Anki on Linux - An extremely simple way to make it more accessible, secure, and future-proof

Hi. I know that this post is long, but I poured my heart into it. I hope that you really do read every post as the pinned post says.

Now onto the issue: getting Anki on Linux is not as accessible as it can be, when compared to Windows and Mac’s simple GUI installers.

For one, not a single Linux distribution offers the latest version of Anki in their repositories, not even Arch, which is renowned for having the latest version of packages.

Anki’s solution to this issue thus far has been to offer an official .tar.bz2.

That presents many problems, a few of which are:

  1. it requires fiddling with the command line, a certain know-how that can leave newbies confused and make them give up in exasperation if any, say, dependency issues arise
  2. it’s a messy way to install and upgrade software
  3. it’s not as secure as it could be

So I am here to present the solution to all these problems: Flathub.

Now, I noticed that this idea was already suggested here (which I can’t link because of the two-link limit imposed on new users).

But I assume that as busy as you are, you immediately dismissed it out of hand because your first reaction was “Flat-uh-what? What is that? No thanks.”

So I’m here to try to attempt a more convincing argument.

Flathub is an app store. It is probably the most popular Linux app store, and it works on every distro (the ‘backend’ technology being Flatpak). You release once on Flathub, and you instantly reach every Linux distro.

Now I know what you’re thinking: Aren’t there like a dozen competitors (AppImage, Snap, etc.) that all claim to do this for Linux? Why pick Flathub/Flatpak over any of them?

The difference is that Flathub/Flatpak is made by the same developers that work on Freedesktop, GNOME, Wayland, Red Hat, Fedora, and so on. They have a solid history of developing standards that end up being widely adopted and ‘winning’ over the competing standards (Wayland beating Mir, GNOME beating Unity, etc.)

Basically, Flathub/Flatpak is here to stay, and so there is no reason to worry that it is just another flavor-of-the-month that will be abandoned and leave you lamenting wasting your time on a dead platform.

Some examples of popular devs utilizing Flathub officially are Citra, LibreOffice, Mozilla Firefox, and many, many, more.

Many devs have chosen Flathub as their Linux platform of choice because it is the most popular, convenient, and best.

To get to the point, releasing on Flathub would allow:

  • the latest version of Anki to instantly reach basically every Linux distro with one single package, no distro-specific tweaks required
  • you to just as easily push updates to Anki Flathub users
  • newcoming Anki users on Linux to install Anki with a single click, zero knowledge of the command-line or how dependencies required
  • newcoming Anki users to keep their Anki updated automatically
  • Anki to take advantage of security/sandboxing measures built-into Flatpak

Basically, it’s a huge benefit in every way with no downsides that I am aware of.

The good news doesn’t stop there. Anki is already on Flathub! (Anki’s Flathub page: Flathub—An app store and build service for Linux)

So most of the work is really already done, I think…I apologize if otherwise.

The teeny-tiny problem being that, as of this moment, it’s community-maintained and the maintainer is MIA, so it’s stuck at version 2.1.38.

But you being the dev, all you would have to do is request control, which is simple: App Submission · flathub/flathub Wiki · GitHub

That wiki in general contains all the other necessary info on how to release/maintain an app on Flathub.

Flathub truly is the best, easiest, simplest way to release on Linux and instantly reach every Linux user. I sincerely hope that you consider it.

I swear that I’m not a Flathub/Flatpak employee or anything. Just a Linux user who wants to help Anki become more accessible and successful.

I hope that I convinced you. Thank you for reading!!

I am not against your idea but separate from security arguments, these arguments are not very convincing.

It doesn’t require command line nor installing. It only requires clicking on Anki file:
/anki-2.1/bin/./Anki
And you can create an icon shortcut for it.

Here is the link to previous discussion:

Well, it’s a mess.

