I’m always in favour of Linux’ “central repo installation”, also for security reasons.
Now on my old Mint machine, I had to use the developer’s wild “sudo shell this and that” script, because there simply was no current version in the Debian or Mint repos.
With EOS, I was quite happy to see the (then) current version in extra/calibre and installed it. This is not placed into /opt as the original would be, but worked nicely. Except it hasn’t been updated for the latest 8.8 and 8.9 versions of Calibre, and I’m stuck with 8.7—Calibre development and releases are quite fast-paced.
1. delete installed Calibre (from extra) and install from AUR (which?)
2. delete installed Calibre and install to /opt using an insecure and unknown script from “somewhere on the internet” that the developer recommends. (And which I’ve used for years on Mint, after initially checking what the downloaded linux-installer.sh does.)
3. Simply wait until maybe extra/calibre gets updated (flagged as out-of-date already).
What would active Calibre users recommend, and what do our security experts here suggest?
I am continuing to use calibre from the repos. In general, it is good to avoid bundled dependencies because the majority of software developers don’t do a good job of keeping them updated.
Even if calibre development is moving quickly, everything I need is working fine for me right now.
That warning about distro packaging is simply the author not wanting to deal with support issues.
Agreed. There’s never been anything lacking in my use of calibre over many years. I update through the repository and “cancel” the annoying program-based update recommendations. Kovid Goyal has created such a gem … it’s worth letting him annoy me a little in exchange.
Meandering off topic with you… As noted above, it’s far more than that. Maintaining my ebook library for access across platforms is super handy. (I use “calibre companion” on Android - lets me sync up everything beautifully, since reading on a large tablet with a non-reflective screen cover is, for me, an ideal form factor.)
To see a direct pipe of wget to sh just raises some red flags for me. And the sudo just pushes it a little bit further.
I do not believe that calibre has something nefarious going on, but one-liners like this are just a bad practice.
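The safer pattern behind the objection above, as an added example that is not code from this thread or from calibre: save the installer to a file instead of piping it into sudo sh, check it against a checksum obtained out-of-band, and grep it for privileged or self-downloading commands before deciding to run it. The file names, the sample installer contents and the placeholder checksum are constructed for the demo; it assumes coreutils sha256sum and GNU/POSIX grep.

```shell
#!/bin/sh
# Added example, not from the thread or from calibre. Replaces
#   wget -O- URL | sudo sh
# with: download to a file, verify, review, then run deliberately.
set -u

# verify_installer FILE EXPECTED_SHA256
# Returns 0 when the file's SHA-256 matches the value you obtained
# out-of-band (release page, signed announcement), 1 otherwise.
verify_installer() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ] && return 0
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# risky_line_count FILE
# Prints the number of lines that escalate privileges (sudo), pipe a
# fresh download straight into a shell, or use eval. Use `grep -nE`
# with the same pattern to see the lines themselves before running.
risky_line_count() {
    grep -cE '(^|[[:space:]])sudo[[:space:]]|(curl|wget).*\|[[:space:]]*(sudo[[:space:]]+)?(ba)?sh([[:space:]]|$)|(^|[[:space:]])eval[[:space:]]' "$1" || true
}

# Constructed stand-in for a downloaded linux-installer.sh so the demo
# runs offline; the URL is a placeholder and nothing is executed.
make_sample_installer() {
    dir=$(mktemp -d)
    cat > "$dir/linux-installer.sh" <<'EOF'
#!/bin/sh
echo "installing"
sudo mkdir -p /opt/calibre
wget -O- https://example.invalid/stage2.sh | sh
cp files /opt/calibre
EOF
    echo "$dir/linux-installer.sh"
}

# Typical flow after `wget -O linux-installer.sh URL` (not `| sh`):
#   verify_installer linux-installer.sh "$EXPECTED_SHA256" || exit 1
#   echo "$(risky_line_count linux-installer.sh) line(s) to review first"
```

In the constructed sample, the sudo line and the download-to-shell line are the two hits a reviewer should read before choosing to run the script.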
The question is if the distribution may play a role in it. Some may have a very long update cycle. Perhaps someone was creating new bug tickets for very old versions.
When I check the changelog I really do not see a need to update to the latest release. If I stick with extra/calibre I think that will be a good choice (it is also more likely that all related system libraries will be compatible with it as well).
It seems the new version of Calibre has a dependency on a version of espeak-ng that hasn’t been released yet. A guy involved with espeak-ng (it looks like he’s the primary contributor) has lost his job, so he’s been busy. He says that he hopes to get espeak-ng ready by the end of September.
See here:
To prevent Calibre from nagging about a new version: