Repos: When All-in-One Can Be No Fun.


For better or worse, one of the most powerful features of Kodi is the ability to extend its capabilities via addons. Key components in this are the repositories, or “repos” as they’re more commonly known. They allow for quick and simple installation and upgrade of addons, but as with the whole topic they too have a darker and riskier side that many users do not consider. 

Before we go into details of those risks, let’s first set the background by considering what a repo actually is and what it enables. 

As most users know, there are two main ways of expanding Kodi’s functionality with addons – install from zip and install from repo. Install from zip does exactly what it says on the tin: it installs a given addon into Kodi using a zip file package that contains the addon code. That zip file may be either downloaded from the internet and transferred onto the device where Kodi is running, or it can be accessed directly over the internet via an added source (most commonly through the Kodi file manager). This route is mainly intended for addon development purposes, prior to release and inclusion in a repo.

There are two main issues with this approach. The first problem is that the installation is then static. If the addon is updated or modified, Kodi won’t know this and any updates will need to be manually installed by the user. The second issue, however, is the one most commonly encountered by users, in that any other addons or code that the original addon depends on (that it uses or references, and requires to be installed for it to run) will not be automatically installed. Thus, for the original addon to operate and not just generate log errors or crash, all of its dependencies, both the correct packages and the correct versions, need to be manually located and installed separately.

So, What’s a Better Way?

Using a repo can solve both of these issues. A Kodi repo contains links to the current (and, commonly, also older) versions of the addon plus any required dependencies. So it acts as a “one stop shop” to install the given addon, with the bonus that it can be done via the Kodi GUI using the Install from repo option. With the exception of the official Kodi repo (which comes built into the Kodi core code), the only install from zip that is required is the original one to install the repo itself.

The real power of the repo, though, is that when the addon author updates their addon and pushes that new version to the repo (whether the official one or their own third-party one which the user has installed), then Kodi will see that the update is available and can either offer the update or just update it automatically, depending on configuration. So, with minimal or even no user effort, addons can be quickly and easily maintained, and distributed, keeping all user devices up to date.

Sounds Great – What’s the Catch?

That update functionality is where the potential risks come into play, however, especially for the common third party “all-in-one” repos (containing addons from multiple authors) that can be obtained from various internet sites and sources. Currently, if a newer version (with a higher version number) of a given addon is pushed to an installed repo, then the addon can be updated regardless of which repo the addon originally came from. Hence, if a malicious programmer pushes a new version of an addon (which may or may not be their own) to an installed repo, then anyone who had the original version will get the poisoned version installed onto their device instead. This is obviously a very undesirable outcome and would lead to widespread issues if a popular addon were to be subverted.
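The update behaviour described above can be audited from the user's side. The following is an added example, not Kodi's or Team Kodi's code: it reads the addons.xml index that each installed repo publishes and flags any installed addon for which a repo other than its origin offers a higher version. The repo ids, addon ids, versions and the origin record are constructed, and version comparison is simplified to dotted numbers.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: repo id -> the addons.xml index that repo serves.
# All ids and versions are hypothetical. For indexes fetched from the network,
# parse with a hardened XML parser (e.g. defusedxml) instead.
REPO_INDEXES = {
    "repository.author.example": """<addons>
  <addon id="plugin.video.example" version="1.4.2"/>
  <addon id="script.module.helper" version="0.9.0"/>
</addons>""",
    "repository.allinone.example": """<addons>
  <addon id="plugin.video.example" version="9.9.9"/>
  <addon id="plugin.audio.other" version="2.0.0"/>
</addons>""",
}

# Constructed record: addon id -> (installed version, repo it was installed from).
INSTALLED = {
    "plugin.video.example": ("1.4.2", "repository.author.example"),
    "plugin.audio.other": ("2.0.0", "repository.allinone.example"),
}


def parse_version(text):
    """Dotted-numeric comparison key (assumption: simpler than Kodi's own rules)."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def index_versions(xml_text):
    """Return {addon_id: version} from one addons.xml document."""
    root = ET.fromstring(xml_text)
    return {a.get("id"): a.get("version") for a in root.iter("addon")}


def find_cross_repo_updates(installed, repo_indexes):
    """Flag addons for which a repo other than the origin offers a higher version."""
    findings = []
    for repo_id, xml_text in sorted(repo_indexes.items()):
        for addon_id, offered in index_versions(xml_text).items():
            if addon_id not in installed:
                continue
            current, origin = installed[addon_id]
            if repo_id != origin and parse_version(offered) > parse_version(current):
                findings.append((addon_id, origin, repo_id, current, offered))
    return findings


if __name__ == "__main__":
    for f in find_cross_repo_updates(INSTALLED, REPO_INDEXES):
        print("%s: installed %s from %s, but %s offers %s" % (f[0], f[3], f[1], f[2], f[4]))
```

A finding does not prove the offered package is malicious; it marks an update that would arrive from a source other than the one the addon was installed from, which is the case worth reviewing before accepting.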

Another big issue with third-party repos is the fact that the domain name might be abandoned and expire while users still have the repository installed. This could enable an attacker to later register that expired domain, effectively taking it over. They could then replace the existing addon content with malicious code. This exact scenario is a significant enough risk to have been covered in several security conferences last year, for example this one.

If Only Someone Could Do Something…

There have been internal Team Kodi discussions on how to manage this risk, ranging from disallowing third-party repos completely, through to only allowing addons to update from their original repo, and on to the official stance of leaving things as they are as all of this should be the user’s responsibility anyway. Another issue is that there are cases which complicate any such restrictions, such as the use of testing “beta” repos for unstable versions of addons either under construction or for adding new features. This most commonly applies to skins, but also when addon authors make early or “bleeding edge” versions of new or existing addons available for public testing using this method.

In the case of the built-in official repo, each and every addon submitted to it is thoroughly reviewed, examined and tested by the repo maintainers (all Team Kodi members) to ensure it poses no risk to our user base. There are also limitations placed on addons – such as containing no pre-compiled, obfuscated or executable code (“binary blobs”) – all to try and stop our addon update system becoming a distribution path for malware. For third-party repos though, no such checks are, of course, performed by the team. So for each repo to be installed, the user – that means you! – should consider where it has come from, and whether they trust the author or organisation that has supplied it. Ask yourself whether they maintain such diligence over what is included in the repos they provide.

For cases such as the well-known individual addon author and their beta repos containing only their own work, the risks are often minimal. The “all-in-one” style repos, though, obviously offer a significantly higher risk of problems, especially for those that just seem to scrape any and all repos that they can access on the net, often without author agreement or consent. This is why many such repos are included on the Team Kodi banned addons list, although their common inclusion of banned piracy addons would place them on the list anyway. It’s also why Team Kodi offers no support for “builds” which pre-install addons or repos, as this is another common gateway to malware problems. And for those who may be under the illusion that this is just a hypothetical scenario, the stark reality is that such hijacking cases, “code flame wars” and distribution of malware-infected code have all actually occurred in the past using these exact methods. It is a genuine and real risk.

Team Kodi and its members are working towards improving the addon/repository infrastructure. A lot of tools have been developed in the last few years. Some examples of this include:

In conclusion, then: before you install any third-party addon, repo or build onto your Kodi device, pause and consider whether you really trust the source you’re getting it from and any repercussions that may result from that install.

Kodi Addons

Oblivion Streams Kodi Addon: Sports & IPTV Streams

Are you looking for free sports & IPTV links in Kodi? The Oblivion Streams Kodi addon is a top source for live channels pulled from the internet. Our guide below includes tips, tricks, and information about Oblivion Streams. Let’s have a look!

Oblivion Streams Kodi Sections

After you install the addon, you’ll see the […]


Kodi 19 gets a codename

It’s that time again. After unleashing Kodi v18 Leia into the wild, it’s time to give the upcoming Kodi 19 a codename.

As usual, our users suggested a myriad of names, most right up our alley, some less… erm… “appropriate”. After compiling suggestions from the community thread, Facebook and Twitter, we arrived at the top 10 list:

  • Magneto
  • Mars
  • Marvel
  • Marvin
  • Matrix
  • Megatron
  • Merlin
  • Metropolis
  • Mordor
  • Morpheus

At first glance it seems a consensual list. Nothing out of the ordinary and, with the possible exception of “Mars”, all science fiction related. Next, we needed to decide what to do: follow the users’ top suggestion as we’ve done in the past? Have team members vote to decide the name? Or maybe pick a completely different codename for Kodi v19 – Kodi “Muppet”, maybe? With so many great suggestions, we decided a team vote was the way to go.

So we did, and “Matrix” won the vote. And then all hell broke loose. Some team members argued we should be less predictable and geeky, that we could use some out-of-the-box thinking, choose something completely different, etc. What ensued was truly horrific. Geeks cursed each other, pizza boxes got thrown, beer was spilled, perfectly-formatted CSS insults flew, moms’ basements destroyed all over the world. I mean, spilled beer! Utter madness.

Bottom line – with such a great list of suggestions and a team vote, we still couldn’t reach an agreement. And, for a while, we actually contemplated settling for Kodi “MultiPass”.

Nahh, just kidding! The users have spoken, the team has voted and, in the end, geekiness has won!

Kodi “Matrix” it is.

Kodi “Leia” 18.2 Release

Just when you thought we were all having a rest for Easter, here’s some surprise news for you: Kodi “Leia” 18.2 is ready to roll. The sun is shining and the sky is blue here in western Europe, and we’re all tied to our keyboards to bring you the latest Kodi loveliness. We’re kind like that.

In keeping with the 18.x maintenance release cycle, this is a bug fix release, with no real new functionality. What’s worth noting, however, is how we’ve identified and managed the bugs this time. We’ve always valued high-quality bug reports, and, for this reason, for 18.x we implemented an issue template and an automated verification system in the GitHub issue tracker. This makes the bug reports more complete, and gives the Kodi developers a better chance to pinpoint problems more accurately and fix them more quickly. The aim is to solve the problem of waiting for proper full debug logs, samples and suchlike, hopefully saving a lot of time and getting issues resolved more quickly. Hopefully, you can see the results of this new process in the 18.x bug fix releases.

For this 18.2 release we are also grateful to have received many code contributions from outside Team Kodi. With this help we were able to fix performance and dependency regressions in our GLES rendering path. Similar fixes were contributed for the AML platform, which really hasn’t received much love over the past years.

VAAPI on Intel has gained some corrections for interlaced content that toggled interlaced flags during playback, and therefore caused stutter by reconfiguring the decoder.

Amongst other things, work has continued on Kodi’s music experience: database access speed has been optimised as well as improved import functionality. Similarly, there have been fixes and improvements across all aspects of PVR, with a couple of particularly nasty bugs sent on their way.

You can also find a huge number of improvements for the Android platform. Because of the automated Google tests done in the Play store, we were able to track down and resolve a lot of issues revealed by those “drunken monkey” tests.

Beside all the fixes, we have introduced a Codec Factory (Android only) where power users can configure HW-Decoder usage in a fine-grained way. Most box sellers only provide usable codecs for formats which they use to sell content. Other format support tends to be poor, and therefore a configurable heuristic-based codec and video dimensions was added. The settings can be configured by the user in human-readable and writable XML format. More information can be found in the related pull request.

We will continue to work on Leia: an 18.3 release will be drafted once we have important fixes for this release. In the meantime, development on version 19 M* has begun. We will officially announce its new codename shortly. A small spoiler: “May the force be with you – always”. But this time we will switch universes (and here’s another hint: you might find it on GitHub already if you know where to look…).

The full v18.2 changelog can be found in our GitHub milestone. If you want to read back on what was actually changed in v18 itself, you can find the corresponding articles in the blog posts – Kodi 18, Kodi 18.1.