Am I willingly jeopardising my o/s security?


    Is it right to assume installing from a .deb file is safe? Is adding software from a personal or community PPA any better?
    Kubuntu 12.04 - Acer Aspire 5750G

    "I don't make a great deal of money, but I'm ok with that 'cause I don't hurt a lot of people in the process either"

    #2
    Hi....

    Not necessarily, in my opinion. I've even had Ubuntu warn me about this (I forgot the exact message) when I've installed software from places like this. I've done it to get the software I needed or wanted but I don't believe it's 100% safe.

    Regards...
    Our Lord and Savior Jesus Christ loves and cares about you most of all! http://peacewithgod.jesus.net/
    How do I know this personally? Please read here: https://www.linuxquestions.org/quest...hn-8-12-36442/
    PLEASE LISTEN TO THIS PODCAST! You don't have to end up here: https://soulchoiceministries.org/pod...i-see-in-hell/



      #3
      Originally posted by bra|10n
      Is it right to assume installing from a .deb file is safe?
      Short answer, no.

      A deb file can contain anything, and even though you can inspect a deb package to see what it wishes to install, most packages include compiled binaries and there's no way to tell what those do.

      Theoretically, it's not even safe to compile things yourself, unless you've read and understood the source code (and the source of your compiler, libraries etc.)...so obviously you have to place a "line of trust" somewhere if you wish to use your computer.

      Malicious deb files are relatively rare, though, so common sense goes a long way..."moneydoubler3000.deb" from a dubious website should ring the alarm bells.

      Obviously the safest method is not installing any 3rd party debs if you can help it...but just sticking to the official repos isn't 100% safe either (nothing really is 100% safe).
      Last edited by kubicle; May 04, 2012, 05:43 AM.
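
Added example, not part of kubicle's post: a .deb is an ar archive holding `control.tar.*` (metadata and the maintainer scripts dpkg runs as root) and `data.tar.*` (the files to install), so "inspecting what it wishes to install" can be done without unpacking anything to disk. The sample package is constructed in `sample_deb()`; the function names are this example's own, and only gzip, bzip2 and xz members are handled.

```python
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
SCRIPTS = {"preinst", "postinst", "prerm", "postrm", "config"}  # dpkg runs these as root

def ar_members(blob):
    """Yield (name, data) for each member of the ar archive that a .deb is."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]  # name[16] mtime[12] uid[6] gid[6] mode[8] size[10] magic[2]
        size = int(hdr[48:58].decode())
        yield hdr[:16].decode().strip().rstrip("/"), blob[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2  # member data is padded to an even length

def inspect_deb(blob):
    """Report maintainer scripts, installed paths and setuid/setgid files."""
    report = {"scripts": {}, "files": [], "setuid": []}
    for name, data in ar_members(blob):
        if not name.startswith(("control.tar", "data.tar")):
            continue
        with tarfile.open(fileobj=io.BytesIO(data)) as tar:  # compression auto-detected
            for m in filter(tarfile.TarInfo.isfile, tar.getmembers()):
                path = m.name.removeprefix("./")
                if name.startswith("control.tar") and path in SCRIPTS:
                    report["scripts"][path] = tar.extractfile(m).read().decode()
                elif name.startswith("data.tar"):
                    report["files"].append("/" + path)
                    if m.mode & 0o6000:  # setuid or setgid bit
                        report["setuid"].append("/" + path)
    return report

def _tar(name, data, mode):
    """One-file .tar.gz, used only to construct the sample below."""
    buf, info = io.BytesIO(), tarfile.TarInfo(name)
    info.size, info.mode = len(data), mode
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sample_deb():
    """Constructed package: a postinst script plus one setuid binary."""
    parts = [("debian-binary", b"2.0\n"),
             ("control.tar.gz", _tar("./postinst", b"#!/bin/sh\nuseradd demo\n", 0o755)),
             ("data.tar.gz", _tar("./usr/bin/demo", b"\x7fELF", 0o4755))]
    return AR_MAGIC + b"".join(
        f"{n:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(d):<10}`\n".encode() + d + b"\n" * (len(d) % 2)
        for n, d in parts)
```

The report shows which scripts would execute with root privileges and which files would land where; as the post says, it cannot tell you what a compiled binary does once it runs.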



        #4
        Well I did some reading about deb packages and excuse me in advance for oversimplifying this but as I understood it, a deb file contains a data archive of the essential files needed to build a package.
        The other files included in the deb are generated as a result of building the deb package itself if I remember correctly.

        So my question is, why can't we build deb packages from inside Launchpad or some similar safe environment, putting together all the various bits 'n' pieces needed just like a recipe, and then ideally hit a button labelled "Make deb Now?"

        Is this in any way feasible or have I got the whole concept wrong?


          #5
          Originally posted by bra|10n
          So my question is, why can't we build deb packages from inside Launchpad or some similar safe environment, putting together all the various bits 'n' pieces needed just like a recipe, and then ideally hit a button labelled "Make deb Now?"
          Building deb packages from source isn't that hard and there are tools that help creating them (for example, software that is available on the ubuntu repos can be built into a deb package with 'apt-get source --compile <package>' if the source repos are enabled)...that's what the ubuntu build-servers do 24/7, compile uploaded source packages into deb packages.

          Building your own debs from the ubuntu repos doesn't mean much security-wise, though. If you're willing to trust the source code in the ubuntu repos (as most people are) you can reasonably trust the debs built as well (even if you don't build them yourselves).
          Last edited by kubicle; May 04, 2012, 08:32 AM.



            #6
            The situation is possibly that of "chain of evidence".

            There are many "bleeding edge" distros, #! comes to mind, that have VERY experienced people in them who make .deb packages as easily as I make a cup of instant coffee. And if one spends time at the fora one sees that the people have "known each other" for a long time and trust the debs that the various people make.

            If one trusts the original file and the intermediate builds in the chain then one can trust the final product.

            There used to be a Linux from down in South America where the few folks involved with it ONLY provided the very basic bare bones of the distro. In other words you got the basic frame, the menu system, you got wireless, only the very necessities and EVERYBODY was to build at least one .deb and contribute it to the repo and then you could be a permanent person on the forum.

            The fundamental idea was "basically" sound but it just never really took off and, one of the main reasons that I think that happened was that "Linux" moved away from the model of "one need, one application". We now have very complex apps, and not just Libre Office. It used to be one used XMMS and it still is a great player, but most folks want something like Songbird or Amarok which provide a smorgasbord of options. I've even forgotten the name.

            woodsmoke



              #7
              Originally posted by bra|10n
              a deb file contains a data archive of the essential files needed to build a package.
              Not necessarily, deb files are the packages. They are what apt-get downloads from the repos and what dpkg extracts and puts the contents in the system. You can install a deb using "sudo dpkg -i filename.deb" but that assumes you trust that package, if not then don't install it.

              So my question is, why can't we build deb packages from inside Launchpad or some similar safe environment, putting together all the various bits 'n' pieces needed just like a recipe, and then ideally hit a button labelled "Make deb Now?"
              What makes the environment safe? If anyone can create a package on launchpad that way then any package on launchpad is just as trusted as any package anywhere on the net. What makes the repos so safe is that only trusted users can place the debs in them and they get checked by others that are also trusted.

              PPAs are extra repos that untrusted users can create so that you can receive updates to packages that aren't in the official repos or that exist in older versions. They are only to be trusted as much as you trust the PPA creator, and this also goes for separate deb files that exist on the net.

              You can build debs yourself; that way you are only relying on trusting the original author of the software (and any patches you want to use), which is generally safer if you can read the source code (someone else probably has already if it's popular enough).

              Personally I quite like the way Arch Linux handles the problem: you have the core repos that are created by trusted users, you can add custom repos if you really want to or install packages found on the internet (but both of these methods aren't used often), and they have a repo of source packages (the AUR) which users can download, check the contents and build the package themselves if they trust it (which is the preferred way Arch users do things).

              Originally posted by kubicle
              If you're willing to trust the source code in the ubuntu repos (as most people are) you can reasonably trust the debs built as well (even if you don't build them yourselves).
              I would only trust them if they were built by someone I trusted... otherwise who knows what the user could have added to the package before sending it to you?



                #8
                Originally posted by james147
                I would only trust them if they were built by someone I trusted... otherwise who knows what the user could have added to the package before sending it to you?
                Maybe I wasn't clear enough ...I meant if you trust the source in the repos, you can reasonably trust the debs in the repos, not any random deb you get in a mail or on the internet.

                http://askubuntu.com/questions/52858...e-from-malware

                Yes...I'm seriously clumsy at editing...I blame the forum software, obviously:
                What makes the repos so safe is that only trusted users can place the debs in them and they get checked by others that are also trusted.
                The debs are generally built automatically on the build servers, not by specific users...of course only people with upload rights (to debian or ubuntu) can upload the source packages from which the debs are built.
                Last edited by kubicle; May 04, 2012, 02:43 PM.



                  #9
                  Originally posted by kubicle
                  Maybe I wasn't clear enough ...I meant if you trust the source in the repos, you can reasonably trust the debs in the repos, not any random deb you get in a mail or on the internet.
                  Yes, just thought it should be made clear.



                    #10
                    There is a vetting process before one can post to launchpad, and packages posted there have to be signed. If you (or the community) trusts the developer and his signature verifies, then you can be sure he wrote that package.

                    Also, packages like chkrootkit and rkhunter, if installed, run in cron and keep track of changes. If changes occur they can send you an email notifying you of changes. If you expected file X to be changed by installing app Y but you notice file Z was also changed, but wasn't part of the "installed files" list, then you should check it out.
                    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
                    – John F. Kennedy, February 26, 1962.
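
Added example, not part of GreyGeek's post and not how chkrootkit or rkhunter are implemented: the "file X was expected, file Z was not" check reduced to a hash snapshot taken before and after an install, compared against the package's own file list (on a real system that list comes from `dpkg -L <package>`). The directory tree and file names are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if os.path.isfile(full) and not os.path.islink(full):
                with open(full, "rb") as fh:
                    digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def unexpected_changes(before, after, installed_files):
    """Paths created, modified or deleted that the package's file list does not explain."""
    changed = {p for p in before.keys() | after.keys() if before.get(p) != after.get(p)}
    return sorted(changed - set(installed_files))

def demo():
    """Constructed scenario: app Y lists file X, but its install also changes file Z."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        write("etc/rc.local", "exit 0\n")                  # present before the install
        before = snapshot(root)
        write("usr/bin/app-y", "binary\n")                 # file X: in the package's list
        write("etc/rc.local", "echo changed\nexit 0\n")    # file Z: changed, not in the list
        after = snapshot(root)
        return unexpected_changes(before, after, ["usr/bin/app-y"])
```

Maintainer scripts legitimately touch files outside the list (caches, generated configuration), so a hit here is a prompt to look, not a verdict.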



                      #11
                      Thank you everyone for your replies

                      I was more asking why there didn't seem to be a way to build debs within a safe environment rather than download debs from the net and just having to trust they are clean.

                      As to the safest environment this explains it well,

                      Originally Posted by GreyGeek...

                      There is a vetting process before one can post to launchpad, and packages posted there have to be signed. If you (or the community) trusts the developer and his signature verifies, then you can be sure he wrote that package.
                      And where I suggested building debs inside of that environment to try and ensure 'clean' builds, I have to do that locally, with Launchpad as the source of the files...

                      Originally Posted by kubicle...

                      Building deb packages from source isn't that hard and there are tools that help creating them (for example, software that is available on the ubuntu repos can be built into a deb package with 'apt-get source --compile <package>' if the source repos are enabled)...that's what the ubuntu build-servers do 24/7, compile uploaded source packages into deb packages
                      But what about building debs from source code where Launchpad might not necessarily offer 'xyz package'. Do all of these 'bits 'n' pieces' exist in Launchpad? For example, I use smaragd, but it's not in the official repos for 12.04. Can I build a smaragd deb as it stands?

                      The only other point I see is this.
                      If I create a deb using the above means and method and wish to share it, the deb's 'verification as a clean build' seems lost and the recipient is suddenly in a 'trust' situation.

                      This seems a waste to me.

                      But thank you all for your knowledge and thoughts.


                        #12
                        Another element that should enter your calculation is an estimate of the likelihood of acquiring malware. The official repos, both the binaries and the sources, are highly unlikely to be distributors of malware, so my estimation of infection from those locations is practically zero. Individual PPAs on Launchpad are by definition not as trustworthy, but because PPAs publish source code plus binaries, you can always check the source code yourself. However, the number of people who really know how to spot vulnerabilities or malware in source code is actually quite smaller than typically imagined. Although the "many eyes" argument is something of a red herring, the simple availability of one's source code means that some people will take a gander, and if one routinely writes crappy code that's riddled with rookie security holes, word will get out -- fast.

                        If the source for your favorite software isn't in Launchpad, perhaps you can find it elsewhere, like in a Git repository. Clone it, then compile. You'll be doing the same thing that everyone else who uses that software does. And again, if it's leaking your PII all over the place, someone else has probably already discovered that and notified the author.
