Web lists-archives.com

Re: .deb packages and security




On Mon, Jun 04, 2018 at 03:37:08PM +0200, john doe wrote:
On 6/4/2018 3:09 PM, Dan Purgert wrote:
Anil Duggirala wrote:
hello,
I know installing .deb packages downloaded from websites is not a good
practice in terms of software management in Debian. I would like to
know if I should have security concerns when installing a .deb package
"manually" (using gdebi for example) ?

Do you trust the provider of the *deb package?  If so, you should be
fine.  If you want to take it a step farther, see if there's a (sha256)
checksum for the package.


Note that checksum (sha512) and key verification are two separate things:

- checksum will ensure that the file is not corrupted
- key verification will ensure that the file has not been tampered with

So both steps are a must!

While checksums and signatures ensure that you get what was offered, reproducible builds ensure that what was offered is what you were promised (i.e. that the binary package is a true representation of the application).

--
For more information, please reread.

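The two checks discussed in the thread, side by side, as an added example that is not part of any message above. It assumes a hypothetical vendor layout: the downloaded package tool_1.0_amd64.deb, a SHA256SUMS file listing its hash, a detached OpenPGP signature SHA256SUMS.asc over that list, and a keyring file vendor.gpg holding only the vendor's public key, fetched out of band rather than from the same download page. It needs GNU coreutils (sha256sum, awk) and gpgv from the gnupg package; the function and file names are my own.

```bash
#!/bin/sh
# Added example, not from the thread. Assumed layout (hypothetical names):
#   tool_1.0_amd64.deb   the package you downloaded
#   SHA256SUMS           vendor's checksum list, one "<hash>  <file>" per line
#   SHA256SUMS.asc       vendor's detached OpenPGP signature over SHA256SUMS
#   vendor.gpg           binary keyring (gpg --export, not --armor) holding
#                        ONLY the vendor's public key, obtained out of band
# Needs GNU coreutils (sha256sum, awk) and gpgv from the gnupg package.

# Integrity check: does the file match the published hash?
# Returns 0 on match, 1 on mismatch or missing entry.
# Catches corruption or truncation, but NOT a swap by an attacker who can
# also rewrite SHA256SUMS (a compromised mirror or a MITM on plain HTTP):
# with both files replaced, this check still passes.
verify_checksum() {
    deb="$1"; sums="$2"
    name=$(basename "$deb")
    # sha256sum writes "<hash>  <name>" (text mode) or "<hash> *<name>" (binary mode)
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$deb" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Authenticity check: was SHA256SUMS signed by a key in our keyring?
# Returns gpgv's status: 0 only for a good signature from a key in $keyring.
# The hash list is what gets signed, so a forged list fails here even though
# verify_checksum would accept it together with a forged package.
verify_signature() {
    sums="$1"; sig="$2"; keyring="$3"
    gpgv --keyring "$keyring" "$sig" "$sums"
}

# Both checks, in the order they matter: first prove the hash list is the
# vendor's, then prove the package matches that list. Only then install.
verify_deb() {
    deb="$1"; sums="$2"; sig="$3"; keyring="$4"
    verify_signature "$sums" "$sig" "$keyring" || {
        echo "bad or missing signature on $sums" >&2
        return 1
    }
    verify_checksum "$deb" "$sums" || {
        echo "checksum mismatch for $deb" >&2
        return 1
    }
    echo "$deb verified against the signed hash list"
}

# Usage (keyring path must contain a slash, otherwise gpgv looks in ~/.gnupg):
#   verify_deb tool_1.0_amd64.deb SHA256SUMS SHA256SUMS.asc ./vendor.gpg \
#       && sudo gdebi tool_1.0_amd64.deb
```

Neither check says anything about whether the vendor's key belongs to someone you should trust, or whether the signed binary is what the source claims to be; that is the trust decision in the first reply and the reproducible-builds point in the last one. Installing from a configured apt repository performs the same two steps automatically, via the signed Release file and the hashes it carries for the Packages index, which is the practical reason manual .deb installs are discouraged.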