Can I delete Muse Hub after installation of Muse Sounds?

• Oct 10, 2023 - 14:23

Hi,

Can the Muse Hub installer be deleted from my PC after I have downloaded Muse Sounds?

As I mentioned in a previous post a while back, I'm a bit uncomfortable (security-wise) with the fact that Muse Hub is always connected, running in the background. I realize I'd have to reinstall Muse Hub occasionally to receive updates, but I'd prefer to do that than have it always running. (And yes, I know you can click the "Quit" button, but I was wondering about actually uninstalling it ... I just got as new PC and want to keep it as 'clean' as possible regarding unnecessary apps/programs).

Thx!

Comments

Dec 23, 2023 - 00:34

No idea if that would work or not. The other idea would be to just uninstall the HUB and only install it every once in a while. Personally I only quit it. I spent a lot of hours monitoring my system when the whole "HUB isn't safe" thing happened. On Windows I saw zero indication of any activity on that PID no mater what I used to watch it.

Reply

Dec 23, 2023 - 15:38

I've been trying Linux Mint (I have double boot). It isn't unfriendly, You just need to adapt a bit. Most programs install in a very simple way, and many of them are portable (those that can be downloaded as an appimage). And, most important, on Linux MuseScore is much faster. With Windows 10 I've been experiencing sluggish responsiveness to simple commands as selecting a note or dragging the score. With Linux it doesn't happen.

Reply

Dec 23, 2023 - 15:27

This is a very good proposal. I'm considering Oracle Virtual Box + Linux, both free software. One problem with simply closing Muse Hub is that, seemingly, it keeps going at the background with the purpose of using part of the user's Internet bandwidth to allow torrent-like P2P download for new users. According to some posts, even uninstalling Muse Hub something is left behind (apart from the sounds, I mean!)

Reply

Dec 23, 2023 - 17:16

Sure. We all have to use what works best for each of us. I have no trouble with MU4 in W10 or W11.

I believe it was a Linux user that first brought up the HUB problem. There was much discussion about what could happen with the HUB as far as torrent problem goes. As I recall, no one actually proved that the usage ever happened. Only that they thought it might happen.

Reply

Dec 23, 2023 - 19:47

Unfortunately, many things that might happen but don't happen, or there is no evidence that have happened, eventually do happen. I have a recent example, completely unrelated to music or MuseScore, but relevant to these concerns. There is a company that provides genetic genealogy services online called 23andMe. People submit a sample of saliva and they make an ancestral ADN profile that allows to find relatives, ancestors and so on. Recently, 7 million records of genetic data were hacked. It was very unlikely and the company allegedly fulfilled all the safety rules and standards, yet now their customers' genetic into has been seriously compromised: https://www.theguardian.com/technology/2023/dec/05/23andme-hack-data-br…

Reply

Dec 23, 2023 - 21:22

Yes, and many do not. Banks and power grids are hacked now and then. I'm not saying don't be cautious. But just because someone cries wolf, doesn't mean there is one. But what do I know. I'm on my third marriage.

If someone wants your info bad enough, you won't be able to stop them. Yes, I know, no need to make it easy for them. But still.

Reply

Dec 24, 2023 - 00:58

I agree almost completely that most of the time nothing in productivity software should modify anything at system level without permission, and such permission should be clearly required and safely deniable. Creating, editing and handling files involving user data (such as is the case of scores) doesn't need to modify any system files. The proof that this is possible is the existence of portable software, which by the way I use whenever is available. Another proof is that appimages are now quite standard in Linux.
The only exception is to install, uninstall or upgrade non-portable software, but always under the control of the user.

Reply

Dec 24, 2023 - 04:33

But I have at least two other paid programs that have root access. I didn't even know about it until I did some digging about the HUB. The claim is that root access is bad. I've seen no proof. None.
Whenever you install anything, you have to give it permission to make changes to your system. I also use some portable software. But only because I can have them on a usb. Not because they are safer. I have no way to know that they are safer. They can still make changes to my system.
Not sure what user data is involved in creating a score. Unless you count saving to .com, which I have no interest in.
It's tricky to prove something for Windows based on how Linux works.

