
youtube-dl->yt-dlp, edx-dl, python3-pafy: remove

Open menaechmi opened this issue 6 months ago • 6 comments

In short: orphaned, not likely to get a new release, security vulnerability. Use yt-dlp or nightly youtube-dl releases from GitHub.

Edit: After reviewing qytdl, which depends on youtube-dl, but is patched to force the use of yt-dlp, it makes the most sense to turn youtube-dl into a dummy package. But edx-dl remains unusable and not likely to be updated, and python3-pafy no longer meets Void Package Requirements (not required to be system-wide, not compiled, and previously was required by mps-youtube which became yewtube which now uses yt-dlp - so not required by anything).

Testing the changes

  • I tested the changes in this PR: Briefly

menaechmi avatar Jun 10 '25 17:06 menaechmi

The RFC was closed as the discussion should take place here (totally fair). So here's the quick summary of the RFC:

  1. Upstream has moved to nightly releases (under youtube-dl-nightly) and is not continuing to make releases under youtube-dl.
  2. The package has a security vulnerability in versions prior to 2024-07-03 (which includes the current version): https://github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq
  3. It does not currently work on youtube, but does work for other sites.
  4. There is a drop-in replacement yt-dlp. It has a void package and is regularly updated and maintained.
  5. Popcorn says usage is 18/115 (~15.6%). (54 are using yt-dlp).
  6. Other distros have dropped it (Alpine, Arch, Brew, FreeBSD, Gentoo), or make the release install yt-dlp instead (Ubuntu, Debian)

Additionally, on review, it doesn't meet the Void Linux Package Requirements ("Software need to be used in version announced by authors as ready to use by the general public - usually called releases.") as 1) There is no need for it to be installed system-wide 2) Not compiled 3) It is currently required by some packages (I will update the PR to remove them too if consensus is to remove):

  1. qytdl (a front-end for this package)
  2. persepolis (which has changed to yt-dlp, just isn't updated in Void)
  3. python3-pafy (a python wrapper for this python script?)
  4. edx-dl (an edx.org downloader that seems unmaintained).

Alternative actions:

  1. Move the package to youtube-dl-nightly or similar (would need a willing maintainer).
  2. Turn youtube-dl into a meta/dummy package for yt-dlp instead.

menaechmi avatar Jun 10 '25 20:06 menaechmi
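
A check for point 2 of the summary above, added here as an example and not part of the thread or of void-packages: it classifies a youtube-dl version string against the 2024-07-03 cut-off stated in that point. It assumes version strings are dotted or dashed dates (YYYY.MM.DD); the function name `ytdl_status` and the variable `FIXED_DATE` are made up for the example.

```shell
#!/bin/sh
# Added example: classify a youtube-dl version string against the fix date
# given in the thread. Assumption: versions are dates such as 2021.12.17.

# From the thread: versions prior to 2024-07-03 are affected.
FIXED_DATE=20240703

# Print "vulnerable", "fixed" or "unknown" for one version string.
ytdl_status() {
    ver=$1
    # Accept YYYY.MM.DD or YYYY-MM-DD, optionally followed by a dotted
    # suffix. Anything else is reported as unknown, never as safe.
    case $ver in
        [0-9][0-9][0-9][0-9][.-][0-9][0-9][.-][0-9][0-9]) ;;
        [0-9][0-9][0-9][0-9][.-][0-9][0-9][.-][0-9][0-9].*) ;;
        *) echo unknown; return 0 ;;
    esac
    # Keep the date part only and drop the separators: 2021.12.17 -> 20211217
    num=$(printf '%s' "$ver" | cut -c1-10 | tr -d '.-')
    if [ "$num" -lt "$FIXED_DATE" ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# When called with an argument, report on it, for example:
#   sh ytdl-check.sh "$(youtube-dl --version)"
if [ $# -gt 0 ]; then
    ytdl_status "$1"
fi
```

An `unknown` result means the string could not be parsed as a date and should be looked at by hand.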

Only downside is if someone is using aliases with youtube-dl they might stop working/work unexpectedly. There is a --compat-options flag in yt-dlp which Gentoo uses to mitigate this.

icp1994 avatar Jun 12 '25 07:06 icp1994

agree, it would be good to have the transitional package be a small wrapper script

classabbyamp avatar Jun 13 '25 01:06 classabbyamp

split into commit per package, added a wrapper script

classabbyamp avatar Jun 13 '25 15:06 classabbyamp

I don't think that's necessary

classabbyamp avatar Jun 13 '25 16:06 classabbyamp

Then I think it looks good. There hasn't been anyone to veto removal or a transitional package, so I'll remove it from draft status. Thank you @classabbyamp

menaechmi avatar Jun 13 '25 16:06 menaechmi

One could also upgrade yt-dlp to 2025.06.09 while at it..

biopsin avatar Jun 24 '25 12:06 biopsin

?? https://github.com/void-linux/void-packages/commit/90a30170022a0aa7604a255f846a82c27d09fccf

classabbyamp avatar Jun 24 '25 14:06 classabbyamp

Resolved merge conflicts, and xlint has been updated to now have metapackage= so the lint check should pass.

menaechmi avatar Jun 30 '25 18:06 menaechmi