echo: rberrypi
to: MARKUS ROBERT KESSLER
from: JONATHAN N. LITTLE
date: 2019-05-09 15:08:00
subject: Re: Security aspects Clos

Markus Robert Kessler wrote:
> Am Wed, 08 May 2019 17:27:45 -0400 schrieb Jonathan N. Little:
>
>> Markus Robert Kessler wrote:
>>> Dear all,
>>>
>>> during the last days I tried to install a Printer / Fax from HP
>>> (M127fn) on several different platforms.
>>>
>>> On every OS it seems the same: You can only get these printers to work
>>> when installing a mandatory proprietary "plugin". This plugin
>>> originally comes from HP and you will never see the sources. It's just
>>> a binary "run" file which you may trust and invoke, or not.
>>>
>>> As if this was not bad enough, the run file seems to have moved to a
>>> different location some days ago, and, hence, on e.g. Mageia 6
>>> installation failed completely, and on Raspbian Stretch I had to do an
>>> "apt-get update" prior to being able to proceed.
>>>
>>> But even after that I got complaints about not fitting pgp checks and
>>> had to continue even though the plugin potentially was manipulated.
>>>
>>> So, at least, this has nothing to do with OpenSource philosophy.
>>>
>>> I am wondering why so many people running Linux for higher security,
>>> are nevertheless agreeing on having non-OpenSource components like this
>>> on their machines.
>>>
>>> - Has anyone found out, what this "plugin" exactly does? And, to which
>>> locations the installer ("run file") writes or modifies files?
>>>
>>> - Are there alternatives as true Open Source drivers?
>>> I know that high end laser printers can be accessed via PCL or PS
>>> protocol, but not so with HP Fax Lasers.
>>>
>>> Any ideas highly appreciated!
>>>
>>> Best regards,
>>
>> They are compressed archives and inside are associated PPDs and some
>> shared object libraries. The plugin adds support for "Windows" printers
>> and other functions like fax and scanner on MFP. If you buy some
>> spankin' new model from the store the in repo version of hplip may not
>> support that model, but grabbing the latest from
>>
>> 
>>
>> will get you up and running.
>
> Hi,
>
> I try to figure out how to trace what such a "run file" is doing exactly.
>
> At least this one has to be run as root (and terminates if not). So,
> spying on it is not so easy. Especially if such closed-source binaries
> are using "stealth" techniques or try to manipulate the tracing process
> itself.
>
> Well, one could use a fresh install, as slim as possible, do an md5sum
> for every file on disk, before and after installation. And then compare
> the md5 lists. Alas, that would mean that you also find tons of files
> that are changed or newly created by the OS anyway.
>
> Same, when using a (VirtualBox) VM.
>
> Any better way?
>
> Thanks,
> best regards,

When you run the runfile for example:

sh ./hplip-3.19.3.run

it unpacks source files to directory

./hplip-3.19.3

Then it installs any missing packages, python, buildtools, and other
dependencies, and installs the driver and toolbox utility on your
system. The installer does not remove this build directory. You are
welcome to peruse through it and discover there is nothing nefarious
going on. If HP wanted to be evil they would erase the evidence, no?

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | FidoUsenet Gateway (3:770/3)
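
The before/after checksum comparison raised in the quoted question, as an added example that is not part of the original posts: it records a manifest of every regular file, then reports added, modified and deleted paths while dropping directories the OS rewrites on its own. It uses sha256sum in place of md5sum; the names snapshot, manifest_diff and NOISE_RE, the noise list and the /mnt/usb path are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, NOISE_RE and /mnt/usb
# are assumptions for illustration.
#
# Usage (as root, on a fresh install or VM; keep the manifests on another
# filesystem, which -xdev skips, so they do not show up as changes):
#   snapshot / /mnt/usb/before.txt
#   sh ./hplip-3.19.3.run
#   snapshot / /mnt/usb/after.txt
#   manifest_diff /mnt/usb/before.txt /mnt/usb/after.txt

# Paths that change without any installer running (constructed default;
# tune it for the distribution under test).
NOISE_RE='^(/proc|/sys|/dev|/run|/tmp|/var/log|/var/cache|/var/lib/apt)(/|$)'

# snapshot ROOT OUT: write "sha256  path" for every regular file under ROOT,
# staying on one filesystem, sorted by path.
snapshot() {
    find "$1" -xdev -type f -print0 2>/dev/null |
        xargs -0 -r sha256sum 2>/dev/null |
        sort -k2 > "$2"
}

# manifest_diff BEFORE AFTER: print "A path" (added), "M path" (content
# changed) and "D path" (deleted), ignoring paths that match NOISE_RE.
manifest_diff() {
    awk -v noise="$NOISE_RE" '
        # sha256sum lines are 64 hex chars, two separator chars, then the path
        { h = substr($0, 1, 64); p = substr($0, 67) }
        p ~ noise { next }
        FILENAME == ARGV[1] { before[p] = h; next }
        {
            seen[p] = 1
            if (!(p in before)) print "A " p
            else if (before[p] != h) print "M " p
        }
        END { for (p in before) if (!(p in seen)) print "D " p }
    ' "$1" "$2" | sort
}
```

A hash manifest shows which files changed, not what the installer did while running, and it misses changes that are reverted before the second snapshot.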

SOURCE: echomail via QWK@docsplace.org
