Re: .deb packages and security
- Date: Mon, 4 Jun 2018 15:37:08 +0200
- From: john doe <johndoe65534@xxxxxxxx>
- Subject: Re: .deb packages and security
On 6/4/2018 3:09 PM, Dan Purgert wrote:
Anil Duggirala wrote:
I know installing .deb packages downloaded from websites is not a good
practice in terms of software management in Debian. I would like to
know if I should have security concerns when installing a .deb package
"manually" (using gdebi for example) ?
Do you trust the provider of the *deb package? If so, you should be
fine. If you want to take it a step farther, see if there's a (sha256)
checksum for the package.
Note that checksum (sha512) and key verification are two separate things:
- checksum will insure that the file is not corrupted
- key verification will insure that the file has not been tempered with
So both steps is a must!