Request for simplified instructions for downloading and installing .tar.gz applications - Ventoy

Tom Mitchell niftyubuntu at niftyegg.com
Tue Aug 2 19:56:05 UTC 2022


On Mon, Aug 1, 2022 at 10:17 PM Bret Busby <bret at busby.net> wrote:
>
>
> Whilst I have been using Linux, of various distributions, for a couple
...
> applications that are only available as .tar.gz files.
>
> Now, this ventoy thing has appeared (and, has previously been
> discussed),

Been discussed before... now I need to look.

There is no easy and safe way to install a tar archive of files without
it being sourced from a very trusted source.

In this case a VERY VERY trusted source.
It is a mini distribution unto itself and has all the risks of a distro.

Step zero: back up the system, in a way you know, trust, understand and
can verify.
Step one: before uncompressing, verify the checksum of the file!
Step two: Create a no-privilege account.
Step three: log out and log in with the no-privilege account.
Step four: check the contents of the gz file. Make sure there is no
Trojan horse appended to useful stuff.
Step five: Check the contents of the archive with tar -t or tar --list, or
    % tar -tvzf file.tgz
   Inspect the files for executables, locations, owners and
permissions that are unexpected.
Step six: in a dir constrained to this user directory, extract and inspect.
Step seven: there is an install script or tool. Inspect it.
Step eight: install it; run and load a USB stick or two.
Step nine: log out, log back in and let system verification checks run.
Step ten: load images on it and have fun.

N.B. when you boot it, it has physical access to the machine and
anything copied to it can just run.

Opinion... It is a very cool idea. I am off to clone the git tree
and give it a hard look, perhaps build my own tar archive.
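
Added example, not part of the original post: steps one, four and five of the list above done in Python without extracting anything, checking the checksum, bytes appended after the gzip stream, and archive members with unexpected locations or permissions. The function names, the size cap and the sample archive are assumptions constructed for illustration.

```python
import hashlib, io, stat, tarfile, zlib
from pathlib import PurePosixPath

MAX_TAR_BYTES = 512 * 1024 * 1024  # assumed cap against decompression bombs

def escapes(path: str) -> bool:
    p = PurePosixPath(path)
    return p.is_absolute() or ".." in p.parts

def audit_tar_gz(data: bytes, expected_sha256: str) -> list[str]:
    """Steps one, four and five: report findings without extracting anything."""
    if hashlib.sha256(data).hexdigest() != expected_sha256.lower():
        return ["checksum mismatch: stop here"]
    findings = []
    gz = zlib.decompressobj(wbits=31)  # 31 selects the gzip container
    tar_bytes = gz.decompress(data, MAX_TAR_BYTES)
    if not gz.eof:
        return ["gzip stream truncated or larger than the cap"]
    if gz.unused_data:  # step four: something rides along after the stream
        findings.append(f"{len(gz.unused_data)} bytes appended after gzip stream")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for m in tf:  # step five: reads headers only, writes nothing to disk
            if escapes(m.name):
                findings.append(f"path outside extraction dir: {m.name}")
            if (m.issym() or m.islnk()) and escapes(m.linkname):
                findings.append(f"link target outside extraction dir: {m.name} -> {m.linkname}")
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(f"setuid/setgid: {m.name}")
            if m.isfile() and m.mode & 0o111:
                findings.append(f"executable, review before running: {m.name}")
    return findings

def build_sample() -> bytes:
    """Constructed sample archive (not a real release) with planted problems."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, mode in [("app/README", 0o644), ("app/install.sh", 0o755),
                           ("app/helper", 0o4755), ("../outside.txt", 0o644)]:
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, 2
            tf.addfile(info, io.BytesIO(b"x\n"))
        link = tarfile.TarInfo("app/conf")
        link.type, link.linkname = tarfile.SYMTYPE, "/etc/hostname"
        tf.addfile(link)
    return buf.getvalue() + b"#!/bin/sh\n"  # constructed trailing bytes

if __name__ == "__main__":
    sample = build_sample()
    print("\n".join(audit_tar_gz(sample, hashlib.sha256(sample).hexdigest())))
```

In real use the expected SHA-256 comes from the publisher's release page over a separate channel, not from the downloaded file as in the demo run.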




More information about the ubuntu-users mailing list