned in the report)).

It is a shame that those with the ability to make correct, safe software installers and those with the inclination to make souht-after-but-problematic-software installers are two seperate camps.

Personally I do not like Automatix anyway, from experience trying to help those in IRC for whom these problems have surfaced, but for the most part its functionality seems to be that of an extremely limited package installer, ie. a vast amount of the stuff it installs (Java, Flash, MP3/etc. codecs, media player browser plugins, etc.) can be found in Synaptic or the Add/Remove tool along with thousands of other packages, Automatix just limits the selection to the most popular ones, along with some third-party unpackaged software (the installation and removal of which seems to be the main cause of its problems). I can't help feeling, however, that if people actually want to install a Java VM or multimedia codecs then looking for them in Applications>Add/Remove is very straightforward, whereas Automatix gives such a small selection that users of it would end up installing stuff they might not need or want simply because it is there for free so they might as well. If they spent their time in the Add/Remove tool doing this then they might end up finding better quality, better integrated, better supported software for a much broader range of things, but of course that might end up *shock horror* introducing people to new software which doesn't pay whatever company dominates that particular field.

Re:Illegal? Misleading and Misconstrued FUD

[Randle_Revar]

Alternately, learn Linux

If you were to learn Linux you would not need Automatix,

Re:Bigger Question

[Antique+Geekmeister]

I do. My boss does. My company lawyers do. If I got caught illegally installing such software for Linux users on corporate systems, I'm in direct violation of my employment contract and lose my job. It could also cost the company far more in legal fees and punitive damages than I've saved them by installating admittedly superior Linux based software to accomplish work tasks.

Mr. Stallman and the FSF's approaches, that software patents are a bad and evil thing, and that we need to protect ourselves from licenses that deny us the rights to use or modify our computers to do the things we want, continue to be a source of excellent guidance on these issues. The MP3 patents are a classic example of where software licenses break down: they not only are used to reward the authors, but to actively prevent other competitive use of related or improved products.

Re:Illegal?

[jibun]

Yes, the wording was unfortunate. What was probably meant was something like this:

5) Since then, Norway and the rest of the European Economic Area has been forced to adopt the EUCD aka euro-DMCA

See http://en.wikipedia.org/wiki/European_Economic_Are a to understand how Norway integrates into the EU single market and legal framework.

Warning: a little rant about multimedia thingies

[Pecisk]

I read posts and just wonder why people don't research subject, and stay to plainly dumb arguments. There are so misguided info about multimedia status on Ubuntu and how to install it, that it actually makes me a little bit angry (and getting emotional about computers is really something for me).

First I have to admit that it is community's fault, well, at least, part of it. Automatix is kinda one of those hacks for mass installations when you install distro on multiple boxes - no more, no less. It is a "hack" in a sense to provide urgent solution to a problem, but in long term more sane solution are required. I just wonder why those guys didn't submit those packages to universe/multiverse and dealed with it? (Ahhh, problem is w32codecs, but they are *illegal* anyway, in ANY country. Let me explain that later). What about commit yourself as community developer of Ubuntu project? Why working separately, instead of collaboration? Thanks for everything, Automatix finally let's use repository and community start to suggest Ubuntu "standard" way of doing things, via apt-get install gstreamer* or Add/Remove...

Second my ripe is that Automatix popularized solution, which works, but leads nowhere - therefore it is a hack without further direction (although, it is not Automatix devs nor users fault). In result, solutions which *might* be answer to problem, although not immediate, were left out from sight (because everyone uses ffmpeg + mplayer + xine combo, what a fun). We all remember Gstreamer and how it was in "cursed if you do, cursed if you don't" situation due of everyone blasting it and installing everything with Automatix instead. Yeah, it was very buggy, but they have won big fight with quality issues and moving faster now than before. They COULD escape such scenario, if there was enough community support. Instead of that, everyone hyped about Automatix and how it "deal with everything" - so in fact we lost at least several years to get us a proper media framework.

Thanks to Ubuntu devs, situation is much clearer now. You can install almost any set of codecs from Ubuntu repositories (Gstreamer plugins or Xine/ffmpeg combo, Gstreamer can use ffmpeg lib too) and they are working. But still lot of manuals and guides suggest just don't waste time and install Automatix. Strangely, but as a geek, I enjoy clearness of my system and install everything trough apt-get/synaptic, dpkg -i (or GUI eq.) and Add/Remove...

I am happy that more and more people use Ubuntu solutions for installation of multimedia codecs, not Automatix. It is also gives bigger test ground for Gstreamer/Xine/ffmpeg and bugs can be reported and collected to be submitted upstream.

In post scriptum, about w32codecs. I might be wrong, but w32codecs consists of hacked together dlls from various distributions of RealMedia, WMA, etc. etc. Licenses for those programs isn't even close to free distribution and doing that is violation of copyright. So they are not legally distributable in ANY form, period. In any country of the world which supports concept of copyright.