Web lists-archives.com

Re: .deb packages and security




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jun 04, 2018 at 07:20:34AM -0500, Anil Duggirala wrote:
> hello,
> I know installing .deb packages downloaded from websites is not a good practice in terms of software management in Debian. I would like to know if I should have security concerns when installing a .deb package "manually" (using gdebi for example) ?
> Is it possible that by downloading the skype .deb package and installing it, I am creating a security vulnerability in a Debian system?

Yes.

I know, I know.

Take a step back: it all reduces to trust. Debian packages are signed
by their maintainers: by verifying the signature against the published
public keys (the Debian keyring) I can assess that the package comes
from a maintainer [1], and that it hasn't been tampered with in its way
to me (whether it was wget, curl, apt, file copy, or USB-on-pigeon).

Whether I trust the Debian maintainers is up to me...

Now where did you get your skype package? Is it signed? Do you have the
signer's public key? Can you assess whether this public key has reached
you without having been tampered with?

If you can answer those questions, then you have all of the above.

Now...

I don't know anything about the Debian skype package. But I *know* that
skype is not free. I doubt that the skype package brings along the skype
binaries: I expect it to be just an installer which grabs whatever
binaries are needed off the internets. And there's the real elephant
in the room.

Me? I wouldn't trust skype as far as I can spit. Personally I'd run it
in an isolated environment (if I had to, at all). Perhaps on its own
hardware. Raspis aren't that expensive these days.

Cheers

[1] ...or from someone who got control of the maintainer's private
   key.
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlsVOQcACgkQBcgs9XrR2kaJtACfWizxnxst6IeYOza1U3DEoZQZ
d3sAn06NK5pHnRV7BgmUI8nNndb2elFu
=Cmo4
-----END PGP SIGNATURE-----