Re: .deb packages and security
- Date: Mon, 4 Jun 2018 14:48:43 +0100
- From: Darac Marjal <mailinglist@xxxxxxxxxxxx>
- Subject: Re: .deb packages and security
On Mon, Jun 04, 2018 at 03:37:08PM +0200, john doe wrote:
> On 6/4/2018 3:09 PM, Dan Purgert wrote:
>> Anil Duggirala wrote:
>>> hello, I know installing .deb packages downloaded from websites is not a good practice in terms of software management in Debian. I would like to know if I should have security concerns when installing a .deb package "manually" (using gdebi for example)?
>>
>> Do you trust the provider of the *deb package? If so, you should be fine. If you want to take it a step farther, see if there's a (sha256) checksum for the package.
>
> Note that checksum (sha512) and key verification are two separate things:
> - checksum will ensure that the file is not corrupted
> - key verification will ensure that the file has not been tampered with
>
> So both steps are a must!
While checksums and signatures ensure that you get what was offered, reproducible builds ensure that what was offered is what you were promised (i.e. that the binary package is a true representation of the application).
-- For more information, please reread.
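The two separate checks john doe describes, as an added shell example that is not part of this thread or of any Debian tooling. It assumes a downloaded .deb, the publisher's SHA-256 value, a detached `.asc` signature, and a keyring file you populated only with keys you chose to trust (all names are placeholders).

```shell
#!/bin/sh
# Added example: integrity (checksum) and origin (signature) are distinct checks.

# SHA-256 of a file, portable across coreutils and BSD userlands.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Check 1: integrity. Succeeds only if the file hashes to the published value.
# This catches a corrupted download; it does not prove who produced the file,
# because a hash published next to the package can be replaced along with it.
verify_checksum() {
    _pkg=$1; _expected=$2
    _actual=$(file_sha256 "$_pkg")
    [ "$_actual" = "$_expected" ]
}

# Check 2: origin. Succeeds only if the detached signature verifies against a
# key in the given keyring; gpg exits non-zero on a bad or unknown signature.
# A dedicated keyring keeps unrelated keys in your default keyring from
# vouching for this package.
verify_signature() {
    _pkg=$1; _sig=$2; _keyring=$3
    gpg --no-default-keyring --keyring "$_keyring" \
        --verify "$_sig" "$_pkg" >/dev/null 2>&1
}

# Both checks must pass before the package is handed to dpkg or gdebi.
verify_deb() {
    verify_checksum "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    verify_signature "$1" "$3" "$4" || { echo "signature check failed: $1" >&2; return 1; }
    echo "ok: $1"
}

# usage: verify_deb foo.deb <sha256-from-publisher> foo.deb.asc vendor-keyring.gpg
```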