Maybe consider getting rid of some external dependencies

[tulilirockz]

I don't want to be that security-focused weirdo person that thinks everything is a huuuuge booggie man and is gonna destroy the project, but I feel like as this project is getting more and more traction, we should consider reacessing which external dependencies are being added at least for the base Bluefin images (non -dx).

I'd consider an "external dependency" something that does not come from either the Fedora official repositories (rpm-fusion too), Homebrew packages, Flathub, or our own packages repository (or anything else on our org, like akmods, and others). Considering that, we currently have these external dependencies on base:

• https://copr.fedorainfracloud.org/coprs/sentry/switcheroo-control_discrete
• https://copr.fedorainfracloud.org/coprs/che/nerd-fonts
• https://github.com/starship/starship
• https://github.com/rcaloras/bash-preexec
• Mediatek firmware from https://gitlab.com/kernel-firmware/linux-firmware
• Charm Repo
• Tailscale Repo

On HWE:

• https://copr.fedorainfracloud.org/coprs/lukenukem/asus-linux
• https://github.com/linux-surface/linux-surface patches

On DX we have these:

• https://copr.fedorainfracloud.org/coprs/ganto/lxc4
• https://copr.fedorainfracloud.org/coprs/ganto/umoci
• https://copr.fedorainfracloud.org/coprs/karmab/kcli
• https://copr.fedorainfracloud.org/coprs/atim/ubuntu-fonts
• https://copr.fedorainfracloud.org/coprs/hikariknight/looking-glass-kvmfr
• https://copr.fedorainfracloud.org/coprs/gmaglione/podman-bootc
• https://github.com/kubernetes-sigs/kind
• https://github.com/githubnext/monaspace (not executable code so doesnt matter)

Other than these there are just things getting pulled from hwe and akmods, nothing really to worry about. But I'd just like to ask you guys if there would be anything that would be best to be moved to packages so that we could have more control over, or just straight up removed from the system

[tulilirockz]

I believe the HWE ones are gonna get removed at some point, arent they? - Otherwise honestly I think just stuff like the ubuntu-fonts copr is kind of redundant since we have them on-repo already

[tulilirockz]

I believe a improvement would be a way to know which coprs are being used for which packages on the packages.json. Currently I believe someone could for example make a custom package w/ the name of another one using an existing copr to inject other programs into the build for example. I know this is being paranoid but its still kinda concerning

[castrojo]

This has been on the todo for a while so might as well take care of it. The HWE ones go away, I'm fine with deps on the upstreams like k8s, tailscale, starship, etc. Bazitte uses Switcheroo and we work with sentry already, though it might make sense to move that one to ublue-os/packages since bazzite uses it. Hikari is on the ublue core team. The podman-bootc one is run by a redhat and fedora person, and likely has a path into Fedora anyway.

The Incus stuff either gets better in-distro or we may choose to use timothee's sysexts for that.

I feel like fonts should be a separate audit because that's a whole ball of stuff. I forgot what bash-preexec does, I think we use it with distrobox?

[befanyt]

I forgot what bash-preexec does

FWIW I recognize bash-preexec as option for bash when using atuin.
https://docs.atuin.sh/guide/installation/#installing-the-shell-plugin

[m2Giles]

Bash pre exec is for atuin.

[castrojo]

Ah! Ok so we had atuin on the image itself at one point, but now it's an opt in install via homebrew, which should pull in everything it needs. So maybe we don't need this on the image anymore?

[befanyt]

Not sure if this file is being used anymore, but it is pointing to that bash-preexec

bluefin/system_files/shared/usr/share/ublue-os/bluefin-cli/bling.sh

Line 23 in 93b4e99

. /usr/share/bash-prexec

Seems to be in use by ujust bluefin-cli via /usr/libexec/ublue-bling.sh

As far as I can tell, brew provides a atuin binary, not your bash setup.