
Re: .deb packages and security

On 6/4/2018 3:09 PM, Dan Purgert wrote:
Anil Duggirala wrote:
I know installing .deb packages downloaded from websites is not a good
practice in terms of software management in Debian. I would like to
know if I should have security concerns when installing a .deb package
"manually" (using gdebi for example)?

Do you trust the provider of the *deb package?  If so, you should be
fine.  If you want to take it a step farther, see if there's a (sha256)
checksum for the package.

Note that checksum (sha512) and key verification are two separate things:

- checksum will ensure that the file is not corrupted
- key verification will ensure that the file has not been tampered with

So both steps are a must!

John Doe
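
An added illustration of the distinction drawn in the reply above (not part of the original thread): a checksum published next to the download catches corruption, but only a signature over the checksum list catches a replaced package whose checksum was replaced with it. The file name, package bytes and key are constructed, and HMAC stands in for a detached OpenPGP signature, which in practice is checked with the publisher's public key (for example with `gpg --verify`).

```python
import hashlib
import hmac

# Constructed sample data; no real package, key or signature is involved.
PUBLISHER_KEY = b"constructed-publisher-key"  # stand-in for the publisher's signing key
GOOD_DEB = b"!<arch>\ndebian-binary (constructed sample package)"
EVIL_DEB = b"!<arch>\ndebian-binary (constructed modified package)"


def sums_line(name: str, data: bytes) -> str:
    """Build one line in sha256sum(1) format: '<hex digest>  <filename>'."""
    return f"{hashlib.sha256(data).hexdigest()}  {name}\n"


def sign(key: bytes, sums_text: str) -> str:
    """Stand-in (HMAC) for a detached signature over the checksum file."""
    return hmac.new(key, sums_text.encode(), hashlib.sha256).hexdigest()


def checksum_ok(name: str, data: bytes, sums_text: str) -> bool:
    """Check the file against its entry in the checksum list."""
    for line in sums_text.splitlines():
        digest, _, listed = line.partition("  ")
        if listed == name:
            return hmac.compare_digest(digest, hashlib.sha256(data).hexdigest())
    return False  # no entry for this file: treat as a failure


def verify(name, data, sums_text, signature, key=PUBLISHER_KEY) -> str:
    """Key verification first, then the checksum; report which step failed."""
    if not hmac.compare_digest(signature, sign(key, sums_text)):
        return "bad-signature"
    if not checksum_ok(name, data, sums_text):
        return "bad-checksum"
    return "ok"


SUMS = sums_line("tool.deb", GOOD_DEB)
SIG = sign(PUBLISHER_KEY, SUMS)
# Whoever can replace the package on the site can replace its checksum too,
# but cannot produce a valid signature without the publisher's key.
FORGED_SUMS = sums_line("tool.deb", EVIL_DEB)

if __name__ == "__main__":
    print(verify("tool.deb", GOOD_DEB, SUMS, SIG))         # clean download
    print(verify("tool.deb", GOOD_DEB[:-1], SUMS, SIG))    # truncated in transit
    print(checksum_ok("tool.deb", EVIL_DEB, FORGED_SUMS))  # checksum alone passes
    print(verify("tool.deb", EVIL_DEB, FORGED_SUMS, SIG))  # signature check fails
```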