Reply

Dec 24, 2023 - 08:04

Many paid programs have root access, many have telemetry which you cannot easily disable and so on. That's one of the reasons why I prefer free software, it is usually more transparent. The fact is that you cannot resist or prevent what you are not aware of, but if you know there is a potential risk, some of us at least prefer to avoid it.
Regarding user data, I didn't mean personal information like IP, name or email, but data created or edited by the user when creating the score: notes, durations, dynamics. This certainly doesn't need to be in system folders.
Finally, you are right, but I'm not trying to prove anything. I'm just saying that both in windows and Linux you have portable applications, which, indeed, can modify things in your system if you allow them to, for instance, accepting the default directories where they store things like preferences, templates, etc, but you can choose to locate them at the program's portable directory instead.
Anyway, i get your point: some of us prefer to be on the safe side and you don't care as long as there isn't a real and proven threat. That's OK from the user's point of view. But it's not from the company's. By the same token that in many cases they provide a checksum to give tranquility to the user that the files have not been corrupted, they should ensure that the root privileges are temporary, restricted to known actions and in a way it can effectively be opted out.

Reply

Dec 24, 2023 - 08:49

To answer your question if Muse Sounds Manager "has removed the requirement of permanent root privileges, asking for it only "when required to install packages to a system folder". It would be interesting if some Linux user who has installed the app could confirm this."
I do confirm. No more torrent service permanently running in the background with superpower privileges for Linux. Windows and Mac users must keep their completely insecure Muse Hub, since they do not care.
For the rest, i will stay far away from this conversation.

Reply

Dec 24, 2023 - 17:31

fmiyara.
There is no free version of my Focusrite software. I do care about being on the safe side. It isn't fair to say that I don't care. Is there potential risk? That's what I don't know. It isn't that I don't believe one way or the other.

It might be different if I hadn't spent so much time monitoring and studying. There just wasn't any evidence. Sure, that may not mean anything. I may have been monitoring the wrong thing. I might be totally off base. But I just didn't accept that just because someone said there might be a problem, makes it so. I like to check things myself, sometimes.

Reply

Dec 24, 2023 - 19:35

Sorry, no offense intended. You are right, you do care if you spent hours monitoring.
I didn't monitor anything because I don't have the knowledge and because not being certain and having heard some concerns, I don't dare to install Muse Hub. But what I do know is that root privileges could be potentially used to cause harm, either intentionally (by a hacker) or unintentionlaly (for instance, overwriting or deleting something that is necessary for other applications).

Reply

Dec 24, 2023 - 20:31

fmiyara,
None taken. I'm just trying to figure all this out. Where did you hear that root privileges could "unintentionlaly (for instance, overwriting or deleting something that is necessary for other applications)." Seems unlikely with properly written software on an OS that is running correctly. But there is the crucks of the matter. What is well written. It is claimed that the HUB doesn't need such privileges. Not being a programmer I don't know. I would think that a group clever enough to write MU4, would have some inkling of what they are doing. It has been claimed that because the HUB is not open source, then the developers were up to no good. I almost feel that those who believe that should just not use the software. Seems simple enough.

Anyway, I really didn't mean to dredge all this up again. Just trying to understand things. For me, There are many things that need to be fixed in playback that are more important.

Reply

Dec 24, 2023 - 23:05

As an example, I have experienced in the past (more than once) the need to reload a DLL because some newly installed application overwrote it, without asking, with one with the same name. And this is much easier to say than to do, it means a lot of web search to figure out what the problem is... after initially falling into dispair, particularly not being a computer expert. These memories make me a bit too cautious, I know.
I agree that there are many other problems, both playback and usability ones.
But to be honest, the graphic output is outstanding, I've finished a 20 page chamber music score (an octet) and the result required very few edits, mostly system and page breaks, to render an optimum layout, almost no artifacts, excellent autoplacement, both for the general score and parts.
EDIT: The part generator has problems, particularly with rehearsal numbers. Sometimes they are reversed, sometimes one is lacking, and when trying to update nothing changes. The order can be corrected by resequencing, but the only general solution is to reset, losing all formatting

Reply

Dec 25, 2023 - 00:11

I can't say I've ever had that kind of overwriting problem. Would that be a software or OS problem?

I use notation software for playback almost exclusively. So for me cleaning up the very sloppy solo fonts is a big deal. As well as the violin sections swelling on most notes.

