
Security of workflow updates



Is there a way to get notified of workflow automatic updates, and to easily see the changes in a diff? I'm worried about enabling Full Disk Access for Alfred if a malicious actor could update a workflow at any time to start grabbing arbitrary local data from those that have installed it and enabled FDA.


@alvred If you have any concerns about the security of workflows, you can opt to use workflows from Alfred Gallery only:

https://alfred.app

 

These workflows are reviewed and assessed before being added to the Gallery. You'll find more details about this here:

https://alfred.app/security-and-privacy/

 

When a workflow has an update available, you'll see an icon (arrow pointing up) letting you know that an update is available. For the majority of workflows, the code can be read openly, so if you use a diff tool like Kaleidoscope, you can take a look at the code changes between versions. Workflows that have compiled apps within them are identified as such in the Gallery.

 

If you have a question about a specific workflow, don't hesitate to ask in the relevant forum thread and we'll help you understand what a workflow does :)

 

Cheers,
Vero

Posted (edited)

There are quite a few non-Gallery third-party workflows that are useful enough that not using them entirely is not an option for me.

 

I found this page on updates in the docs but I'm having trouble understanding it

 

At the top it says "Add self-updating capabilities to your workflow. It regularly (every day by default) fetches the latest releases from the specified GitHub repository and then asks the user if they want to update the workflow if a newer version is available." and later it says "Alfred-Workflow will automatically check in the background if a newer version of your workflow is available, but will not automatically inform the user nor download and install the update." This seems to imply that I can be sure that no workflows I add will ever update without my knowledge.

 

However, under the "Usage" and "Under the Hood" sections it says "... or you could roll your own update handling using Workflow.update_available and Workflow.start_update() to check for and install newer versions respectively." and "Workflow.start_update() returns False if no update is available, or if one is, it will return True, then download the newer version and tell Alfred to install it in the background.", which seem to contradict the earlier statements. In this case what would I do to see if any scripts are auto-fetching/installing updates in the background? Would I just go through all the "Run Scripts" or "Script Filter" elements in a given workflow's graph and check if the code contains the "start_update()" function?

 

Edited by alvred
mistakenly cited unofficial docs page
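A defender-side check along the lines alvred describes, added here as an example (it is not code from this thread, from Alfred or from Alfred-Workflow): it reads a workflow folder's info.plist, pulls the inline scripts out of Script Filter and Run Script nodes, also scans script files shipped in the folder, and reports every call to the Alfred-Workflow start_update() installer. The Alfred object type names and the config "script" key are assumptions about the workflow file format, and the sample workflow it scans is constructed for the demo.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Assumed Alfred canvas object types whose config "script" field carries inline code.
SCRIPT_OBJECT_TYPES = {"alfred.workflow.input.scriptfilter", "alfred.workflow.action.script"}
# Alfred-Workflow's install call; reading update_available alone does not install anything.
UPDATE_CALL = re.compile(r"\bstart_update\s*\(")


def find_update_calls(workflow_dir):
    """Return (location, match) pairs for every start_update( call in one workflow folder."""
    workflow_dir = Path(workflow_dir)
    hits = []
    plist = plistlib.loads((workflow_dir / "info.plist").read_bytes())
    for obj in plist.get("objects", []):  # one entry per node on the workflow canvas
        if obj.get("type") in SCRIPT_OBJECT_TYPES:
            script = obj.get("config", {}).get("script", "")
            for m in UPDATE_CALL.finditer(script):
                hits.append((f"info.plist:{obj.get('uid', '?')}", m.group(0)))
    # Scripts shipped as files (e.g. invoked from a Run Script node) are scanned too.
    for path in sorted(workflow_dir.rglob("*")):
        if path.is_file() and path.suffix in {".py", ".sh", ".rb", ".js", ".php"}:
            for m in UPDATE_CALL.finditer(path.read_text(errors="replace")):
                hits.append((str(path.relative_to(workflow_dir)), m.group(0)))
    return hits


def build_sample_workflow(root):
    """Write a constructed workflow folder (not a real workflow) under root and return it."""
    wf = Path(root) / "user.workflow.sample"
    wf.mkdir(parents=True)
    objects = [
        {"uid": "A1", "type": "alfred.workflow.input.scriptfilter",
         "config": {"script": 'python3 filter.py "$1"'}},  # no updater in this node
        {"uid": "B2", "type": "alfred.workflow.action.script",
         "config": {"script": "from workflow import Workflow\nwf = Workflow()\n"
                              "if wf.update_available:\n    wf.start_update()\n"}},
    ]
    (wf / "info.plist").write_bytes(
        plistlib.dumps({"bundleid": "com.example.placeholder", "objects": objects}))
    (wf / "filter.py").write_text("import sys\nwf.start_update()\nprint(sys.argv[1])\n")
    return wf


def demo():
    """Build the sample workflow in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_update_calls(build_sample_workflow(tmp))
```

Pointing find_update_calls() at each folder under Alfred's workflows directory gives a per-workflow list of the nodes and files that could install an update in the background.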
28 minutes ago, alvred said:

There are quite a few non-Gallery third-party workflows that are useful enough that not using them entirely is not an option for me.

 

@alvred This is why I suggested that you can ask about any workflow you're not certain about. Many workflows use simple objects, automation tasks (created by our team) and actions that are very transparent, so it's easy to see what they do in the canvas. If you have doubts about scripts in specific workflows, we (and the community) are always here to help demystify them. :)


Sorry about that! So following on @Vero's answer above, I'm assuming that non-Gallery workflows do not have the "update available" arrows?

 

I noticed that when I double click on a workflow's name, some of them (both Gallery and non-Gallery) have "Bundle Id" specified, and it says "When importing a workflow, Alfred uses the Bundle Id to know which workflow to upgrade".

 

Does this mean that for any workflows I don't fully trust, I can just make sure that field is empty to rest assured that it will never auto-update?

3 minutes ago, Vero said:

 

@alvred This is why I suggested that you can ask about any workflow you're not certain about. Many workflows use simple objects, automation tasks (created by our team) and actions that are very transparent, so it's easy to see what they do in the canvas. If you have doubts about scripts in specific workflows, we (and the community) are always here to help demystify them. :)

 

It's not that I'm unsure about any workflows as is, I can usually figure that out from reading the script as you said. I just want to make sure that I am informed of any automatic updates to a workflow.


If you are really paranoid (not saying you are), another thing you can do is install LuLu (open source firewall) that can block outgoing network connections from any app. So any malicious script can't get data out of your machine. However, you'd lose out on the availability of updates to the Alfred app and workflows (from Alfred Gallery), so you'd have to do that manually by downloading app and workflow updates. It's usually not recommended unless you know what you are doing, because it can block some connections from apps by mistake and can take you some time to figure out.
