Re: .deb packages and security

To: debian-user@lists.debian.org
Subject: Re: .deb packages and security
From: john doe <johndoe65534@mail.com>
Date: Mon, 4 Jun 2018 15:37:08 +0200
Message-id: <[🔎] cc36410c-1d55-5be5-5426-dc50c31a2f70@mail.com>
In-reply-to: <[🔎] slrnphaefu.3q1.dan@xps-linux.djph.net>
References: <[🔎] 1528114834.3988673.1395602768.5C7541E9@webmail.messagingengine.com> <[🔎] slrnphaefu.3q1.dan@xps-linux.djph.net>

On 6/4/2018 3:09 PM, Dan Purgert wrote:

Anil Duggirala wrote:

hello,
I know installing .deb packages downloaded from websites is not a good
practice in terms of software management in Debian. I would like to
know if I should have security concerns when installing a .deb package
"manually" (using gdebi for example) ?


Do you trust the provider of the *deb package?  If so, you should be
fine.  If you want to take it a step farther, see if there's a (sha256)
checksum for the package.


Note that checksum (sha512) and key verification are two separate things:

- checksum will insure that the file is not corrupted
- key verification will insure that the file has not been tempered with

So both steps is a must!

--
John Doe

Reply to:

Follow-Ups:
- Re: .deb packages and security
  - From: Darac Marjal <mailinglist@darac.org.uk>

References:
- .deb packages and security
  - From: Anil Duggirala <anilduggirala@fastmail.fm>
- Re: .deb packages and security
  - From: Dan Purgert <dan@djph.net>

Prev by Date: Re: Boot process related logs. What? Where?
Next by Date: Re: .deb packages and security
Previous by thread: Re: .deb packages and security
Next by thread: Re: .deb packages and security
Index(es):
- Date
- Thread