Reply

Dec 28, 2023 - 00:21

EDIT: Here I've found a description of things that may happen when some software gains root privileges on systems like Windows or Linux that base their protection of critical files (and hence, their security) on reserving for the root account the permission to make critical changes: https://en.wikipedia.org/wiki/DLL_Hell
The article says that this can be accidental or malicious.
Again, no proof that this has already happened in the case of MuseHub, but it could happen

Reply

Dec 28, 2023 - 07:20

Exactly. Those things include protecting system files through admin permissions. When overriden in an unattended way we can fall in the pre-2000 situation. The word unattended is important here, since when installing something having been asked to grant temporary permission by acting as administrator in general one assumes it is indeed temporary until the install is complete, except in some cases where it is unavoidable, like the case of an antivirus (which in general are reliable --even if they probably spy on you, they won´t make harmful changes--). But granting that permissions sometimes makes it possible that some DLL's with the same name be overwritten. It is not just a possibility, it happened to me well after year 2000.

Now, when something that cannot be thoroughly trusted keeps going at the background with critical privileges, anything can happen; not saying that it happens or will happen, but the back door is open...

Reply

Dec 28, 2023 - 08:55

It works! Just downloaded MS4.2.0, which runs surprisingly well on my 12 year old Windows 10 PC with its mechanical hard disk and only 4 GB RAM.

Opened a copy of a MS3 file, (to avoid accidents), went to the mixer and loaded Pianoteq 8 VST with Classical Guitar. Everything still ran smoothly and it sounded great!

Reply

Dec 28, 2023 - 17:54

fmiyara
As I understand the article, that happened to you because you are not on Windows. Which adds to the list of reasons Linux isn't for me.
I have been unable to determine that anything from the HUB is running in the background when I quit it or even delete it and run software to find and delete any traces of it.
How do you know it is running in the background?
I need something more than "it might be possible". That doesn't tell me much. There are many things much worse that might be possible. Hackers aren't interested in individuals, as such. They hack banks and such for the mass info they want. And now AV can't be trusted? Better not go out side because because of all the security cameras.
Sorry, I'm not trying to be difficult. Just trying to verify.

Reply

Dec 28, 2023 - 20:35

That's just it. Just because someone says there are security concerns, doesn't mean there are. Why are alarm bells ringing? I'm all for being safe. But I need a bit more than somebody said there might be a problem. I really am interested in knowing. I might be totally wrong. So be it. But no one has offered anything. I know there are those on the forum who have tried in the past. When I try the things they suggest, I get nothing. I run AV and a firewall because there are real threats out there. If the weather report calls for rain, I prepare for rain. That is a demonstrated cause and effect. Even if it doesn't rain. If someone says there might be security concerns, I need a little more.
BTW, glad to here you got 4.2 running on your computer. For the most part it seems to be Muse sounds that need all the extra firepower. I know it is missing a lot of things you need.

Reply

Dec 28, 2023 - 23:50

Unfortunately we have no definitive way of knowing whether it's safe, (because it's closed source), but I'm not allowing a non-OS service with admin privileges to run on my computer except for a tried and tested antivirus from a trusted company.

There should be no need for an update service to run with such high level access. I'm using a third party VST for testing MS4 and if I want Muse Sounds then I'll use a Windows VM to sandbox it and then move the sound files. However, Pianoteq 8 is so good that I don't expect to need Muse Sounds.

MS 4.2 uses a massive 400 MB of RAM to run, (3.7 uses 100 MB), but it performs surprisingly smoothly with Pianoteq 8 Classical Guitar even on my state-of-the-ark Windows 10 PC. The MS4 UI is a definitely a work of beauty but guitar playback is a step backward due to lack of support for the TAB Ring plugin. The continued lack of a semi-bold or bold font for guitar TAB is also hugely disappointing. It seems that all the "huge steps forward for engraving" only applied to standard notation.

Reply

Dec 29, 2023 - 01:05

"There should be no need for an update service to run with such high level access."
I am not a programmer or or OS expert. I have no idea if this is true or not. This statement has been made many times. There are plenty of closed programs, including the OS, that run on our computers all the time. We have little idea what they are doing in the background. Just because they may not be causing trouble now doesn't mean that they won't in the future.
MS4 with Muse sounds and a full orchestra score uses over 700 MB. Over 1 G while playing. And 20% CPU. Sibelius uses 1300 MB while playing the same score, but only 2%CPU. Sibelius also has 35 GB of sounds, unlike MS4 with 13 GB.
State-of -the ark. I love that. I have one of those. From when XP was new. Everybody hated XP because you needed 128 MB of ram to run it.

