Re: trusting .deb packages
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On July 24, 2018 9:43 AM, Dan Ritter <dsr@randomstring.org> wrote:
> On Tue, Jul 24, 2018 at 10:45:38AM -0500, Anil Duggirala wrote:
>
> > I am thinking about installing the Mega.nz app on my Debian Stretch installation. They provide a .deb package. Is there anything I can do to ensure this is a safe package? To know that this package will not create a security vulnerability on my system? What is the minimum security procedure to follow when installing third party provided .deb packages?
>
> Do you trust the people who wrote it?
>
> Do they provide the source?
>
> Do they give you instructions on how to build the source into a
> package?
>
> Are you competent to read and understand the source?
>
> What do you stand to lose if you place your trust in them and it
> turns out that they were incompetent or evil?
>
> -dsr-
In addition to this, be sure not to break Debian:
https://wiki.debian.org/DontBreakDebian
https://wiki.debian.org/DebianSoftware#Footnotes
Personally, I have a low degree of trust for Mega.nz, so caveat emptor.