 
Old 08-13-2008, 04:01 PM
"Steve C. Lamb"
 
Default What is the best way to manage 3rd party debs?

On Wed, Aug 13, 2008 at 09:12:01AM +0200, Aniruddha wrote:
> I'm not worried about purposeful malicious intent (otherwise I would
> just use a chroot). I want to prevent an accidentally badly built deb
> from wrecking my system.

Seriously, this is going 'round-and-'round. The true answer was given 2
days ago and still applies now.

If you don't trust the source of the deb, don't install it. Period.
There are many methods of checking what debs might do but many of them really
are you checking source. However instead of source of the program it's source
of the deb. You're pitting your knowledge and expertise against the
maintainer of the deb and, to be perfectly honest, if you cannot answer this
question nor accept the answers given after 3 days of spinning your wheels
then the chances of you catching anything other than the most obvious of
errors are nil. Obvious errors, btw, that are most likely caught by the deb
maintainer in the testing and build process.

If you are really, really, REALLY worried about the integrity of your
system and not going to take the advice of not installing debs you don't trust
here's the only answer for you.

Install VirtualBox, build a test machine, put your normal packages on
there, archive the image, get the deb and install it. If the VM isn't borked
it's clear, rearchive the updated image, install the deb on your real machine.
If it is borked, unpack the image to get back to a clean test environment.
That is the only practical way to test the stability of debs in the manner
you're looking for because it is no longer you trying to theorize what might
happen. It is now you directly observing what does happen. A far easier
thing to do.

--
Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
PGP Key: 1FC01004 | main connection to the switchboard of souls.
-------------------------------+---------------------------------------------
 
Old 08-13-2008, 07:47 PM
Aniruddha
 
Default What is the best way to manage 3rd party debs?

On Wed, 2008-08-13 at 23:50 +0900, Osamu Aoki wrote:

> PS: Please remember that installing a package created by someone is giving
> the packager full root authority over your machine.
>
>

Thanks for the tips and for reminding me of the dangers ^^ .


--
Regards,


Aniruddha



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 08-13-2008, 07:50 PM
Aniruddha
 
Default What is the best way to manage 3rd party debs?

On Wed, 2008-08-13 at 12:01 -0400, Steve C. Lamb wrote:
> On Wed, Aug 13, 2008 at 09:12:01AM +0200, Aniruddha wrote:
> > I'm not worried about purposeful malicious intent (otherwise I would
> > just use a chroot). I want to prevent an accidentally badly built deb
> > from wrecking my system.

> Install VirtualBox, build a test machine, put your normal packages on
> there, archive the image, get the deb and install it. If the VM isn't borked
> it's clear, rearchive the updated image, install the deb on your real machine.
> If it is borked, unpack the image to get back to a clean test environment.
> That is the only practical way to test the stability of debs in the manner
> you're looking for because it is no longer you trying to theorize what might
> happen. It is now you directly observing what does happen. A far easier
> thing to do.
>

Using virtualbox is a great idea, thanks! Coming from Gentoo I have to
get used to the whole binary thingy. Thanks for helping me understand.

--
Regards,


Aniruddha



 
Old 08-13-2008, 09:27 PM
Aniruddha
 
Default What is the best way to manage 3rd party debs?

On Wed, 2008-08-13 at 09:08 +0200, Aniruddha wrote:
> Thanks, I'm beginning to understand now. To make it more concrete I've
> written down what I think is the correct procedure to check deb files:
>
> 1) Run 'dpkg-deb -e *.deb' and read postinst, postrm, preinst, prerm to
> check if it contains the sentence '/etc'.
>
> 2) Run 'dpkg-deb -x *.deb' and check if it doesn't overwrite anything in
> ' /etc' (or other important locations).
>
> Is this correct? Thanks!
>

I've also tried the dpkg --instdir= and --root=/ options in
combination with fakeroot, but this didn't work.


> # dpkg --instdir=/home/aniruddha/Programs -i nerolinux-3.5.1.0-x86.deb
> dpkg: `ldconfig' not found on PATH.
> dpkg: `start-stop-daemon' not found on PATH.
> dpkg: `install-info' not found on PATH.
> dpkg: `update-rc.d' not found on PATH.
> dpkg: 4 expected program(s) not found on PATH.
> NB: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.

--
Regards,


Aniruddha



 
Old 08-25-2008, 03:38 PM
Osamu Aoki
 
Default What is the best way to manage 3rd party debs?

On Wed, Aug 13, 2008 at 09:12:01AM +0200, Aniruddha wrote:
> On Tue, 2008-08-12 at 20:25 -0400, Joey Hess wrote:
> > martin f krafft wrote:
> > If these examples didn't make sense to someone, don't install third party
> > packages from untrusted sources, no matter how much checking you do.
> >
> I'm not worried about purposeful malicious intent (otherwise I would
> just use a chroot). I want to prevent an accidentally badly built deb
> from wrecking my system.

So far, badly created {post|pre}{inst|rm} scripts have been the source of
trouble in this respect for me with Debian unstable itself.

A non-Debian package's quality check in this respect can be done
relatively simply by using mc to look into the binary package. But you
never know what the binary files do when executed unless you check
the source.

If you feel it needs to be inspected, I think it is time to rebuild it
yourself and run lintian etc. to test its compliance with Debian policy.

Regards,

Osamu

PS: Please remember that installing a package created by someone is giving
the packager full root authority over your machine.


 
Old 08-25-2008, 03:39 PM
Osamu Aoki
 
Default What is the best way to manage 3rd party debs?

On Wed, Aug 13, 2008 at 09:08:07AM +0200, Aniruddha wrote:
> On Tue, 2008-08-12 at 20:44 -0300, martin f krafft wrote:
> > also sprach Aniruddha <mailing_list@orange.nl> [2008.08.12.2023 -0300]:
> > > If I understand you correctly I can install deb from any 3rd party provider without fear of b0rking my system. If this is true I don't understand why you warn
> > > against checkinstall.
> >
> > checkinstall is used to create deb files and it's broken.
> >
> > If you install a third party deb, you should inspect its contents
> > exactly to make sure it doesn't touch files in /etc. Also check the
> > hooks. If there are no problems, then it's probably safe.
> >
>
> Thanks, I'm beginning to understand now. To make it more concrete I've
> written down what I think is the correct procedure to check deb files:
>
> 1) Run 'dpkg-deb -e *.deb' and read postinst, postrm, preinst, prerm to
> check if it contains the sentence '/etc'.
>
> 2) Run 'dpkg-deb -x *.deb' and check if it doesn't overwrite anything in
> ' /etc' (or other important locations).
>
> Is this correct? Thanks!

Sort of ... but I usually focus the package file in mc and hit the return key.
That takes less typing.

Osamu
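
The two checks discussed in this thread (read the maintainer scripts for references to /etc, and see which files the package ships under /etc), as an added shell example that is not part of any poster's message. The function names and the ROOT parameter are hypothetical helpers; only `dpkg-deb -e` and `dpkg-deb -c` are real commands, and neither runs anything from the package.

```shell
#!/bin/sh
# Added example: static pre-install checks for a third-party .deb.
# Helper names and the ROOT argument are hypothetical, not from the thread.

# Print "script:line:text" for every maintainer-script line mentioning /etc.
# $1 = directory produced by `dpkg-deb -e pkg.deb DIR`
scripts_touching_etc() {
    for s in preinst postinst prerm postrm; do
        [ -f "$1/$s" ] || continue
        grep -n '/etc' "$1/$s" | sed "s|^|$s:|"
    done
    return 0
}

# Read `dpkg-deb -c pkg.deb` output on stdin; print shipped paths under /etc
# (directories skipped). Assumes path names contain no whitespace.
etc_paths() {
    awk '$1 !~ /^d/ && $6 ~ /^\.\/etc\// { print substr($6, 2) }'
}

# Read absolute paths on stdin; print those that already exist under ROOT
# ($1, default /), i.e. files that unpacking the package would replace.
existing_under() {
    root=${1:-/}
    while IFS= read -r p; do
        if [ -e "${root%/}$p" ]; then printf '%s\n' "$p"; fi
    done
}

# Run both checks against a real package file without installing it.
audit_deb() {
    deb=$1
    tmp=$(mktemp -d) || return 1
    dpkg-deb -e "$deb" "$tmp/DEBIAN" || { rm -rf "$tmp"; return 1; }
    echo "== maintainer-script lines mentioning /etc =="
    scripts_touching_etc "$tmp/DEBIAN"
    echo "== shipped /etc files that already exist on this system =="
    dpkg-deb -c "$deb" | etc_paths | existing_under /
    rm -rf "$tmp"
}

if [ "$#" -gt 0 ]; then audit_deb "$1"; fi
```

Empty output from both sections only means these two static checks found nothing; the maintainer scripts still run as root at install time, so the remaining lines are worth reading in full.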


 