Reply

Dec 29, 2023 - 01:27

Most OSes have at some time caused (unintentional) trouble, generally through malicious exploitation of a vulnerability. Similarly with AV software. These are expected to need system level privileges so you choose your supplier with that in mind.

MuseHub is not OS level software. If it was normal for such software to install a background service with admin permissions for updates then no-one would be raising any concerns. The fact that many people have made the statement is an indication that this is not typical and that it has security implications if there is a vulnerability in the code.

On the other hand, Musescore plugins carry a huge security risk but I don't know how many users vet them before use even though we have no idea whether the programmer is trustworthy or competent. A plugin could wreck your computer very easily as it is not restricted to working with Musescore. For example it could delete random files from your computer.

Reply

Dec 29, 2023 - 18:46

OK. I admit to misunderstanding the statement.
But my experience with other software that seems to have similar access does not tell me that access is automatically wrong. That's what I'm trying to find out. Everyone has an opinion.

Reply

Dec 29, 2023 - 18:58

It's unusual enough to raise concerns. Developers obviously don't deliberately add vulnerabilities to their code but even mighty Microsoft fixed another 60+ vulnerabilities in Windows 10 in 2023. So it's unlikely that the MuseHub team have made perfect code. Hence I will proceed with cation.

I don't have any other software with similar access.

Reply

Dec 29, 2023 - 00:41

Well, nowadays I use Windows 10 90 % of the time and Linux Mint the remaining 10 %. Its a matter of having a bit more time to migrate completely to Linux, which is far safer. Most Linux users don't even use an antivirus, see https://help.ubuntu.com/stable/ubuntu-help/net-antivirus.html.en?extern…

But what I described (and then found in the wikipedia article) happened to me using Windows XP and Windows 7 (No DLLs in Linux as far as I know, but there are shared objects, a similar concept), each one 100 % of the time in those days.

Anyway, I guess none of us can provide you with a proof that there is a risk

Reply

Dec 29, 2023 - 01:30

I'm not saying that there is no risk. Just turning on any computer is a risk. Yes XP and W7 had all kinds of vulnerabilities. AV was always catching something. I can't remember the last time I got a report that AV caught something. Not sure what that means either.
I can't use Linux for what I need.

Reply

Dec 30, 2023 - 02:47

bobjp,
Almost for everything that can be done on Windows you can find a Linux application that allows similar capabilities and performance. And for many Windows-only applications there is a Linux tool called Wine (https://wiki.winehq.org/Wine_Features) that emulates windows and allows installing those applications (both 32 and 64 bit), so I'm curious if I may ask, what kind of applications make it impossible for you to use Linux? Of course you may simply dislike it, or consider it is not worth the time needed to try it or learn new applications, but if it is just the lack of a very specific application, which would it be?

Reply

Dec 30, 2023 - 17:00

fmiyara
Yes, I am well aware of similar applications and Wine. I have experimented with Linux on occasion. I ran into limitations using Wine. All documented when I researched them. I know that both iOS and Linux are reported to be more secure that Windows. And I'm not saying Windows is better. In my family, everyone has turned to the dark side (Mac). :) I'm still waiting for someone to give me a compelling reason to switch. Everyone uses the system that works for them. Yes, I could learn Linux. But I don't have to. If I were to switch to Linux, it would have to be on its own merits. Not as a substitute for Windows. I have used Windows since W95. Is it perfect? Hardly. But Linux is different enough that I'm not willing to invest the time to really use it.

Reply

Dec 25, 2023 - 00:03

@bobjp

re: "Seems unlikely with properly written software on an OS that is running correctly." Yes, that is the crux of the matter. It would seem unlikely that MuseHub is intentionally malicious but MS.com have not got the best track record when it comes to quality control with their website software so this does not inspire confidence. The biggest risk is that the code could have an exploitable vulnerability and this would be made worse with root access.

re: "I would think that a group clever enough to write MU4, would have some inkling of what they are doing." The group of developers working on the open source MS4 desktop software does not appear to the same group that develops MuseHub, which is managed by https://musehub.zendesk.com/.

In any case, MS4 has had many bugs fixed since its launch and many waiting to be fixed despite the cleverness of the group, and I'm not demeaning them, they are a clever group but MS4 is clearly a complex project with probably less resources available than its paid for competitors. The mitigating factor here is that the desktop software runs with user privileges whereas the hub runs with root.

