Conversation

man this is crazy. such a valuable project, such a weird choice to write it in python instead of javascript

also weird to only support deno and not node

WARNING: [youtube] No supported JavaScript runtime could be found. Only deno is enabled by default; to use another runtime add --js-runtimes RUNTIME[:PATH] to your command/config. YouTube extraction without a JS runtime has been deprecated, and some formats may be missing. See https://github.com/yt-dlp/yt-dlp/wiki/EJS for details on installing one

4
0
0

@andrewrk is it because deno sandboxes the code by default and node lets anybody do anything they want with basically no way to restrict anything you're evaluating?

1
0
0
@whitequark @andrewrk yes. node is supported and you can use it if you really want to, but it's not secure to do so
1
0
1

@noisytoot @andrewrk as for why it's in python, i believe it's path dependence: as far as i know, when it was started, JS challenges weren't really a thing, and even when they were added you didn't need a full JS runtime for a pretty long time

by that point yt-dlp already had a massive userbase

1
0
1
@whitequark @andrewrk I'm not sure how being written in JS would help with JS challenges anyway. just eval-ing them would be a terrible idea even if it was written in JS
1
0
0

@noisytoot @andrewrk i don't see a problem with evaling them in an isolated v8::Context without any of the system APIs, the browser is doing the same thing after all

1
0
0
@whitequark @andrewrk is that much easier to do from JS than from another language?
1
0
0

@noisytoot @andrewrk only in the sense that if you need to carry around a full-featured language runtime you might as well use it for other things if it lets you do that. node doesn't for sticky architectural reasons i don't fully understand. deno does

1
0
0

@noisytoot @andrewrk personally i would compile a js engine to wasm and plug in wasmtime because it saves most of your userbase having to install node, deno, or whatever else (assuming you don't want to rewrite yt-dlp from scratch). but i'm weird

1
0
0

@whitequark @noisytoot

NOT WEIRD!! this is my ideal as an application developer (i.e. music player) trying to embed yt-dlp

1
0
0

@andrewrk @noisytoot i.e. you'd rather depend on a python application that pulls in wasmtime + some wasm blob than a python application that requires system deno/node/etc?

2
0
0

@whitequark @noisytoot

umm sorry I thought you meant the yt-dlp developers shipping a wasm blob rather than shipping something that requires access to python runtime, posix environment, and js runtime

but yes *my* goal is to reduce the difficulty of installation/maintenance of my application to the point that non technical users can do it. that means aggressive elimination of system dependencies, including stuff like dynamic glibc linking, dynamic zlib, etc

2
0
0

@whitequark @noisytoot

in order to make yt-dlp work without the user being in charge of installing it, it means my application has to provide the runtime environment for it.

this is why I put a static cpython inside my application binary so I could run yt-dlp releases without any system dependence whatsoever.

but that stopped working when they added a js runtime requirement. so now my music player has to ship js runtime *and* python runtime. sheesh!

0
0
0

@andrewrk i prefer deno over node for a tons of reasons and i am one of those who loved node since its inception. Python choice is probably because well, pip on windows, i will never understand why anybody would chose python at all for anything.

0
2
0

@andrewrk @noisytoot (wasmtime works under windows very well which is why i use it; so it'd be just python then)

1
0
0

@andrewrk @noisytoot this is how yowasp.org works and also the same principle is how i started using zig :)

0
0
0

@dch @whitequark @noisytoot

I mean yeah it's a basically pirate ship battle. Ahoy matey!! Fire the canons!

0
0
1

@andrewrk

As for only supporting deno by default...
It was some brain washing by deno investors or marketing department from what I understood.

They had an argument that it is for sandboxing, but it is a bullshit argument, as permissions system is not a sandboxing mechanism and is trivial to misuse.

And, they literally have v8 sandbox disabled in deno because deno developers are buffoons, same sandbox that AI tech bros disable in those claude mythos fake news and then find 67 vulnerabilities, and ofc deno doesn't have anything similar to chrome sandbox (i.e. no namespaces for isolation, no seccomp, etc).

That is not even talking about the fact that node has permission system now too, and unlike deno they don't lie about what it is for.

> The permission model implements a "seat belt" approach, which prevents trusted code from unintentionally changing files or using resources that access has not explicitly been granted to. It does not provide security guarantees in the presence of malicious code. Malicious code can bypass the permission model and execute arbitrary code without the restrictions imposed by the permission model.

And, they don't even need a full blown js runtime env anyways, just using a plain v8 would be objectively better for security and bundle size (v8 is approx 120mb smaller compared to deno).

But it is what it is.
To say, I'm not exactly happy about that fact.

I think something like this https://github.com/yt-dlp/yt-dlp/pull/15041
would be quite a bit smaller, and as it is being directly linked maybe would be easier to ship it as you want without shipping multiple binaries, though not sure if it even works at all.

Hopefully they will reconsider their deno choice in the future.

1
1
0

@andrewrk The project greatly predates when YT started cracking down on external downloaders w/ JS challenges. I suspect at some point yt-dlp will became a complete headless browser, with the CLI only maintained for the existing userbase.

0
0
0

@kanashimia

ideally for me a downstream consumer, they would ship a wasm blob that had extern function calls to networking primitives, transcoding, javascript engine, etc, and let the application satisfy those dependencies however it sees fit.

and then sure they can ship a python/deno frankenstein monster that satisfies those dependencies, which I could just completely ignore.

in other words the value provided by the project is the human labor of fighting google's constantly changing website

1
0
0

@kanashimia maybe I'll set this up as a proof of concept and see if I can nerd snipe anyone into maintaining it

0
0
0