  1. 3rd party apps do not belong in the root folder. Here /
    They belong in /opt/

Wrong:
/anki-2.1/bin/./Anki

Correct:
/opt/anki/bin/./Anki

  1. In your README you request to run a script to install it:
- To install system wide, run 'sudo ./install.sh'

With that, there are two issues.
First, sudo doesn’t work on all distributions that way. They will require to use “su -” to become root.
Second, you are expecting the user to run some awkward shell script.
For security reasons the user will need to read and code audit it to make sure, that it doesn’t mess with the system.
The correct way to do it would be to provide a distribution specific package so that not an awkward script is in control, but the package manager.

Thus a deb package for all dpkg based distributions.
A rpm package for all rpm based distributions.
A Pacman package for all pacman based distributions.
A ebuild package for all portage based distributions
etc. i think you will get it.

  1. And when uninstalling, it gets worse:
- To remove in the future, run 'sudo ./uninstall.sh' from the same folder.

because you request the user to keep the unpacked *.tar.bz2 folder somewhere in his ~/Downloads/ folder so he can run your awkward uninstall script.
Here again using the package manager and providing the files in the right deb, rpm etc. package is the correct way and not such awkward *.tar.bz2 file which is undermining the package manager.

  1. If someone creates a package manager aware packet of anki and installs the files in the same folder as your install script. In this case, /usr/local/ . It get’s even worse.
    Because then your files will be overwritten or if it is done the other way, the files of the package gets overwritten and the package manager won’t notice it, because installing via awkward scripts is so a bad thing undermining the package manager.

If you want have it in a clean way, you will need to provide a distribution specific package for the distribution specific package manager so he can be aware of the process and in control of it.

  1. Your *.tar.bz2 file isn’t even cryptographically signed. The user can’t validate it.
    All the distribution based package managers provide a infrastructure for signing packages.

  2. Anki is using some sort of 3rd party addon infrastructure. Because it does that, security get’s very important.
    Thus your anki progam should be sandboxed by default. Which isn’t the case for your tar.bz2 file.
    By using a distribution specific package this could be done by providing an apparmor specific configuration file with the package and make the package depend on the packages for apparmor.
    Thus apparmor will be installed via the package manager if it isn’t and anki will use apparmor, when the users start anki.

Flatpak on the other hand, might not be distribution specific, but can also provide at least the security features which is still better than your awkwards tar.bz2 script with no security at all.

You have misunderstood. This is the path when you unpack tar.br2 locally
/home/username/anki-2.1.40-linux/bin/

You don’t need to install anything.

When downloading Anki you have disclaimer:

Notes

Some Linux distributions include Anki in their repositories. We’ve seen many users experience problems with these distributed versions, due to them being out of date or missing appropriate libraries. For this reason, the compiled package above is recommended over using the version of Anki bundled with your Linux distribution.

First, sudo doesn’t work on all distributions that way. They will require to use “su -” to become root.

Sorry to say that but this is a huge exaggeration.
If you use Linux you must read the basic information about your distribution. Sorry but if someone is too lazy or too dumb to know whether distribution uses su or sudo, Linux is not for this person. And Anki installation is not the first thing you are expected to do after you install Linux. I guess reading your distro wiki is the first thing user should do and learn how to operate it.

Second, you are expecting the user to run some awkward shell script.
Sorry but this is just a normal copy paste command. You should be grateful that it is given on download site.

For security reasons the user will need to read and code audit it to make sure, that it doesn’t mess with the system.

If you don’t trust don’t use it. Expecting Damien to provide all this Linux packages is a complete non-sense. He must stay focused on Anki not on packaging.

The correct way to do it would be to provide a distribution specific package so that not an awkward script is in control, but the package manager.

You must understand that Linux is not important here. It is not a priority. Anki is. It is a matter of where to put time and effort.

If you want to raise some security concerns make sure you focus on security and make your arguments valid. As a 10-year Linux user I can tell you that this attitude “I want this” “I want that” is not going to work if you don’t provide legitimate arguments and solutions.

It would be much better if you could provide some information how to make flatpak.

You should have at least point to flatpak site.

1 Like

I did not realize that Anki could be run from the folder without being installed. That makes it quite simple.