Each user should make their own risk assessment of MuseHub and act accordingly. It may well be safe but a VM will give me more confidence when I finally use MS4. (At present it has too many functions missing which are part of my workflow but maybe by Christmas 2024 it will be ready.)

Reply

Dec 25, 2023 - 00:39

yonah_ag

"the code could have an exploitable vulnerability"
And my question has always been "Does it?" Maybe it does. Maybe it doesn't. I don't know. No one has demonstrated that it does.
Doesn't make any difference whoever came up with both programs. They still had to know what they were doing.
Any new program can have bugs. MU4 is, of course no exception. But many things that users call "bugs" aren't. Mu4 doesn't do something the way that 3 did, so the poster calls it a bug. Some are user error. I know the list of missing functions in 4 is long. I'd be surprised if they are ever all returned.
Yes, we must all decide what is important. I'm after playback. Even with the playback problems that 4 has, it is still much better for my needs than 3.

Reply

Dec 25, 2023 - 01:10

"Maybe is does, maybe it doesn't". Sure, all programs have bugs but not all have root access.

I am only referring to bugs logged as such, not to differences from MS3. At the moment there are too many features missing from MS4 to make it even worth considering: it is effectively crippled so the improved playback is irrelevant. I expect to make some playback improvements to MS3.7 in the new year and this may be enough for me to never require MS4.

Reply

Dec 25, 2023 - 02:11

And root access automatically make it bad? Again maybe it is, maybe it isn't. That's the question no one has answered. There are opinions only.
I certainly get that there are enough things missing from MS4 that you need for your workflow. But that doesn't make it crippled and worthless. I know that you do a lot of guitar work and that MU4 doesn't have many of the things that you need. You know that I have said that even though I play guitar, I have little interest in writing for it. I've done a few things. But honestly I have yet to hear any font that does the instrument justice. How you hold the instrument. The thickness of your fingers. The pressure on the strings. The gauge of the strings. The thickness of the pick (if you use one). The wood used in construction. Are you standing or sitting. Big room. Little room. Outside. All under the control of the player and all make a difference. None are in a font. Should they be? I realize that the point of notation software is to make notation. I know that to begin to get what I want is to use a DAW and a few thousand dollars of libraries.

Reply

Dec 25, 2023 - 06:37

"And root access automatically makes it bad?"
Not automatically but for some of us it alerts us to a potential risk, especially as there are, as you say, only opinions and no definitive answers. My background is in I.T. so maybe I'm just over cautious.

Your comments on guitar fonts are spot on, (don't forget steel string vs. nylon string!), and since playback is secondary to me I am happy to wait for MS4 to settle down. I wonder if all instrument fonts are equally deficient but only apparent to those who play that instrument? Most of the orchestral instruments in MS3 sound good to my ear.

MS3 is still great for me, especially in 3.7 guise, and lacks only a few features, the main one being a bold font for guitar TAB, (although I now have a plugin for this.) MS3's control over score styling and its plugin API have meant that I stopped using Guitar Pro a few years ago.

Reply

Dec 25, 2023 - 16:43

Nothing wrong with being over cautious. I'm not a programmer. Though many lifetimes ago I used to program in Basic. That was just for fun. But never went beyond that. I've built some computers from scratch and repaired many. All for fun.
I grew up playing trumpet and guitar. Not at the same time. Hmmm, that might be....never mind. Anyway, I was a music ed major so I had to learn the basics of playing all the instruments. The trumpet in MU3 is just blatty and dull. The trumpet in MU4...Well maybe better. But no respectable player would play as sloppy as that font. I've played in most every kind of group. I know what most instruments sound like and how they blend together. So that's how I write. Do the violins and flute sound good here? Would an oboe sound better? No one will ever see the notation. I might use something I write as the background in a video. But mainly just for me to listen to.

Reply

Dec 24, 2023 - 09:15

@fmiyara, re: "I'm considering Oracle Virtual Box + Linux, both free software."
I have recently been using a VM for the first time, (needed it at work to run Linux on Windows), and Oracle VirtualBox was required. It was really easy to configure and performance is good. I only needed google to work out how to share a data folder between Windows and the VM.

Reply

Do you still have an unanswered question? Please log in first to post your question.