04-12-2008, 06:48 PM
Nigel Ridley

Downloaded .deb safe?

How does one make sure that a downloaded .deb is safe? I mean, how does one make sure that
there are no malicious payloads etc.?
The file in question is the winff-0.41-i386.deb downloaded from:
http://www.winff.org/

It looks like a very useful app (for my daughter's 'chipod' (Chinese MP4)) but I want to
make sure it is safe before installing it.

Blessings,

Nigel

--
OliveRoot Ministries
http://www.oliveroot.net/

PrayingForIsrael.net
http://www.prayingforisrael.net/



--
kubuntu-users mailing list
kubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/kubuntu-users
 
04-12-2008, 08:39 PM
Stanislas Breton

Downloaded .deb safe?

Nigel Ridley wrote:
> How does one make sure that a downloaded .deb is safe? I mean, how does one make sure that
> there are no malicious payloads etc.?
> The file in question is the winff-0.41-i386.deb downloaded from:
> http://www.winff.org/
>
> It looks like a very useful app (for my daughter's 'chipod' (Chinese MP4)) but I want to
> make sure it is safe before installing it.
>
> Blessings,
>
> Nigel

If security's a paramount concern, follow long-standing Unix security
practice and inspect the source code. If you're unable to inspect the
source code, or don't consider yourself technically competent to inspect
the source code for possible malware content, then don't install it.

 
04-12-2008, 08:54 PM
Donn

Downloaded .deb safe?

> practice and inspect the source code. If you're unable to inspect the
> source code, or don't consider yourself technically competent to inspect
> the source code for possible malware content, then don't install it.

But the deb is a compiled file and may have been made malicious by changing
the code before producing the deb. It's a real conundrum that can only be
solved by trust and that means using trusted repos or compiling the source
manually.

d

 
04-12-2008, 09:07 PM
Stanislas Breton

Downloaded .deb safe?

Donn wrote:
>> practice and inspect the source code. If you're unable to inspect the
>> source code, or don't consider yourself technically competent to inspect
>> the source code for possible malware content, then don't install it.
>>
>
> But the deb is a compiled file and may have been made malicious by changing
> the code before producing the deb. It's a real conundrum that can only be
> solved by trust and that means using trusted repos or compiling the source
> manually.
>
> d

Well, quite. The only relatively sure means of installing a safe package
is to either inspect and compile the source code yourself, or have it
audited for vulnerabilities by someone with a hell of a lot to lose.

Where this leaves Ubuntu's support for "Restricted Drivers" or the
contents of Canonical's commercial repository is an interesting question!

 
04-12-2008, 10:00 PM
Michael Leone

Downloaded .deb safe?

Stanislas Breton wrote:

> If security's a paramount concern, follow long-standing Unix security
> practice and inspect the source code. If you're unable to inspect the
> source code, or don't consider yourself technically competent to inspect
> the source code for possible malware content, then don't install it.

If he didn't feel competent to examine the source code, he'd never run
*ANY* OS. This includes Linux. Even if the source code is available (and
it is), I'm certainly not a competent programmer to examine everything
from the kernel on upwards, to things like Firefox and OpenOffice. Since
I'm not technically competent to inspect the source code for possible
malware, then I wouldn't run Linux.

By the practices you advocate above, I take it then that you've examined
all the source code of every application that you have installed? :-)

(I'm only teasing, but doing so to point out that the above is probably
not a practical answer ...)

 
04-12-2008, 11:50 PM
Stanislas Breton

Downloaded .deb safe?

Michael Leone wrote:
> Stanislas Breton wrote:
>
>
>> If security's a paramount concern, follow long-standing Unix security
>> practice and inspect the source code. If you're unable to inspect the
>> source code, or don't consider yourself technically competent to inspect
>> the source code for possible malware content, then don't install it.
>>
>
> If he didn't feel competent to examine the source code, he'd never run
> *ANY* OS. This includes Linux. Even if the source code is available (and
> it is), I'm certainly not a competent programmer to examine everything
> from the kernel on upwards, to things like Firefox and OpenOffice. Since
> I'm not technically competent to inspect the source code for possible
> malware, then I wouldn't run Linux.
>
> By the practices you advocate above, I take it then that you've examined
> all the source code of every application that you have installed? :-)
>
> (I'm only teasing, but doing so to point out that the above is probably
> not a practical answer ...)

But if you elect to adopt Linux, you also adopt its security culture, an
important element of which is that responsibility for security always
ultimately lies with the end user.

If to that end it proves necessary to defer judgment on technical
matters, then it should at least be to someone who either possesses the
specialized skills involved in security auditing, or to a downstream
developer who unfailingly defers to someone who does.

Of course, it follows from this that you should never trust distros that
countenance the inclusion of applications/kernel modules for which the
source code isn't open to general inspection...

 
04-13-2008, 11:29 AM
Martin Laberge

Downloaded .deb safe?

On Saturday 12 April 2008 14:48:31 Nigel Ridley wrote:
> How does one make sure that a downloaded .deb is safe? I mean, how does one make sure that
> there are no malicious payloads etc.?
> The file in question is the winff-0.41-i386.deb downloaded from:
> http://www.winff.org/
>
> It looks like a very useful app (for my daughter's 'chipod' (Chinese MP4)) but I want to
> make sure it is safe before installing it.
>
> Blessings,
>
> Nigel
>
> --
> OliveRoot Ministries
> http://www.oliveroot.net/
>
> PrayingForIsrael.net
> http://www.prayingforisrael.net/
>
>
>

Unless you read all the source, understand it, and compile
it yourself, with a compiler that you trust (compiled by you)
it is absolutely impossible to be sure of the program
you install.

BUT, no-one is able to read all the source code of all the
parts of all the programs that compose a system.

You are left with the possibility to trust someone, and not
trust others.

At least in Linux you have this possibility, to randomly check a
couple of programs, if you wish. With other systems (Win, Mac, ...)
you do not have that possibility, and you are left with
trust (or distrust).

The only non-infectable system I know (I have been at it for 30+ years)
is the system that is unplugged from the wall.

Even a pen and paper accounting system can be infected (by other means,
like the hand of your accounting person).

Like many already told, System Security is a Process, not a Goal.

A little bit of trust in trusted source, and a little bit of doubt...
Keep rolling......


--
Martin Laberge
mlsoft@videotron.ca
Tel. (418) 521-6823

 
04-13-2008, 01:17 PM
Myriam Schweingruber

Downloaded .deb safe?

On 13/04/2008, Martin Laberge <mlsoft@videotron.ca> wrote:
> On Saturday 12 April 2008 14:48:31 Nigel Ridley wrote:
> > How does one make sure that a downloaded .deb is safe? I mean, how does one make sure that
> > there are no malicious payloads etc.?
> > The file in question is the winff-0.41-i386.deb downloaded from:
> > http://www.winff.org/
> >
> > It looks like a very useful app (for my daughter's 'chipod' (Chinese MP4)) but I want to
> > make sure it is safe before installing it.

Well, one should at least point out that if you use the official
sources of a distribution, the packages usually are signed, which adds
a level of trust. This simply means that the package has indeed been
uploaded to the archive by an "official". As the signature is a
GPG-Key, it's most unlikely that this file has been corrupted by any
other person than the signer.

All packages in the official Ubuntu and Debian archives are signed, so
it really is not necessary to worry too much for these.

Now, anything coming from the outside is indeed far more risky...

Greets

Myriam
--
Protect your freedom, join the Fellowship of FSFE!
http://www.fsfe.org
Please don't send me proprietary file formats,
use ISO standard ODF instead (ISO/IEC 26300)

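The signing chain Myriam describes (and Willy relies on below) can be checked by hand. This is an added example, not code from the thread or from Ubuntu: in Debian-style archives the GPG signature is on the Release/InRelease file, which lists the hashes of the Packages indexes, which in turn record the SHA256 of every .deb. The script verifies that last link for a downloaded file; the sample index and fake .deb it builds are constructed, and the keyring path for the signature step is assumed to be supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. An Ubuntu/Debian archive does not sign
# each .deb; it signs the Release/InRelease file, which carries the hashes of
# the Packages indexes, which in turn carry the SHA256 of every .deb. Once the
# Release signature verifies, a matching SHA256 ties a .deb to the signer.

# verify_release INRELEASE KEYRING: the signature step. Needs gpg and a
# trusted keyring (assumed to be the distribution's archive keyring); not
# exercised by the offline demo below.
verify_release() {
    gpg --no-default-keyring --keyring "$2" --verify "$1"
}

# packages_sha256 PACKAGES NAME: print the SHA256 recorded for package NAME.
packages_sha256() {
    awk -v pkg="$2" '
        /^Package: /         { inpkg = ($2 == pkg) }
        inpkg && /^SHA256: / { print $2; exit }
    ' "$1"
}

# check_deb DEB PACKAGES NAME: 0 if the file hash matches the index entry,
# 1 on mismatch, 2 when the index has no entry (e.g. a third-party .deb).
check_deb() {
    expected=$(packages_sha256 "$2" "$3")
    [ -n "$expected" ] || { echo "no archive entry for $3" >&2; return 2; }
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# make_demo DIR: constructed sample data, not a real index. The fake .deb is
# the bytes "hello\n", whose SHA256 is the well-known value listed below.
make_demo() {
    printf 'hello\n' > "$1/demo-pkg_1.0_i386.deb"
    cat > "$1/Packages" <<'EOF'
Package: other-pkg
SHA256: 0000000000000000000000000000000000000000000000000000000000000000

Package: demo-pkg
Version: 1.0
SHA256: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
EOF
}

# Stand-alone run: the archive package verifies; a name the archive never
# published (like a third-party winff .deb) has nothing to check against.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); make_demo "$d"
    check_deb "$d/demo-pkg_1.0_i386.deb" "$d/Packages" demo-pkg && echo "demo-pkg: OK"
    check_deb "$d/winff-0.41-i386.deb" "$d/Packages" winff || echo "winff: no entry (rc=$?)"
    rm -rf "$d"
fi
```

Run as `sh check_deb.sh demo` for the offline walk-through; against a real mirror, run verify_release on the InRelease file first, then check the Packages index's own hash against the entry in InRelease before trusting its SHA256 lines.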
 
04-13-2008, 04:12 PM
Michael Leone

Downloaded .deb safe?

Martin Laberge wrote:

> Unless you read all the source, understand it, and compile
> it yourself, with a compiler that you trust (compiled by you)
> it is absolutely impossible to be sure of the program
> you install.
>
> BUT, no-one is able to read all the source code of all the
> parts of all the programs that compose a system.
>
> You are left with the possibility to trust someone, and not
> trust others.
>
> At least in Linux you have this possibility, to randomly check a
> couple of programs, if you wish. With other systems (Win, Mac, ...)
> you do not have that possibility, and you are left with
> trust (or distrust).

Not exclusively; there are many open source programs for the Win
platform, as well. OpenOffice, GIMP, all the GNU utilities are available
for Windows (I know, I use them in my scripts, sometimes). So it's not
*impossible*, but it is vastly harder.

 
04-14-2008, 06:06 AM
Willy Hamra

Downloaded .deb safe?

I find it impractical to read the source code of every program we get.
I mean, let's just say I want OpenOffice; that is basically tons of
source code to read!
As mentioned earlier, signed packages from official repos can always
be trusted. If the package comes from a third party, you can check
forums; surely there is a group of people who like the program and are
discussing it somewhere. If the program is getting some good
testimonies, then it has probably been tested by some people. Usually
instinct is a good thing in these decisions :P

On 4/13/08, Michael Leone <turgon@mike-leone.com> wrote:
> Martin Laberge wrote:
>
> > Unless you read all the source, understand it, and compile
> > it yourself, with a compiler that you trust (compiled by you)
> > it is absolutely impossible to be sure of the program
> > you install.
> >
> > BUT, no-one is able to read all the source code of all the
> > parts of all the programs that compose a system.
> >
> > You are left with the possibility to trust someone, and not
> > trust others.
> >
> > At least in Linux you have this possibility, to randomly check a
> > couple of programs, if you wish. With other systems (Win, Mac, ...)
> > you do not have that possibility, and you are left with
> > trust (or distrust).
>
> Not exclusively; there are many open source programs for the Win
> platform, as well. OpenOffice, GIMP, all the GNU utilities are available
> for Windows (I know, I use them in my scripts, sometimes). So it's not
> *impossible*, but it is vastly harder.
>
>
>
> --
> kubuntu-users mailing list
> kubuntu-users@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/kubuntu-users
>
