I would like to install this old-fashioned game on my Fedora 38 with Gnome 44 laptop,
but I don’t know how safe the
Third party ‘rpm-sphere’ repository is.
In
https://www.linuxfordevices.com/tutorials/linux/top-terminal-based-games
I saw this suggestion:
wget https://github.com/rpmsphere/noarch/raw/master/r/rpmsphere-release-36-1.noarch.rpm
sudo rpm -i rpmsphere-release-36-1.noarch.rpm
sudo dnf install ninvaders
The third party repo you’re adding is meant for Fedora 36, so I’m not sure if it will work.
There is always some risk with third party repositories (out of date or unsafe packages), I can’t comment if this one is safe or not.
Have you tried shippy? It’s in the repo.
sudo dnf install shippyis it a space invader like game?
does it work on the terminal?
Yes it’s a Space Invaders game. Nope it doesn’t run in the terminal.
But you could compile Ninvaderes from the source and run it without installing to your system if you are worried about safty.
RPM Sphere has been around for a long time, but the way they do things doesn’t inspire trust IMO.
They distribute source RPMs (SRPMs) in binary form on GitHub, but do not share the spec files in text form like everyone else. This discourages others from checking the spec files, as you have to download and unpack the SRPMs first. Their git history is useless as a result; every commit looks like this.
There’s also no information on how packages are built, no traceable steps from spec file to SRPM to RPM. You just get a bunch of SRPMs, a bunch of RPMs, and a big question mark in between. With Fedora, RPM Fusion, or Copr, you can review every build log and trace it to the exact commit of the source repo.
If you want to use a package from there regardless, I suggest you only download and install the specific package, and not install the repo. Or better, download the SRPM, check the spec file, and rebuild it yourself.
In general, don’t use rpm -i to install. Just use dnf install as usual; you can give it a filename, or even a URL so you don’t have to download first. Using dnf will keep a record in your transaction history (dnf history).
Speaking of shippy, the current maintainer has written about it on this forum.
SDL1 has aalib support. Fedora uses sdl12-compat now which mimics the SDL api but calls SDL2. It doesn’t have support for aalib. Shippy 1984 uses SDL2 but could compile SDL1 until I just recently removed that option. Unfortunately that means you are out of luck playing it on the terminal. It’s possible but probably easier to just build ninvaders and it might play better as well since it was designed with the terminal in mind.
I decided to check out the ninvaders package from RPM Sphere.
Here’s the SRPM: source/ninvaders-0.1.2-1.src.rpm at master · rpmsphere/source · GitHub
Download and unpack it:
wget https://github.com/rpmsphere/source/raw/master/n/ninvaders-0.1.2-1.src.rpm
mkdir ninvaders
cd ninvaders
rpm2cpio ../ninvaders-0.1.2-1.src.rpm | cpio -imdv
Inside you’ll find a spec file, source tarball, and a patch file. Here’s part of the spec file:
Name: ninvaders
Version: 0.1.2
...
URL: http://ninvaders.sourceforge.net/
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
It says the source is http://downloads.sourceforge.net/ninvaders/ninvaders-0.1.2.tar.bz2, which doesn’t exist. The latest version in the ninvaders SourceForge repo is 0.1.1 from 2003.
Fortunately, a search for ninvaders 0.1.2 turns up the site of the original author with a version 0.1.2 from 2022. On that site is an MD5 checksum, which matches the tarball in the SRPM.
$ md5sum ninvaders-0.1.2.tar.bz2
06001676a29efd0b7c538717f2c541f6 ninvaders-0.1.2.tar.bz2
So, the SRPM is ok, but it was not built with the Source0 automatically downloaded at build time (that is how the build systems used by Fedora, RPM Fusion, and Copr work). The 0.1.2 tarball was manually downloaded from the author’s site before building the SRPM.
If the spec file was shared openly in text form, this would be much easier to spot and correct.
Was the ninvaders-0.1.2 RPM built from this SRPM though? Probably, but we don’t know.
What version of Fedora was it built on? We don’t know. They don’t use the dist tag (e.g. fc38) like Fedora (they don’t have to, but it would be nice to have).
Since I’ve gotten this far, I decided to build ninvaders on Copr. I used the last version of the Fedora spec file from F31 (which the RPM Sphere spec file is also based on) and updated it to 0.1.2 with the correct URL.
Don’t take my word for it—you can review the source repo and the build logs before installing. Pagure even links the specific Copr build from a commit. Hopefully this demonstrates the benefits of using open systems over dumping binaries on GitHub 
By the way, there is a different 0.1.2 in the fork sf-refugees/ninvaders. This fork is used by the gentoo ninvaders package.
Other distro packages (Debian, Ubuntu, openSUSE, and the BSDs) seem to be using the original 0.1.1 with their own patches to fix building on modern systems.
I decided to try my debian VM. Looks like their SDL1 doesn’t have aalib support. Not that surprising since I doubt there is a lot of interest in using it. Looks like the copr ninvaders is better choice for your needs.
