
Comment by dspillett

7 hours ago

> What environment are you using that:
> - Has access to Youtube
> - Can run Python code
> - Can’t run JS code

They didn't say “can't run JS code”, but that from that location the solver could not be downloaded currently. It could be that it is an IPv6-only environment (IIRC youtube supports IPv6 but github does not), or just that all external sites must be assessed before being whitelisted (I'm not sure why youtube would be but not github, but it is certainly possible).

It's just me being paranoid after seeing npm/pypi supply chain attacks, and since then I basically run most software touching the internet in a VM one way or another.

I think in this case, my own laziness is what makes it worse than it has to be; currently I'm doing whitelisting by domains, so youtube.com for the yt-dlp runner is obviously OK, and I'd want to avoid whitelisting github.com for that, since it's just downloading one JS file.

For now manually copying the config file into my SCM or just whitelisting GitHub for initial download does the trick. I guess I just had to squeeze in one complaint in my previous comment so I could get the HN stamp of approval, can't be too positive.

  • You could serve the files yourself from a server populated by updating them from github after review. You'd need to either sign the domain with your own CA that the host running yt-dlp trusts, or patch yt-dlp to use a different server name, but neither of those steps should be too onerous.

  • It's not paranoid, it's more attack surface that doesn't need to be there.

    Happy to read and learn more about the setups you've found helpful to do this.
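The "serve the files yourself after review" setup suggested above can be reduced to a small staging step: a fetched copy of the helper file is only written into the local mirror's directory when its hash matches one a reviewer has already approved, and anything else is held back with a diff for the reviewer to look at. The following Python is an added example written for this thread, not code from yt-dlp or from any commenter; the file name `solver.js`, the manifest layout and the file contents are constructed for illustration.

```python
"""Stage a third-party helper file into a local mirror only after it matches a reviewed hash."""
import difflib
import hashlib
from pathlib import Path

# Constructed sample contents: the previously reviewed version of a hypothetical
# helper file and two "newly fetched" candidates (one identical, one changed).
REVIEWED = b"function solve(n) { return n * 2; }\n"
FETCHED_SAME = REVIEWED
FETCHED_CHANGED = b"function solve(n) { fetch('https://example.invalid/x'); return n * 2; }\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file bytes; this is what the manifest pins."""
    return hashlib.sha256(data).hexdigest()


# Manifest of files approved for serving: file name -> SHA-256 of the reviewed content.
# In practice it would live in the SCM next to the mirror; this one is constructed here.
MANIFEST = {"solver.js": sha256_hex(REVIEWED)}


def stage(name: str, data: bytes, manifest: dict, staging_dir: Path) -> str:
    """Write `data` into the mirror's staging directory only if its hash is pinned.

    Returns "staged", "unknown-file" (no manifest entry at all) or
    "hash-mismatch" (content differs from the reviewed version).
    """
    expected = manifest.get(name)
    if expected is None:
        return "unknown-file"
    if sha256_hex(data) != expected:
        # Held back: the reviewer must look at the diff and update the manifest first.
        return "hash-mismatch"
    staging_dir.mkdir(parents=True, exist_ok=True)
    (staging_dir / name).write_bytes(data)
    return "staged"


def review_diff(old: bytes, new: bytes, name: str) -> str:
    """Unified diff between the reviewed and fetched versions, for the reviewer to read."""
    return "".join(difflib.unified_diff(
        old.decode().splitlines(keepends=True),
        new.decode().splitlines(keepends=True),
        fromfile=f"reviewed/{name}",
        tofile=f"fetched/{name}",
    ))


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        print(stage("solver.js", FETCHED_SAME, MANIFEST, Path(d)))      # staged
        print(stage("solver.js", FETCHED_CHANGED, MANIFEST, Path(d)))   # hash-mismatch
        print(review_diff(REVIEWED, FETCHED_CHANGED, "solver.js"))
```

The fetch itself is deliberately left out: whatever pulls the file from github runs on the reviewing host, and only `stage` decides what reaches the directory the yt-dlp host is pointed at, so a changed upstream file never becomes servable without a manifest update committed by a person.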

I've just hit the IPv6 problem. I routinely use yt-dlp -6 to cycle through my (basically infinite) set of IPv6 addresses. However, when you do this, it tries the github EJS download over IPv6, which fails as github doesn't support IPv6 (because it's still the year 2000 over there).

Actually I think this is kind of a yt-dlp bug, since it doesn't need to use IPv6 for the github download.