Rachel Kroll
In short: I should have looked at my notes instead of relying purely on my memory of a random event from four years ago.
Right, so, the other day I wrote a post eviscerating the Philips (Signify) Hue situation, in which they are heading full steam into enshittification. I said that I didn't want to use Home Assistant becuase of Javascript and a "curl | sh" attitude.
Yeah, that's where I screwed up. That's not them. That's actually Homebridge, aka homebridge.io.
People have been commenting that HA is Python, not JS, or something like that. I had to go back to my notes from January 2019 to set this straight, and, well, they go like this:
I was trying to find a way to run some existing "real" security cameras without going full-on cloud mayhem. The users in question wanted to see it in the HomeKit ecosystem, so I went looking for solutions of that sort. The idea was to get this thing running, document the protocol, and then figure out if I could do it some other way.
So I end up on their wiki for installing this on a Raspberry Pi. At that point, I had one just sitting around collecting dust, and figured "what's the harm in trying". First thing up, they wanted me to "curl some-url | sudo bash".
Hell no, I'm not doing that. There are so many things wrong with that philosophy. The whole point of cutting actual releases is that you get people to cluster around a handful of known "artifacts" (you know, tarballs and the like), and then you can work up some kind of reputation based on that. If that actual release ends up in some distribution like Debian, you can be sure that exact version is being seen by a fair number of people.
curl | sh basically says "I don't give a damn" and "give me whatever you want" at the same time.
I figured I could at least grab the script, read it, and parse it myself, then run the commands by hand. This meant I had to add their apt repository. Ugh. First up? "apt-get install -y nodejs" ... oh boy.
But wait, no, then it went on from there.
I tried "npm install -g homebridge" but that wasn't happening. It wouldn't go until I added "--unsafe-perm". Oh, gee, that's not sketchy *at all*.
At this point I was glad this was all happening on what was effectively a throwaway machine. It did get installed, and started up, then displayed a QR code, and once past a few warnings, it did in fact show up in Homekit.
Of course, without plugins, it wouldn't do anything, so that meant going back for MORE node stuff. I found 72 pages of them on npmjs.com.
I picked something really stupid to export a temperature value as a test. I put a config stanza in config.json to try to activate it, and nope, it started dying. So I took the config-sample.json and copied that in its place, and that much worked, and told me what I needed to do: the blob of JSON crap from the plugin's page is supposed to be an entry in the accessories array of the config.json. That was not at all obvious.
I didn't want to do much more with this, and that's about where it ended.
So, yeah, bagging on Home Assistant for being JS and making you install it with sketchy curl pipelines? That was a mistake. I got it mixed up in my head with Homebridge based on something I did four years ago.
I loaded up the HA page on github, and oh hey, Python.
Mmm, yeah. Righto. Okay then.
How about them Knicks?