| ▲ | Wowfunhappy 12 hours ago | ||||||||||||||||||||||
> The JS script being downloaded is from the yt-dlp GitHub organization I meant the challenge that is the reason they need the Javascript in the first place. You can’t very well run yt-dlp without trusting yt-dlp code. | |||||||||||||||||||||||
| ▲ | embedding-shape 11 hours ago | parent [-] | ||||||||||||||||||||||
The original point was this: > > IMO it seems like it should safe to trust code being served by Google on the official Youtube domain Which came from a misunderstanding about where the downloadable solver script comes from, as it doesn't come from youtube.com, it comes from github.com (yt-dlp org), I was just correcting that misunderstanding. > You can’t very well run yt-dlp without trusting yt-dlp code. That makes a ton of sense and I agree! I'm not sure how that is related to anything though? I download yt-dlp from Arch repositories, so yes I'm trusting Arch maintainers and of course yt-dlp developers. Then I'm adding a manifest which controls what this application can actually access, which is basically a VM config, where I define that it can access youtube.com (and a bunch of other sites I mirror/archive). This is the part that shouldn't have github.com/* access. Again as mentioned, not a big issue, plenty of workarounds, so not the end of the world. | |||||||||||||||||||||||
| |||||||||||||||||||||||