Ever wonder why we should use software directly from the developer’s official distribution channel whenever possible? We can learn from the recent Snap Store incidents:
- A fake Exodus wallet app made it into the store and scammed an investor out of 9 BTC (worth around $490K at the time). Another incident followed shortly after the first. It's a mess nonetheless.
- As we can see, the sandboxing security of Snap didn’t help. This is why we should only use the official apps when it’s possible, as this could’ve happened to any store, Flathub, Play Store, App Store, etc. In fact, it already happened on App Store [1], [2] and Microsoft Store [3] recently.
The level of trust
App Developer
Sure, if we can’t trust developers, we shouldn’t use their apps at all. But if we decide to use their apps, it means we must only download the apps from them, unless we prefer to get ourselves scammed. Therefore, this should be our 101 security practice.
This is not only about security: using the official build also makes debugging a lot less painful for the upstream developers.
System
We can’t possibly get everything directly from the original developers, e.g. apps, packages, drivers, or even the Linux kernel. It’s undeniable that choosing a Linux distro wisely is a very important part of our threat model. Therefore, your distro’s main/default repos (excluding community-maintained repos such as the AUR or home projects on OBS) are probably safe enough to use. At the very least, they shouldn’t introduce more risk, since you already trust the kernel from them.
Third-party / unverified / community maintained
Unless we have no other choice, this channel should be avoided at all costs.
The good thing about mpv over other video players is that it plays HDR videos nicely on my SDR monitors and projectors. Without further ado, let’s see how to install mpv, my favorite video player, using the official build (Arch package) on any Linux distro.
Distrobox
Yes, we can install mpv for Arch (official package) on any Linux distro using a rootless Distrobox container. We’ll install mpv in an Arch container using the official Arch Docker image.
I will use the command line in this walkthrough. You can use BoxBuddy if you prefer a GUI for the container’s creation process. But that’s about it. The app is pretty much bare-bones currently. In the end, you’ll have to use the command line to set up everything inside the container. Therefore, have your terminal ready!
Note, I use openSUSE Tumbleweed. Therefore, I will use the zypper command in this walkthrough. Please change the command according to your distro's package manager.
👉️ Table of contents:
- Preparing the Container
- Install mpv
- Enable Video Hardware Acceleration
- Exporting the App
- Automatically Update the App
1. Preparing the Container
1.1. Install Distrobox and Podman on the Host
sudo zypper install distrobox podman
1.2. Configure Distrobox to use Podman
mkdir -p ~/.config/distrobox && echo 'container_manager="podman"' > ~/.config/distrobox/distrobox.conf
You can see more of the config options on the official repo.
1.3. Create a New Distrobox Container for mpv
distrobox create -i docker.io/library/archlinux:latest -n mpv-dbx -H ~/distrobox/mpv-dbx --additional-packages "adwaita-cursors"
distrobox create is used to create a Distrobox container. See the docs for all the usages.
1.4. Prepare the Packages Inside the Container
Update All the Packages
sudo pacman -Syu
When it asks which DBus you want to use, I recommend dbus-broker over dbus-daemon, as it’s the new default DBus on Arch now.
Install GPU Video Acceleration Driver for Your GPU
For example, VA-API drivers for Intel GPUs:
sudo pacman -S intel-media-driver libva-utils
2. Install mpv
sudo pacman -S mpv
It will ask which jack you want to use, between jack and pipewire-jack. You can choose pipewire-jack.
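A check that fits the trust argument above, as an added example that is not part of the original post: it reads `pacman -Qi` output and lists every installed package that pacman did not validate by signature. The sample records and the package name `example-local-build` are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit pacman's local database
# for packages that were not validated by signature at install time.

# Reads `pacman -Qi` output on stdin and prints "name<TAB>validation" for
# every package whose "Validated By" field does not include "Signature".
unsigned_packages() {
    awk -F' *: ' '
        $1 == "Name"         { name = $2 }
        $1 == "Validated By" { if ($2 !~ /Signature/) print name "\t" $2 }
    '
}

# Succeeds only when every package read from stdin was signature-validated.
all_signed() {
    [ -z "$(unsigned_packages)" ]
}

# Constructed sample in `pacman -Qi` layout (trimmed to the relevant fields).
# "example-local-build" is a made-up name standing in for a package that was
# installed with `pacman -U` from a locally built file.
SAMPLE=$(cat <<'EOF'
Name            : mpv
Version         : 0.0.0-1
Packager        : Example Packager <packager@example.org>
Validated By    : Signature

Name            : example-local-build
Version         : 0.0.0-1
Packager        : Unknown Packager
Validated By    : None
EOF
)

# Demo on the constructed sample: prints only the unsigned package.
printf '%s\n' "$SAMPLE" | unsigned_packages
```

Inside the container, the real input is `pacman -Qi | unsigned_packages`. `pacman -Qm` additionally lists installed packages that are not in any configured repository.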
3. Enable Video Hardware Acceleration
Create a config file at ~/.config/mpv/mpv.conf (in the container), as shown below:
# enable video hardware acceleration
hwdec=auto
# optional options
vo=gpu-next
tone-mapping=reinhard
ao=pipewire
sub-back-color=0.0/0.0/0.0/0.75
sub-auto=fuzzy
- I put vo=gpu-next option to use the new GPU backend, which is supposed to be a lot faster than the current default.
- I put tone-mapping=reinhard to enable tone mapping from HDR to SDR on my SDR projector. There are many tone mappings available, but I like this one the most.
- I put ao=pipewire option to use PipeWire audio driver.
- I put sub-back-color=0.0/0.0/0.0/0.75 option to make some subtitles easier to see.
- I put sub-auto=fuzzy option to make mpv scan for separated subtitle files, even if they don't have exactly the same filenames as the video file. You can try to enable this option if mpv can't find your subtitles.
You can see all the available config options from the official mpv manual.
4. Exporting the App
distrobox-export -a mpv
By exporting the app, it can be set as your default video player. You can also open any video with the app. No one would notice that it's installed in the container. This is the system integration power of Distrobox!
5. Automatically Update the App
We can use systemd's service and timer to update/upgrade all Distrobox's containers like this:
dbx-upgrade.service
[Unit]
Description=Upgrade all rootless Distrobox containers.
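# /run/user/1000 is the runtime directory of UID 1000; change it if `id -u` prints a different number.
RequiresMountsFor=/run/user/1000/containers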
[Service]
Type=exec
ExecStart=-bash -c "distrobox-upgrade --all"
Restart=on-failure
RestartSec=60
TimeoutStopSec=5min
# RemainAfterExit is left unset: a service that stays active after exiting is started by a repeating timer only once.
Save this file as ~/.config/systemd/user/dbx-upgrade.service.
dbx-upgrade.timer
[Unit]
Description=Run distrobox-upgrade --all daily.
[Timer]
OnCalendar=daily
RandomizedDelaySec=5min
Persistent=true
[Install]
WantedBy=timers.target
Save this file as ~/.config/systemd/user/dbx-upgrade.timer.
Enable the Timer
systemctl --user daemon-reload && systemctl --user enable dbx-upgrade.timer
Cover Photo by Denisse Leon on Unsplash
Top comments (1)
Thanks for the article. Really helpful.
Cheers.