zlacker

Can someone explain the Home Assistant anecdote regarding JS and curl | sudo sh? Does the author mean Home Assistant isn't secure? Or that there's some issue with the front end of it? Or something else?

Because imo... that is the answer. We have seen so many stupid closed ecosystems of home automation stuff come and go, I dunno why you'd mess with anything else at this point. In fact I just got another email reminder that Google is turning off the old Works with Nest stack. Remember Nest? Yeah...

>>jmuguy+(OP)
This right here is like a second-order or third-order effect of the layoffs last year. Tech companies are shuttering useful consumer products because their profit margins just aren't high enough for today's high interest environment

>>jmuguy+(OP)
I'm also curious about the Home Assistant anecdote. It seems like there might be some security or reliability concerns, but I'd like more information to understand the context better.

>>jmuguy+(OP)
The author is referring to the officially recommended way to install home-assistant on a Linux box, which is just curl-ing and running an install script as root.

I totally get how that's off-putting, but the real recommended way to run home assistant is to install Home Assistant OS on dedicated hardware. Which also can be off-putting.

Either way, it's my favourite software that I regularly interact with (unless you count Linux).

>>jmuguy+(OP)
"just give us root on your system" install scripts like that are a security thing, yes.

I think the issue is more the attitude towards security and system stability that is implied by such installation methods, which is apaprently endemic to the entire "JS ecosystem". That attitude being "who cares about security or stability?"

When It's my system and I don't want to mess with it, just set stuff up and have it run trouble free and do the things I want (and only I want), then I do care about such things and agree that JS has no place other than sacrificial toy boxes that get insulated from "real" computing like they was a modem with its phone number posted at the payphones by the 2600 meetup.

>>rpgwai+h1
This. This is what she meant. But the problem is, if you really like home automation and don't want to spend an arm and a leg buying just one spec, you'll have problems and will have to use multiple hubs.

>>rpgwai+h1
I just run it in a docker container along with zwave-js, which is also in a docker container.

>>jmuguy+(OP)
It's nonsense. This is not even how you install home assistant.

They provide a pretty locked down image that also loads a ton of plugins in dockers. It's nice and well designed. And you don't have to expose it to the internet if you don't have to.

The installation described is legacy and only supported for historical purposes.

I agree that Hue has totally gone down the toilet but the criticism of Home Assistant isn't justified. And if you go for the Ikea one as recommended in the article, it's just going to be a matter of time until their shareholders will want to see those sweet recurring bucks too. You need a truly open ecosystem to avoid that from happening.

>>rpgwai+h1
I don't think that's really fair - the recommended way to run Home Assistant is to run HA OS (on a VM or dedicated machine, like a Raspberry Pi), or to run it in a Docker container.

The "Supervised" installation (i.e. installing Home Assistant on top of an existing Linux install) is doable, but not preferred.

https://www.home-assistant.io/installation/

>>h2odra+U1
The idea is that you give it root on a VM or on a docker container.

You don't give it root on your desktop linux system you do all your sensitive stuff on of course. That makes zero sense. Home assistant really runs great even on a cheap raspberry pi if you don't have a VM- or dockerserver.

>>johnma+X4
Iirc they explicitly say don’t / recommend against it. I mean I still did but it definitely isn’t the way most people will install it at all

>>wkat42+f5
thus "sacrificial toy boxes"

also, your faith in "VM" insulation appaears greater than mine. if i dont trust a VM i dont trust the host running the VM.

others have different opinions and that's ok. my systems run to my standards, however quirky they may be. im stating opinion here, not attempting to inscribe Sysadmin Commandments. them's written on the wall of the bathroom stall.

edit: just for reference, the last cpu i could say i trusted was before speculative execution was a feature. since then its more about risk mitigation. i'm not paranoid, there's people worse than me, and they're nuts. I'm just cautious and lazy.

>>h2odra+X8
If you don’t trust your hypervisor, buy a pi or cheap nuc, but also your hypervisor being 0day’d is probably far less likely than one of the thousands of apps in $PATH being compromised or malicious.

