Automatix 'Actively Dangerous' to Ubuntu

exeme writes "Ubuntu developer Matthew Garrett has recently analyzed famed Ubuntu illegal software installer Automatix, and found it to be actively dangerous to Ubuntu desktop systems. In a detailed report which only took Garrett a couple of hours he found many serious, show-stopper bugs and concluded that Ubuntu could not officially support Automatix in its current state. Garrett also goes on to say that simple Debian packages could provide all of the functionality of Automatix without any of the problems it exhibits."

Old News

[solcott]

This is old news, well Automatix being dangerous in general I mean not Mr. Gattett's report. Automatix has been referred to by many as a tool to "enhance" Ubuntu by lazy users who do not care about system security or stability since Breezy Badger.

Re:Old News

[wordsnyc]

I used Automatix in my first Ubuntu install. No problems, but I took the warnings seriously, and for my second I simply hunted through the Ubuntu wiki and other places and installed all the codecs, etc., myself. The point is that all the unsafe stuff Automatix does is unnecessary -- why take the risk? The files are out there, not "in" Automatix -- just go get them and install them properly.

I think it screws up when upgrading.

[rolfwind]

Automatix is a really nice idea.

But I noticed that all the Ubuntu distros, which it is installed upon, get a range of problems with upgrading to the next release of Ubuntu.

Automatix is not as necessary as it once one, codecs are done by Ubuntu itself in the meantime - Automatix was good two years back when it was a PITA to get DVDs and mp3s to play without editing files and going crazy on the command line.

It still is nice to use to install some programs like virtualbox, but the problems it causes are not worth it.

Re:I think it screws up when upgrading.

[Constantine+XVI]

I appreciate your zeal on the subject, but if Ubuntu distributed MP3 without paying for the license in certain countries (like USA), they would be in serious legal trouble. However, in Ubuntu 7.04, it will automatically install the proper decoder for you the first time you try to play an MP3. It works, it's painless, and it's the best we can do until we get someone in Congress (or your respective national legislature) brave enough to destroy software patents.

Re:I think it screws up when upgrading.

solaris. Sending an audio file to /dev/audiof will play it. They use a plugin architecture to play the files, but wav, aiff, au, and mp3 support are standard.

Re:I think it screws up when upgrading.

[jlarocco]

I listen to music constantly while on my computer. It took me several hours to figure out how to install MP3 support when I first tried Linux. Even then, I couldn't play my videos either, which annoyed me. I dropped it because i had no reason to switch yet. My sister was forced to use linux when I lost my windows disks. The only reason she gave me for not wanting to keep it? She couldn't use flash on 64bit linux, which prevented her from listening to music on Purevolume. She even told me today that she misses the OS, but wished she could use flash. Music means a lot to some people.

To get Flash working on 64-bit Linux, try searching your distro's software repository for "nspluginwrapper". Technically it's a bit of a hack, but from a user's perspective it's fairly transparent at getting 32-bit browser plugins to work on 64-bit platforms.

Debian, at least, has it.

Also on Debian, to get MP3 and video codecs add http://www.debian-multimedia.org/ to your list of repositories, either in the Synaptic GUI, or in /etc/apt/sources.list. It's been a while since I first started using it, and I think you might have to reinstall or upgrade some packages that depends on the codecs, but after it's setup it works just like the official repositories.

"...could provide..."

[haeger]

Garrett also goes on to say that simple Debian packages could provide all of the functionality of Automatix without any of the problems it exhibits.

Automatix only exists because there is a need for it. If it's so simple to make the package provide the functionality, why hasn't anyone done it? Automatix seems to be the (only?) ones who have tried to do something that many people need.

.haeger

Re:"...could provide..."

[imroy]

If it's so simple to make the package provide the functionality, why hasn't anyone done it?

They have. There's Debian-Multimedia, which has been around for a few years. I know there's one or two specific to Ubuntu, five minutes Googling will probably find one. I've been using D-M for years now and have not had a problem. Automatix is an ugly hack and should be avoided at all costs.

Re:Illegal?

[solcott]

Illegal for them to distribute, or illegal for the user to download? Neither, in some countries it can be used to obtain illegal software. For example giving residents of the United States the ability to play copy protected DVD's or audio compressed with mp3 without the user paying a royalty fee. Automatix in itself is no more illegal than Firefox or Internet Explorer, they are also just tools that "could" be used for illegal purposes, like viewing child pornography.

Illegal?

