08-12-2008, 04:46 PM
Aniruddha

What is the best way to manage 3rd party debs?

There are several 3rd party debs (nero, cedega, barry) I want to
install. However from a security pov it doesn't seem wise to just
blindly install a deb. They can overwrite existing (core) system files
and possibly cause other harm. So here are some solutions I've come up
with.

1 Check the contents of the deb with deb-view prior to installing
2 And/or install the 3rd party deb in a Debian chroot

I wonder, are there more solutions? (I would love to be able to install
a deb as a local user). What about my solutions? Will they work? What is
the best way to manage 3rd party debs? Thanks in advance!


--
Regards,


Aniruddha



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
08-12-2008, 04:52 PM
"Steve C. Lamb"

What is the best way to manage 3rd party debs?

On Tue, Aug 12, 2008 at 06:46:51PM +0200, Aniruddha wrote:
> They can overwrite existing (core) system files and possibly cause other
> harm.

No, they can't. Not without your expressed consent...

{grey@igbuntu:~} dpkg --force-help
dpkg forcing options - control behaviour when problems found:
warn but continue: --force-<thing>,<thing>,...
stop with error: --refuse-<thing>,<thing>,... | --no-force-<thing>,...
Forcing things:
all [!] Set all force options
downgrade[*] Replace a package with a lower version
configure-any Configure any package which may help this one
hold Process incidental packages even when on hold
bad-path PATH is missing important programs, problems likely
not-root Try to (de)install things even when not root
overwrite Overwrite a file from one package with another
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^

...if they could there would be no reason for dpkg to have
--force-overwrite.

--
Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
PGP Key: 1FC01004 | main connection to the switchboard of souls.
-------------------------------+---------------------------------------------
 
08-12-2008, 05:28 PM
Aniruddha

What is the best way to manage 3rd party debs?

On Tue, 2008-08-12 at 12:52 -0400, Steve C. Lamb wrote:
> On Tue, Aug 12, 2008 at 06:46:51PM +0200, Aniruddha wrote:
> > They can overwrite existing (core) system files and possibly cause other
> > harm.
>
> No, they can't. Not without your expressed consent...
>
> {grey@igbuntu:~} dpkg --force-help
> dpkg forcing options - control behaviour when problems found:
> warn but continue: --force-<thing>,<thing>,...
> stop with error: --refuse-<thing>,<thing>,... | --no-force-<thing>,...
> Forcing things:
> all [!] Set all force options
> downgrade[*] Replace a package with a lower version
> configure-any Configure any package which may help this one
> hold Process incidental packages even when on hold
> bad-path PATH is missing important programs, problems likely
> not-root Try to (de)install things even when not root
> overwrite Overwrite a file from one package with another
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^
>
> ...if they could there would be no reason for dpkg to have
> --force-overwrite.
>

Well, that's another discussion altogether. To give you an idea why I am
asking this here's an excerpt from "Debian system concepts and
techniques" from Martin Krafft:


> checkinstall is limited in what it can do. To be precise, the packages it creates
> can only install files, and checkinstall does not care where it installs them. You
> can overwrite files in home directories with checkinstall, among other things. The
> generated packages cannot modify files. If the installation routine modifies existing
> files, they will be part of the generated package in their entirety. A horror scenario
> occurs when an installation routine adds a user by modification of /etc/passwd,
> which is subsequently included in the package. Installation of the package causes
> /etc/passwd to be completely replaced, and the deinstallation of the package removes
> the file, breaking the system in half.

Therefore I can imagine that debs not created by Debian devs can contain possibly disastrous changes.


--
Regards,


Aniruddha



 
08-12-2008, 06:41 PM
Hubert Chathi

What is the best way to manage 3rd party debs?

On Tue, 12 Aug 2008 12:52:07 -0400, "Steve C. Lamb" <grey@dmiyu.org> said:

> On Tue, Aug 12, 2008 at 06:46:51PM +0200, Aniruddha wrote:
>> They can overwrite existing (core) system files and possibly cause
>> other harm.

> No, they can't. Not without your expressed consent...
[...]

They can't, if they just use the normal Debian archive contents.
However, packages can do all sorts of things via installation scripts.

Then again, the package could hide all sorts of things. (Think:
trojaned binary.) If you don't trust your package source, you shouldn't
install their packages.

--
Hubert Chathi <uhoreg@debian.org> -- Jabber: hubert@uhoreg.ca
PGP/GnuPG key: 1024D/124B61FA http://www.uhoreg.ca/
Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA


 
08-12-2008, 07:49 PM
"Eugene V. Lyubimkin"

What is the best way to manage 3rd party debs?

Aniruddha wrote:
> On Tue, 2008-08-12 at 14:41 -0400, Hubert Chathi wrote:
>>> No, they can't. Not without your expressed consent...
>> [...]
>>
>> They can't, if they just use the normal Debian archive contents.
>> However, packages can do all sorts of things via installation scripts.
>>
>> Then again, the package could hide all sorts of things. (Think:
>> trojaned binary.) If you don't trust your package source, you shouldn't
>> install their packages.
>
> I'm not worried about a malicious packages. I am more concerned that a
> 3rd party deb damages the system by mistake.
>
> By default I install all 3rd party binary and source packages in a
> ~/programs folder. That way I don't have to worry about fubaring my
> system.
>
> I like to do something like that for deb packages too. Who knows a good
> solution?
>
>
If a 3rd party deb doesn't contain a 'Replaces' field, dpkg will refuse any attempt to break any
file owned by existing packages.

--
Eugene V. Lyubimkin aka JackYF, Ukrainian C++ developer.
 
08-12-2008, 07:51 PM
Aniruddha

What is the best way to manage 3rd party debs?

On Tue, 2008-08-12 at 14:41 -0400, Hubert Chathi wrote:
> > No, they can't. Not without your expressed consent...
> [...]
>
> They can't, if they just use the normal Debian archive contents.
> However, packages can do all sorts of things via installation scripts.
>
> Then again, the package could hide all sorts of things. (Think:
> trojaned binary.) If you don't trust your package source, you shouldn't
> install their packages.

I'm not worried about malicious packages. I am more concerned that a
3rd party deb damages the system by mistake.

By default I install all 3rd party binary and source packages in a
~/programs folder. That way I don't have to worry about fubaring my
system.

I like to do something like that for deb packages too. Who knows a good
solution?


--
Regards,


Aniruddha



 
08-12-2008, 08:42 PM
Aniruddha

What is the best way to manage 3rd party debs?

On Tue, 2008-08-12 at 22:49 +0300, Eugene V. Lyubimkin wrote:
> If 3rd party deb doesn't contain 'Replaces' field, dpkg will refuse any try to break any
> file owned by existing packages.
>

That sounds good, but what about a deb created by checkinstall?
According to Martin Krafft this can still seriously wreck your system?!



--
Regards,


Aniruddha



 
08-12-2008, 08:49 PM
"Eugene V. Lyubimkin"

What is the best way to manage 3rd party debs?

Aniruddha wrote:
> On Tue, 2008-08-12 at 22:49 +0300, Eugene V. Lyubimkin wrote:
>> If 3rd party deb doesn't contain 'Replaces' field, dpkg will refuse any try to break any
>> file owned by existing packages.
>>
>
> That sounds good, but what about a deb created by checkinstall?
> According to Martin Krafft this can still seriously wreck your system?!
Yes, it can. You can, however, try to use checkinstall in chroot.

--
Eugene V. Lyubimkin aka JackYF, Ukrainian C++ developer.
 
08-12-2008, 09:04 PM
martin f krafft

What is the best way to manage 3rd party debs?

also sprach Aniruddha <mailing_list@orange.nl> [2008.08.12.1742 -0300]:
> On Tue, 2008-08-12 at 22:49 +0300, Eugene V. Lyubimkin wrote:
> > If 3rd party deb doesn't contain 'Replaces' field, dpkg will
> > refuse any try to break any file owned by existing packages.
>
> That sounds good, but what about a deb created by checkinstall?
> According to Martin Krafft this can still seriously wreck your
> system?!

If a checkinstall created package somehow modifies a file (like
/etc/passwd) during the installation, then that file will be removed
when the package is deinstalled. I think that was the only real
problem with checkinstall.

--
.'`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, author, administrator, and user
`. `'` http://people.debian.org/~madduck - http://debiansystem.info
`- Debian - when you have better things to do than fixing systems

"nicht durch zorn, sondern durch lachen tötet man."
- friedrich nietzsche
 
08-12-2008, 10:31 PM
Aniruddha

What is the best way to manage 3rd party debs?

On Tue, 2008-08-12 at 18:04 -0300, martin f krafft wrote:
> If a checkinstall created package somehow modifies a file (like
> /etc/passwd) during the installation, then that file will be removed
> when the package is deinstalled. I think that was the only real
> problem with checkinstall.
>

If you don't mind I quote from your own book ^^

> checkinstall is limited in what it can do. To be precise, the
> packages it creates can only install files, and checkinstall does not
> care where it installs them. You can overwrite files in home
> directories with checkinstall, among other things.

I wonder what you recommend as the best way to install 3rd party debs
(such as cedega, nero, barry)? What is a safe way to install them
without risk of b0rking my system?

If it was up to me I'd install them as a local user in my home folder
just as I do with source packages and other binaries. But afaik this
isn't possible.

Or are there things I should pay attention to when inspecting a deb
file? Are there telltale signs a deb file can cause trouble? Thanks in
advance.





--
Regards,


Aniruddha


P.S. (OT)
What happened to your site? ( http://debiansystem.info/ )
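
An added example, not part of the thread or any poster's code: a read-only Python audit of a .deb that never unpacks it to disk or runs its scripts, and reports the three things the replies above point at (installation scripts, the 'Replaces' field, files some installed package already owns). The sample package, the `owned_paths` set and all function names are constructed for illustration; gzip, bzip2 or xz tar members are assumed.

```python
import io, posixpath, tarfile
SCRIPTS = {"preinst", "postinst", "prerm", "postrm", "config"}

def ar_members(blob):  # yields (name, data) per member of the ar container
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        name = blob[pos:pos + 16].decode().rstrip(" /")
        size = int(blob[pos + 48:pos + 58].decode())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # members are padded to even offsets

def audit_deb(blob, owned_paths):
    """Report maintainer scripts, control fields and already-owned files."""
    report = {"scripts": [], "fields": {}, "collisions": []}
    for name, data in ar_members(blob):
        if not name.startswith(("control.tar", "data.tar")):
            continue
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
        for m in tar:
            path = posixpath.normpath("/" + m.name)
            if name.startswith("data.tar"):
                if not m.isdir() and path in owned_paths:
                    report["collisions"].append(path)  # file some package owns
            elif path[1:] in SCRIPTS:
                report["scripts"].append(path[1:])  # code run at (de)install
            elif path == "/control":
                for line in tar.extractfile(m).read().decode().splitlines():
                    key, sep, value = line.partition(":")
                    if sep and not line[0].isspace():  # skip continuations
                        report["fields"][key] = value.strip()
    return report

def _tar(files):  # gzip tarball built in memory for the constructed sample
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo("./" + name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def build_sample_deb():  # constructed: /etc/passwd + postinst, no Replaces
    control = _tar({"control": b"Package: demo\n", "postinst": b"#!/bin/sh\n"})
    data = _tar({"etc/passwd": b"x", "opt/demo/bin/demo": b"x"})
    parts = {"debian-binary": b"2.0\n", "control.tar.gz": control, "data.tar.gz": data}
    return b"!<arch>\n" + b"".join(
        f"{n:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(d):<10}`\n".encode()
        + d + b"\n" * (len(d) & 1) for n, d in parts.items())
```

On the constructed sample, `audit_deb(build_sample_deb(), {"/etc/passwd"})` reports a `postinst` script, no `Replaces` field and a collision on `/etc/passwd`. On a Debian system `dpkg-deb --info` and `dpkg-deb --contents` show the same data, and the owned paths can be collected from `/var/lib/dpkg/info/*.list`.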



 