>>wkat42+V4
Ikea is at least privately owned - Philips is not. One could hope that they stay the course.

>>rpgwai+h1
Meanwhile on Windows, everyone gives admin rights to random installers without batting an eye.

>>spyke1+ub
Yes but with open software and hardware you don't have to hope.

Companies are always going to want more and enshittification is pretty much inevitable.

The reason Ikea isn't in such a hurry because their Tradfri range is a very minor part of their business whereas for Signify (not Philips! They sold it years ago) Hue is their bread and butter product.

>>h2odra+X8
I understand not fully trusting docker, you have to trust several levels of kernel features and configuration, plus it shits all over your firewall like it owns the place.

Real virtualization is a bit more airtight, though. There have been some escape exploits but they all abused drivers that you wouldn't use heedless (shared folders, VGA, PCIe passthrough), not the virtualization layer. But that's a distinction without a different, really, so good on you for being careful!

>>h2odra+X8
Home assistant isn't malware, it's a major open source project that is well understood.

This isn't some binary you downloaded from a Russian forum. VM isolation is more than enough.

>>katbyt+n7
We tried, but the community wanted to keep the installation method, so we kept it around.

>>Beingl+81
It's confusing because the OP is referring to a pipe to bash method as if it's a recommended install method, which I can't seem to find anywhere on the HA installation page.

Yes there are security concerns with any home automation system, but if you run HA locally and only access it via a VPN like Tailscale you're probably safer than if you used any of the big name cloud first smart home providers. Even if you access it over the Nabu Casa site, because everything is ostensibly Local first your attack surface is always going to be quite minimal.

>>jmuguy+(OP)
Probably a misguided idea of security. There is nothing wrong with JS itself, in fact, as far as languages go, it is pretty secure due to the attention it gets by being what runs in web browsers.

As for "curl | sudo sh", yeah it looks scary, but it is not worse than downloading a .deb and then doing "sudo dpkg -i your.deb", or installing any downloaded binary on your machine for that matter. You may say something about signatures, but often, the public key you have to trust is on the same website you downloaded the .deb. In all these cases, TLS is the only thing protecting you. Going through a file you don't audit doesn't change anything, and in practice, almost no one does the audit, and few linux boxes have AV scanners.

Don't trust it? Run it a VM, container, or dedicated hardware, this is actually what they are suggesting.

>>wkat42+Ud
If it's so trustworthy, why do you even need a VM?

>>jmuguy+(OP)
Not OP, but the HA ownership experience is … rough at best. If what you want is something that Just Works, HA is not for you.

>>raman3+he
personally i did it because i like my servers to be debian & i wanted it to match all the other VMs i have running

so thanks for keeping it around :)

>>move-o+B2
My only issue with running HA with docker is when I restart the machine, the docker container starts before my ZigBee dongle shows up in /dev/, which means all ZigBee devices are not accessible until I restarted the container. I ended up patching the docker unit file to add 2 minutes delay, but the patch will be reverted next time docker updated. I wonder if there is a better way to fix this.

>>neuros+j82
Depending on your setup, you might be able to use docker-compose with depends on and a health check to start your containers in an order and to await the device availability.

>>wkat42+f5
The problem then becomes maintaining it - backing up the config, debugging errors, etc. I ran Home Assistant for a while with their docker method on an otherwise stable server. One day it just shit the bed out of the blue. I wasn't going to spend the time digging into its own bespoke Linux userland to figure out how to figure out what was wrong, and I wasn't going to pave over it and spend the time redoing my meager config. In my book, software that is going to be relied upon gets installed through a distro's package manager, and last time I checked Home Assistant's maintainers are actively opposed to that.

>>syndic+R
Current interest rates are moderate, and hopefully are the new normal if our society is to have any future. The past two decades have been extremely low rates. High is like 10-15%.

>>mindsl+Yu2
It’s high for any business that has been coasting through the cheap money era of the last 10 years

>>JohnFe+Yz1
Because it is a long running process, and it has plugins. Amd because both the container and the VM are premade, you don't even have to install, you just run them.

You can extend the container image with your own Dockerfile.