Downloaded .deb safe?

Stanislas Breton stanislas_breton at yahoo.co.uk
Sat Apr 12 22:07:59 BST 2008


Donn wrote:
>> practice and inspect the source code. If you're unable to inspect the
>> source code, or don't consider yourself technically competent to inspect
>> the source code for possible malware content, then don't install it.
>>
>
> But the deb is a compiled file and may have been made malicious by changing 
> the code before producing the deb. It's a real conundrum that can only be 
> solved by trust and that means using trusted repos or compiling the source 
> manually.
>
> \d

Well, quite. The only relatively sure means of installing a safe package
is to either inspect and compile the source code yourself, or have it
audited for vulnerabilities by someone with a hell of a lot to lose ;)

Where this leaves Ubuntu's support for "Restricted Drivers" or the
contents of Canonical's commercial repository is an interesting question!

More information about the kubuntu-users mailing list