Downloaded .deb safe?

Myriam Schweingruber schweingruber at pharma-traduction.ch
Sun Apr 13 14:17:35 BST 2008


On 13/04/2008, Martin Laberge <mlsoft at videotron.ca> wrote:
> On Saturday 12 April 2008 14:48:31 Nigel Ridley wrote:
>  > How does one make sure that a downloaded .deb is safe? I mean, how does one make sure that
>  > there are no malicious payloads etc.?
>  > The file in question is the winff-0.41-i386.deb downloaded from:
>  > http://www.winff.org/
>  >
>  > It looks like a very useful app (for my daughter's 'chipod' (Chinese MP4)) but I want to
>  > make sure it is safe before installing it.

Well, one should at least point out that if you use the official
sources of a distribution, the packages usually are signed, which adds
a level of trust. This simply means that the package has indeed been
uploaded to the archive by an "official". As the signature is a
GPG-Key, it's most unlikely that this file has been corrupted by any
other person than the signer.

All packages in the official Ubuntu and Debian archives are signed, so
it really is not necessary to worry too much about these :)

Now, anything coming from the outside is indeed far more risky...

Greets

Myriam
-- 
Protect your freedom, join the Fellowship of FSFE!
http://www.fsfe.org
Please don't send me proprietary file formats,
use ISO standard ODF instead (ISO/IEC 26300)
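
The check that a signed archive makes possible, as an added example that is not part of the original message: in an apt archive the GPG signature is made over the Release file, which lists the hash of each Packages index, which in turn lists the hash of each .deb. The sketch assumes the Release signature has already been verified (for instance with gpgv); the function names and all sample data are constructed for illustration.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def stanzas(text):
    """Parse Debian control-format text into one dict per stanza."""
    out = []
    for block in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:      # continuation line
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        out.append(fields)
    return out

def verify_deb(release, index_path, packages, deb_name, deb):
    """Walk Release -> Packages -> .deb; return (ok, reason)."""
    listed = {}
    for line in stanzas(release)[0].get("SHA256", "").splitlines():
        parts = line.split()
        if len(parts) == 3:                          # "<sha256> <size> <path>"
            listed[parts[2]] = (parts[0], int(parts[1]))
    if listed.get(index_path) != (sha256(packages), len(packages)):
        return False, "Packages index does not match Release"
    for s in stanzas(packages.decode()):
        if s.get("Filename", "").rsplit("/", 1)[-1] == deb_name:
            if (s.get("SHA256"), s.get("Size")) == (sha256(deb), str(len(deb))):
                return True, "matches signed index"
            return False, "hash or size differs from index"
    return False, "not listed in index"

def build_sample(deb):
    """Constructed sample archive metadata for one package (not real data)."""
    packages = (
        "Package: example\nVersion: 1.0\n"
        "Filename: pool/main/e/example/example_1.0_i386.deb\n"
        f"Size: {len(deb)}\nSHA256: {sha256(deb)}\n"
    ).encode()
    path = "main/binary-i386/Packages"
    release = f"Suite: sample\nSHA256:\n {sha256(packages)} {len(packages)} {path}\n"
    return release, path, packages

if __name__ == "__main__":
    good = b"constructed package bytes"
    release, path, packages = build_sample(good)
    print(verify_deb(release, path, packages, "example_1.0_i386.deb", good))
    print(verify_deb(release, path, packages, "example_1.0_i386.deb", good + b"!"))
    print(verify_deb(release, path, packages, "winff-0.41-i386.deb", good))
```

A .deb fetched from outside the archive falls into the last case: no signed index vouches for it, so its trust rests entirely on where it was downloaded from.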


