some sort of validation about a .deb package when a .deb package is installed.
I had asked this at
but am just putting it here for the record. If there is a bug or feature request
already opened about the issue, please direct me to it; if not, would
a bug report be entertained?
I was not able to elaborate my query as time was short hence
Sometimes, you go to a remote location and need to install a package
or group of packages and internet is not available. So the only way
I'm able to install the package or group of packages is by doing
$ sudo dpkg -i filename.deb filename2.deb and so on and so forth
$ sudo apt install filename.deb filename2.deb
Now for the sake of argument and to make it easier, let's also assume
that the package index is updated remotely. If nothing else then just
copying the lists which are generated and kept in /var/lib/apt/lists .
If both systems share the same hardware architecture, i.e. i386 or
amd64, then there shouldn't be any problem. At least there hasn't been,
as I have done it in a few places.
Now the only problem is when I'm installing the .deb package either
using dpkg or apt install there doesn't seem to be a way to know that
the package hasn't been compromised in any way or is there?
I am assuming and presuming that the package lists at
/var/lib/apt/lists have not just the name, release version and
description but also checksums such as md5, sha1sum, sha256sum and so
on and so forth.
Most of the tools do show that information, for instance -
[$] axi-cache show apt
Maintainer: APT Development Team <email@example.com>
Replaces: apt-utils (<< 1.3~exp2~), bash-completion (<<
1:2.1-4.2+fakesync1), manpages-it (<< 2.80-4~), manpages-pl (<<
20060617-3~), openjdk-6-jdk (<< 6b24-1.11-0ubuntu1~), sun-java5-jdk
(>> 0), sun-java6-jdk (>> 0)
Depends: libapt-pkg5.0 (>= 1.3~pre2), libc6 (>= 2.15), libgcc1 (>=
1:3.0), libstdc++6 (>= 5.2), init-system-helpers (>= 1.18~),
debian-archive-keyring, gpgv | gpgv2, adduser
Recommends: gnupg | gnupg2
Suggests: aptitude | synaptic | wajig, dpkg-dev (>= 1.17.2), apt-doc,
Breaks: apt-utils (<< 1.3~exp2~), manpages-it (<< 2.80-4~),
manpages-pl (<< 20060617-3~), openjdk-6-jdk (<< 6b24-1.11-0ubuntu1~),
sun-java5-jdk (>> 0), sun-java6-jdk (>> 0)
Description-en: commandline package manager
This package provides commandline tools for searching and
managing as well as querying information about packages
as a low-level access to all features of the libapt-pkg library.
* apt-get for retrieval of packages and information about them
from authenticated sources and for installation, upgrade and
removal of packages together with their dependencies
* apt-cache for querying available information about installed
as well as installable packages
* apt-cdrom to use removable media as a source for packages
* apt-config as an interface to the configuration settings
* apt-key as an interface to manage authentication keys
Tag: admin::package-management, devel::lang:ruby, hardware::storage,
hardware::storage:cd, implemented-in::c++, implemented-in::perl,
implemented-in::ruby, interface::commandline, network::client,
protocol::ftp, protocol::http, protocol::ipv6, role::program,
scope::application, scope::utility, sound::player, suite::debian,
use::downloading, use::organizing, use::searching, works-with::audio,
Now when installation is happening and the index is updated, if I do
either a $ sudo dpkg -i Packagename.deb or $ sudo apt install
packagename.deb, is there some checksumming to know if the package
being installed is correct or fishy?
What if I were an evil man. I could easily extract the archived .deb
package, extract it, add my evil thingie (say a key logger), re-pack
it and then copy the same onto the other person's lappy without him
knowing (a classic man-in-the-middle attack). Even if the sha256sum is
there, as can be seen by invoking any package name in $ axi-cache show
$PACKAGE-NAME, it wouldn't trigger that a false .deb has been trying to
install. Is this true?
Looking forward to knowing more.
Shirish Agarwal शिरीष अग्रवाल
My quotes in this email licensed under CC 3.0
EB80 462B 08E1 A0DE A73A 2C2F 9F3D C7A4 E1C4 D2D8
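The check the question asks about, as an added example that is not part of the original mail: parse the stanzas of a Packages file of the kind kept under /var/lib/apt/lists, look up the package by name, version and architecture, and compare the local .deb's size and SHA-256 against the index before installing. The index text, the .deb bytes and the version numbers below are constructed sample data; the Size and SHA256 field names are the ones real Packages files use.

```python
import hashlib
import hmac
import re

def parse_packages_index(text):
    """Parse the stanzas of a Packages file (format used under
    /var/lib/apt/lists) into a dict keyed by (Package, Version, Architecture)."""
    entries = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace():          # continuation line (e.g. Description body)
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" in fields:
            entries[(fields["Package"], fields.get("Version"), fields.get("Architecture"))] = fields
    return entries

def verify_deb(deb_bytes, package, version, arch, index):
    """Return (ok, reason). ok is True only when the index lists this exact
    package/version/arch and both its Size and SHA256 fields match the file."""
    entry = index.get((package, version, arch))
    if entry is None:
        return False, "package/version/arch not in index"
    if int(entry.get("Size", -1)) != len(deb_bytes):
        return False, "size mismatch"
    digest = hashlib.sha256(deb_bytes).hexdigest()
    if not hmac.compare_digest(digest, entry.get("SHA256", "").lower()):
        return False, "sha256 mismatch"
    return True, "ok"

# Constructed sample: a stand-in for apt_1.3~pre2_amd64.deb (not a real ar
# archive) and the same bytes after being unpacked, modified and re-packed
# without changing the size.
GOOD_DEB = b"!<arch>\nconstructed stand-in for apt_1.3~pre2_amd64.deb\n"
TAMPERED_DEB = GOOD_DEB.replace(b"stand-in", b"stand-on")

# Constructed index stanzas; the first carries the digest of GOOD_DEB, as the
# lists copied from a trusted, freshly updated machine would.
SAMPLE_INDEX = f"""Package: apt
Version: 1.3~pre2
Architecture: amd64
Size: {len(GOOD_DEB)}
SHA256: {hashlib.sha256(GOOD_DEB).hexdigest()}

Package: dpkg
Version: 1.18.10
Architecture: amd64
Size: 1
SHA256: {'0' * 64}
"""
INDEX = parse_packages_index(SAMPLE_INDEX)
```

The comparison is only as trustworthy as the copied lists themselves, so the Release/InRelease signature on the index must be verified (for example with gpgv against debian-archive-keyring) before its hashes are relied on.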