Yt-dlp questions in relation to documentation and Whonix 18

Hello,

I am new to Whonix-Virtualbox 18 from Whonix-Virtualbox 17, and I am trying to learn the new system.

One of my main use cases for Whonix-Virtualbox is to watch and download youtube videos privately. The documentation at http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Yt-dlp recommends the following procedure.

sudo apt -t trixie-backports install yt-dlp

Instead of doing that, in Whonix-Virtualbox 17 I used python3-pip. This was because even the backport could take a few days to update, and YouTube could break things quickly due to their changes. Pip allowed me to get a more up-to-date version quicker. But in Whonix-Virtualbox 18, I am open to trying the trixie-backports method again.

But I am a little confused on how I should proceed from here, since the documentation does not address recent changes to yt-dlp. Now, in order to use this program with youtube, “you’ll need an external JS engine such as NodeJS for YouTube” - Debian -- Details of package yt-dlp in trixie-backports . This brings up several questions. First, is it safe to do this, or will the javascript challenges fingerprint me somehow?

Second, yt-dlp recommends that I use deno for the challenges ( EJS · yt-dlp/yt-dlp Wiki · GitHub ). But deno is not available from the debian trixie repository. Should I try using nodejs instead, or should I follow the method at Installation instead to download deno?

https://docs.deno.com/runtime/getting_started/installation/

Third, I am looking at Debian -- Details of package yt-dlp in trixie-backports , and I do not see any mention of yt-dlp-ejs being bundled in with the debian backport for yt-dlp. How do I see if it has been bundled in or not? By contrast, pip bundles yt-dlp-ejs in through the package yt-dlp[default].

Fourth, if I use pip, against the advice of http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Install_Software#Best_Practices, should I install and upgrade packages from the sysmaint session or the user session?

Fifth, I notice that systemcheck flags python3-pip as an unwanted package. But systemcheck does not flag pipx as an unwanted package. Is there a reason for this?

Valid questions. Something that started simple and was easy to document, use just turned into something seemingly very complex and time consuming.

Therefore this can longer be supported. Hence, unsupported.

Wiki page updated to add this notice just now.

Related search terms:

nodejs dependency risk

python pip dependency risk

pipx: I haven’t looked into it but if it if it internally uses or is similar to pip then it could have the same issues.

Would require research to answer that.

Since NodeJS runs locally, one of the worst risks coming to mind is:

Thank you for your help.

Yes, pipx is essentially pip, except it also automates the creation of python virtual environments.

The pipx project combines the functionality of both venv and pip. It may be necessary to install it first, either with a system package manager, or using pip, as detailed in the documentation.

From Installation - Streamlink 8.1.2 documentation

So it makes sense to list pipx as an undesired package.

yt-dlp recommends using deno instead of nodejs. According to EJS · yt-dlp/yt-dlp Wiki · GitHub

Code is run with restricted permissions (e.g, no file system or network access)

According to https://deno.com/

Deno is the open-source JavaScript runtime for the modern web.

A program run with Deno has no file, network, or environment access unless explicitly enabled.

So it is sandboxed, at least. I would guess that this would make it harder to fingerprint a VM.

However, debian does not package deno. Therefore if you want to use it, you have to install it via the instructions at Installation instead.

curl -fsSL https://deno.land/install.sh | sh

FWIW, it’s not necessary to install Deno all the way into the system to use it. One can simply download the zipped binary, extract it, and point yt-dlp to it.