Nonetheless I still would love for Anki to be Flathub’d, for all the reasons that I listed in the main post!

Well, that’s why Flatpak is there for, but you said you don’t want to use it.
Thus distribution specific packages are the only viable and good solutions left.
Your choice.

That’s what i did.

The threadstarter can do this. I was requesting for distribution specific packages.
See my other thread about a debian specific package.

And insecure.
Keep in mind that you can use 3rd party addons for Anki and if you install it in your home folder without sandboxing it, the 3rd party tools can go havoc on your home directory.

The better solution would be distribution specific packages, but a Flatpak would be the second best option.

Would be great have an official support for Anki flatpak. Would be more accessible if you could install Anki from a Software Store like gnom-software, pop-shop etc … Flathub make that possible.

I didn’t say I don’t want to use it. I just don’t feel the need to use it.

I am not sure but most if not all Anki add-ons are open source and authors have github account. It gives some degree of sense of security.

I have nothing against Flatpak or any other solution. I advocate only for legitimate argumentation. Your wasn’t legitimate nor valid.

Second, you are expecting the user to run some awkward shell script.

If you find terminal command awkward you should address this point of view to Linux developers not to Anki developers.

Expecting developers to do all these different distribution specific packages is a non-sense. It will just not happen. And I prefer Anki developers to focus on Anki not on Linux. On Linux you can use Firejail.

Although I agree that Flatpak might be very convenient and security oriented solution for Linux users.

1 Like

And that’s a problem.

I just took a closer look in your tar.bz2 file.
All file permissions are wrong.
A library shouldn’t be executable. The x bit shouldn’t be set.
The same applies to html files.

But in your tar archive most of your data and library files have an x bit set:

-rwxr-xr-x 

correct would be

-rw-r--r--

You have even set the x bit for a simple Text file.

-rwxr-xr-x 1 XXXXXX  XXXXXX        48 Feb  7 04:39 buildinfo.txt

Only files like executables, bash scripts etc. should have the x bit set.

And that’s only what i can see on the top, i wonder what else is wrong from a security point of view under the hood.
Running your program in a sandbox seems to be definitely a must to protect the system.

Then you have data files like certificates in your bin folder.
If you have more then let’s say 7 libraries in your bin folder, they belong in a subdirectory folder called lib.
It’s bad practice to have them all in the same top folder as the executable.

I also counted 166 *.so library files. I highly doubt that Anki will all need them.

If you download them directly from the git source maybe, but not when you use the anki infrastructure to install addons.
Or does it have features like signature signed addons and reproducible builds?

Your opinion, not mine.

Linux developers don’t use shell scripts for pogram installations, they use packages and let the package manager do the job.
This has something to do with security.

Software is usually installed as root, that’s the reason why a installer shouldn’t be an executable, but a package that is installed by the system’s package manager.
That way, the systems package manager is in control with root permissions and not the package itself.

Using executables as installers or scripts to do the same thing is a Windows thing with all the known drawbacks. It’s bad design if you do the same on Linux.

Historically deb and rpm are the standard package formats to deploy software.
Today you can use flatpak of course.

Firejail isn’t a thing that runs out of the box. You need to configure it for your executable you want to run if it isn’t a flatpack which brings its sandbox by itself.

Yes, but Damien is not a Linux developer and Anki is not Linux app. It is a cross platform app. It is his good will that he provides Linux version.

I also counted 166 *.so library files. I highly doubt that Anki will all need them.

I guess it is for not installable version. Stand alone version might need them.

You had better provide detailed knowledge what can be done better and how, instead of calling something awkward. That will be a valuable contribution.

Again, complaining here that some Linux users don’t differentiate between su and sudo is not a valid argument. It is an absurd argument. And you may call it my subjective opinion but it is just not the right place to do so.

You should not complain to the car manufacturer that the driver doesn’t have driving license or doesn’t know how to operate manual gearbox. It would be absurd. It is my opinion but it is a valid opinion, in contrary to your opinion.

So, focus on providing detailed knowledge about what and how to improve.