Is the Copr package repository trustworthy?

I need the Synology Drive Client app for Fedora but Synology do not support Fedora - only Debian based distros. There is an unofficial build of the client for Fedora on Copr. I am very wary of adding third party repositories. I won’t even download binaries from GitHub repository releases as I know there is no guarantee those binaries were built from that source. (which in my opinion makes GitHub useless unless you are happy compiling everything yourself).

Is the Copr repo trustworthy? The specific one in question is (link omitted).

From the FAQ:

Is it safe to use Copr?

This is a two-part question.

  1. Can we trust Copr as a platform?

Copr is free software with its code publicly available for review by anyone. Internally, it uses the standard Fedora packaging toolset, and resulting repositories are signed. All Copr servers are deployed within Fedora infrastructure, and we work closely with the Fedora Infrastructure team.

  2. Can we trust the software available in Copr?

Only people with FAS accounts are allowed to create projects and build packages in Copr. That means that you can find out more information about each project owner and decide for yourself whether you find them trustworthy or not. You can also see how exactly each build was submitted, download its SRPM file, and validate the sources and spec file for yourself.


I take that as a firm “no”.

Yeah, the software on COPR does not go through the same checks as software in the main Fedora repositories—there’s no review process in the same way.

So, unless you trust the person that’s providing the COPR, or do your own review, you can’t be sure. They’re just packages that pretty much anyone with a Fedora account can create.

Yes, that’s not going to work for me. I only trust people on the internet I know in real life. Anyone else is just a name on a website, which means nothing else to me. So therefore I am not going to trust Copr just based on that. It’s the same reason I don’t trust GitHub. A lot of people using Linux go on about how great open source software is because you can review the code yourself. However, myself and the vast majority of others, I suspect, don’t have the time or inclination to want to do that. So effectively open source software becomes no better than closed source software in my eyes.

I trust Synology because that’s who make the hardware so I use their software on Windows but I am not going to trust a third party version of that software unless it has some stringent review process which it seems it doesn’t have unfortunately.

This leaves me with a dilemma because I absolutely need Synology Drive Client. It hadn’t even occurred to me that it wouldn’t be available until today when I finally got round to wanting to set it up. I came to Fedora after not finding a Debian based distro that I liked but now I’m stuck between a rock and a hard place. Sadly I just keep finding reasons to return to Windows.


I find this perplexing. You’re looking for an rpm package for a proprietary piece of software but you want to be able to trust that it’s built entirely from a particular version of source code?

Because the Synology Drive Client application is proprietary, and Synology hasn’t released the source code for that application, afaict. No matter where you find a binary package for it, you’ll be unable to verify that it’s built from any particular set of sources.

I’m having a hard time squaring that circle. Your requirements seem to be in conflict.
You need a proprietary application that has no source code availability but you also want to verify it’s built from a particular source. That is literally an impossible set of requirements to fulfill. If you don’t have access to the source, you can’t be sure any particular binary is built from that source.

Once you have identified for yourself that you need a proprietary application, you have to be okay with really trusting the vendor… in this case Synology… because you’re unlikely to be able to verify where that binary comes from.

And even if you did have access to the source, unless you can verify that the build is repeatable, you have a very hard time proving that undocumented build system differences do not materially impact the resulting binary. So it’s not just the source code you need access to, but you also need access to the build system, and we have zero information on Synology’s build system and absolutely no way to try to reproduce the build and verify a reproducible binary even if we had the source.

This particular copr package uses the vendor released binary deb as its source, extracts the contents and places them into an rpm package. It probably does a semi-reasonable job, maybe a close-to-optimal job, at repackaging the binary for Fedora. It may be possible to make it a little better, in that it could do a checksum or signature check on the binary, assuming Synology provides a signature or checksum file as part of its vendor releases. I don’t know; I haven’t looked.

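The checksum step the post above suggests, written out as an added example; this is not code from the original thread, from the EmixamPP Copr project, or from Synology. It constructs a minimal stand-in .deb in memory (the real Synology archive is not used and all package names and file contents are made up), parses the ar container the way dpkg-deb does, refuses to unpack anything unless the whole file matches a pinned SHA-256, and rejects absolute or `..` paths in the payload before extraction. The functions `build_sample_deb`, `parse_ar`, `is_intact` and `verify_and_list` are assumptions of this example, not part of any existing tool.

```python
"""Pin and verify a vendor .deb before repackaging its contents.

Added example: the .deb used here is a constructed stand-in built in memory
so the script runs offline; it is not the vendor's real package.
"""
import hashlib
import hmac
import io
import tarfile


def _ar_member(name: str, payload: bytes) -> bytes:
    """Encode one member of a classic ar archive (the container format of .deb)."""
    header = (
        f"{name:<16}"          # file name
        f"{0:<12}"             # mtime
        f"{0:<6}"              # uid
        f"{0:<6}"              # gid
        f"{100644:<8}"         # mode, octal as text
        f"{len(payload):<10}"  # size in bytes
        "`\n"                  # header magic
    ).encode("ascii")
    return header + payload + (b"\n" if len(payload) % 2 else b"")


def _tar(files: dict[str, bytes]) -> bytes:
    """Uncompressed tar with zero mtimes, so the sample .deb is byte-stable."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_deb() -> bytes:
    """Constructed stand-in for a vendor package; names and contents are made up."""
    control = _tar({"./control": b"Package: example-drive-client\nVersion: 1.0\n"})
    data = _tar({
        "./usr/bin/example-client": b"#!/bin/sh\necho example\n",
        "./usr/lib/example/libexample.so": b"\x7fELF\x02\x01\x01" + bytes(9),
    })
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar", control)
            + _ar_member("data.tar", data))


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def parse_ar(blob: bytes) -> dict[str, bytes]:
    """Split an ar archive into {member name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members: dict[str, bytes] = {}
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)  # members are 2-byte aligned
    return members


def is_intact(deb: bytes, pinned_sha256: str) -> bool:
    """Whole-file check against a checksum recorded when the package was first fetched."""
    return hmac.compare_digest(sha256_hex(deb), pinned_sha256)


def verify_and_list(deb: bytes, pinned_sha256: str) -> list[str]:
    """Refuse to unpack unless the archive matches the pin, then list payload files."""
    if not is_intact(deb, pinned_sha256):
        raise ValueError("checksum mismatch: vendor archive differs from the pinned one")
    members = parse_ar(deb)
    if members.get("debian-binary") != b"2.0\n":
        raise ValueError("unexpected .deb format version")
    data_name = next((n for n in members if n.startswith("data.tar")), None)
    if data_name is None:
        raise ValueError("no data.tar member in archive")
    files: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(members[data_name]), mode="r:*") as tf:
        for entry in tf:
            # Reject paths that would escape the build root before anything is written.
            if entry.name.startswith("/") or ".." in entry.name.split("/"):
                raise ValueError(f"unsafe path in payload: {entry.name}")
            if entry.isfile():
                files.append(entry.name.removeprefix("./"))
    return sorted(files)


if __name__ == "__main__":
    sample = build_sample_deb()
    pin = sha256_hex(sample)  # in a spec file this value would be hard-coded
    print("payload:", verify_and_list(sample, pin))
    print("tampered accepted?", is_intact(sample[:-1] + b"\x01", pin))
```

In a spec file the same idea is usually a hard-coded digest checked with `sha256sum -c` in `%prep`. Note the limit of the check: a pinned checksum only proves that the build used the same bytes the packager downloaded once, not that those bytes came from the vendor; a vendor-published signature, if one exists, is the stronger check.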

No, ideally I want Synology to provide a .rpm alongside their .deb version. I trust Synology as I’m using their hardware. As Synology don’t provide an rpm, the only other acceptable solution to me would have been another trusted repo that provides that deb from Synology as an rpm that works on Fedora. However, it would appear that Copr is not that and that it is not possible to be 100% confident that those binaries have not been taken from Synology and manipulated in any way.

I note there is also a Flatpak version of Synology Drive Client but that is going to be the same issue I assume.

I’m still having a problem understanding what you mean when you say trusted.

Regardless, you can always spin up your own copr repo and maintain your own variant of the same specfile if you want the assurance. You can even fork the GitHub repo that feeds this copr into your own GitHub repo as a source of truth for your copr repo. We’re basically talking about an rpm specfile, and this one isn’t even that complex since it’s just rebundling existing vendor binaries.

If you can’t trust yourself, who can you trust?

When I read this the first thing I thought of was Sony and their Windows drivers for their own hardware. Personally I’d not put absolute trust in anything I didn’t write myself, but one has to draw the line somewhere, balancing a forensic examination against ease of use. I don’t check the Kernel source (often) but I use it all the time. On the other hand I could check it if I so desired.

I have a Synology NAS myself, and I use it with Linux without any issues, and with no Synology (or any other) apps installed for it. I assume this Drive Client app is some kind of self-hosted dropbox/oneDrive/Gdrive application - is that correct? Perhaps we can find something which performs the same functionality and doesn’t require some specific proprietary binaries.

  1. The developer has to write “Unofficial RPM” because Synology does not have an RPM version.
    1.1 This shows how much Synology cares about their clients and about their freedom of choice.

  2. The Developer is respecting the Copyright and mentioned it.

  3. He asked for authorization to make an rpm package and makes it available for several Linux Versions and Users.

  4. Since the package provided by FlatHub is not 100% functional and the method of converting deb to rpm with Alien requires a lot of manipulation, I (EmixamPP) decided to create myself a clean and 100% functional RPM package for Synology Drive Client.

Description

Unofficial RPM package of Synology Drive Client

Therefore, this RPM package is not verified by, affiliated with, or supported by Synology Inc.

Synology Drive Client is registered under the copyright of Synology Inc.

This project has been authorized by Synology Inc.

GitHub repository: GitHub - EmixamPP/synology-drive: Unofficial RPM package of Synology Drive Client

Synology’s software is based on Linux.


In my opinion that is enough reason to use the software and copr if I already had such a device at home.

A 100% guarantee of security does not exist. To me it looks like a fair alternative to what Synology is not offering. If there are problems, I believe enough people keep an eye on it and would report them.

p.s.
Almost forgot: if you like the software and it is useful to you, consider supporting the developer!

One of the things I do if software is only available for $insert_distro_here when I am on $other_distro is to spin up a Distrobox and install the software in its native distribution. I think that would work for you here.

For example, you could set up a Debian-based distrobox pretty easily on Fedora (distrobox create -i debian:trixie -n synology) and then install the client in that. (This is probably also doable in Toolbx.) No need to go back to Windows or worry about whether a specific Copr repo is trustworthy or not.

And drop a line to Synology to tell them, “Hey, you do have users on Fedora, you know…”