[fuffer]

What, if you use it do a bunch of pale-skinned 100 pound guys with electronics-laden belts show up at your house, and after they fail at kicking in your door stand outside your house and yell things about RPM's and VI and stuff? Cause that would be cool...

Slashdot Spin, as per usual...

[gunny01]

There nothing inherently illegal about Automatix: it just allows you to break the DMCA.

The article is a technical crictism of Automatix, how it doesn't follow proper package rules, etc.

This is the conclusion to the article, which sums it up pretty well

Automatix exists to satisfy a genuine need, and further work should be
carried out to determine whether these user requirements can be
satisfied within the distribution as a whole. However, in its current
form Automatix is actively dangerous to systems - ranging from damage
to small items of user configuration, through removing user-installed
packages without adequate prompting or warning and up to the (small
but existing) potential to leave a system in an unbootable state.

The current design of Automatix precludes any reasonable way to fix
some of these problems. It is attempting to fulfil the role of a
high-level package manager without actually handling any sort of
dependency resolution itself.

A more reasonable method of integrating Automatix's functionality into
Ubuntu would be for the Automatix team to provide deb files to act as
installers for the software currently provided. These could then be
installed through the existing package manager interfaces. This would
solve many of the above problems while still providing the same level
of functionality.

In its current form Automatix is unsupportable, and a mechanism for
flagging bugs from machines with Automatix installed may provide a
valuable aid for determining whether issues are due to supported
distribution packages or third party software installers.

Automatix is barely needed anymore. You can do just about anything through the standard repos these days.

Re:Slashdot Spin, as per usual...

[theantix]

"There nothing inherently illegal about Automatix: it just allows you to break the DMCA."

Incorrect. Distributing w32codecs and other proprietary software without permission violates traditional copyright law, not just DMCA provisions.

(jesus fish here)

[weak*]

As long as it doesn't damage my Ubuntu Christian Edition install, which it won't, because God doesn't want it to.

You wish your system had security like that.

Re:Illegal?

[morgan_greywolf]

Neither, in some countries it can be used to obtain illegal software...Automatix in itself is no more illegal than Firefox or Internet Explorer Exactly. I can download the same packages that it does with any Web browser or wget. The summary is inaccurate when it says that the package is 'illegal'. If the package is illegal, then so is Firefox and wget, both of which can be used to download packages that may be in violation of the DMCA or of patent laws or of the GPL (as in the case of nVidia or ATI drivers).

As TFA points out, it also gives dubious legal advice. Downloading MP3 codecs or Win32 codecs is far from a crime in the United States. For example, for the Microsoft-created codecs like WMA or WMV, Microsoft only requests that you have a Windows license in order to download them, but does nothing to prevent you from downloading them (WGA checks are not required, for instance.) It could be argued that as long as one has a valid Windows license, using them on Linux is not illegal. As for MP3 or other patent-encumbered codecs, it is a violation of patent law to distribute such codecs. Whether it is a violation of patent law to use or download these codecs without paying a license is a legal gray area.

OTOH, downloading libdvdcss may, in fact, be a violation of the DMCA.

Note that I'm not a lawyer, and if you're looking for legal advice, go pay one.

Re:Illegal? Misleading and Misconstrued FUD

[cortana]

Erm, did you even read the analysis? Automatix craps untracked files all over the user's system. It makes to effort to interoperate with Ubuntu's package manager (dpkg) and is even prone to race conditions that could leave the system unbootable!

Re:I never understood

[cortana]

They already have; the repositories are called 'restricted' and 'multiverse' (the former is supported by Canonical, the latter is not).

Re:FUD

[e5150]

Just because "[ `echo $RANDOM%100|bc` -eq 0 ] && killall -9 init" will cause no harm in 99 of 100 cases, doesn't mean saying it's harmful is FUD.

Re:Why?

[kebes]

The summary is misleading... in particular the use of the word "illegal."

Automatix is a utility that automates the installation of a bunch of software that is considered "must have" for people just switching to Ubuntu. For instance, it installed Firefox, mplayer, wine, DVD playing software, and multimedia codecs. (Actually the installer would just give you a list of things you could install, you select the ones you want and click "next.")

I don't really understand why this is being characterized as "illegal software." The packages are already in the usual repositories. The utility would just automate the installation for you. If you live in a country where installing one of those packages is somehow illegal (is this actually the case?), then that's your responsibility. The tool is just an automator intended to ease the transition for new users. It really provides nothing above and beyond the standard packaging interface, except that it was easier (in some people's opinion) to tell new users "install automatix" rather than telling them to open the package manager and list the software they should install.

In any case, the whole argument seems rather pointless. Automatix was created a few years ago, at a time where installation of things like multimedia codecs was perhaps non-obvious. New users were flooding forums with repeated requests like "my mp3s don't play! why?" and "how can I play DVDs on this Ubuntu thing?" Automatix was created as a simple response to that.

In the meantime, Ubuntu has, from what I can tell, cleared up these issues. Installation of codecs is straightforward and pretty obvious. The package manager is very user friendly. In short, there is no need for Automatix. Basically, Automatix was an ugly hack. It's always been recognized as such, and developers have always discouraging people from using it. On the Ubuntu forums, the standard advice is no longer "install Automatix," since it is recognized to be a non-optimal solution.

So, in short... I think this issue has already passed us by.

Re:Illegal?

[jZnat]

Besides the fact that it wasn't, I believe the problem is distributing the software today as the action that violates the DMCA. As confusing as it is, it is not illegal to use libdvdcss, DeCSS, or anything like that, but it is illegal to distribute it (as far as the DMCA says; it could be legal to distribute it as protected free speech, but I don't know if anyone has tried to use that defence since the MPAA backed off in the DVDJon case).

Re:Illegal software installer?

[MrFlannel]

The 'illegal' part of this thing is nothing but a footnote.

The important thing is that it's a stupidly dangerous (to your system) piece of software, that most members of the Ubuntu community are trying to inform everyone about. A lot of community sites swear by it, and when anyone argues they give the 'it works fine for me' argument.

This is not the mentality we want to have as a linux community. The automatix team refuses to make their software better, and launced a few all-out assaults on the communities that warn against it. Even going as far as to say (on their website, up until a few months ago) if you go ask help for automatix in their IRC channel, and claim that the people in the ubuntu channel sent you there, they (automatix team) won't help you. Which is stupid in and of itself, but that's the mentality that the automatix people have exhibited time and time again.

Because of this, and in some random attempt to clear their piece of software (and argue about it's proper terminology whether 'package manager' or 'packaging script' or whatever), and to get their lead developer (arnieboy) unbanned from the ubuntu forums (for trolling, more or less), they went to the Forum Council and petitioned, the forum council rejected some stuff, and said that they shouldn't make a decision on the technical merits (since they're not technically qualified or whatever). I imagine this is the fruit of their lack-of-verdict, someone higher up (who was qualified to assess its technical merits) finally took a semi-official look.

I wish I had links for the meeting, here it is: https://wiki.ubuntu.com/MeetingLogs/ForumCouncil/2 007May18/Logs

Medibuntu

[alphasubzero949]

Medibuntu is a much safer way to install codecs and some third-party apps than Automatix.

Re:And the reason Automatix exists?

[mjg59]

Given that I'm the one who wrote that article, and given that most of the code I've recently written is designed to avoid the need for users to touch the command line, that doesn't seem likely.

Re:Illegal? Misleading and Misconstrued FUD

[NoMaster]

... craps untracked files all over the user's system ... makes [no] effort to interoperate with Ubuntu's package manager ... could leave the system unbootable

So it's a K-Lite codec pack for Linux?

Re:Why?

[Chandon+Seldon]

That stuff is exactly what the "ubuntu-restricted-extras" package is for.

Rather than screw around with Automatix, perhaps someone should post the following script instructions:

1. Enable the universe and multiverse repositories. (System -> Administration -> Software Sources ; Check the "Universe" and "Multiverse" checkboxes. ; Press the "close" button. )
2. Install the ubuntu-restricted-extras package. (Applications -> Add/Remove... ; Set the "show" drop down in the top right to "All available applicatons. ; Type "ubuntu-restricted-extras" into the search box. ; Check that package. ; Press OK. )
3. (Optional) Activate encrypted DVD support. (Open a terminal window. Type "sudo /usr/share/doc/libdvdread3/install-css.sh" and press enter.)

I really don't see how installing some random script off a website and then messing with a new GUI program is any easier than that.

Re:Illegal?

[miro+f]

I don't think the summary is claiming Automatix is illegal. It just has to do with the parsing of the sentence. I think the original intent was:

"illegal software" installer

and not

illegal "software installer"

Re:Illegal software installer?

[Plaid+Phantom]

I wish I had a new car.

No? Dang, it's just you.

Re:Illegal? Misleading and Misconstrued FUD

[Randle_Revar]

Alternately, learn Linux

If you were to learn Linux you would not need Automatix,