yusina 7 days ago

> Running "sudo dpkg -i somepackage.deb" is literally just as dangerous.

And it's just as bad an idea if it comes from some random untrusted place on the internet.

As you say, it's about trust and risk management. A distro repo is less likely to be compromised. It's not impossible, but more work is required to get me to run your malicious code via that attack vector.

serbuvlad 7 days ago

Sure.

But

    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
is less likely to get hijacked and scp all my files to $REMOTE_SERVER than a Deb file from the releases page of a random 10-star github repository. Or even from a random low-use PPA.

But I've just never heard anyone complain about "noobs" installing deb packages. Ever.

Maybe I just missed it.

blibble 7 days ago

> But I've just never heard anyone complain about "noobs" installing deb packages. Ever.

it is literally in the debian documentation: https://wiki.debian.org/DontBreakDebian

> One of the primary advantages of Debian is its central repository with many thousands of software packages. If you're coming to Debian from another operating system, you might be used to installing software that you find on random websites. On Debian installing software from random websites is a bad habit. It's always better to use software from the official Debian repositories if at all possible. The packages in the Debian repositories are known to work well and install properly. Only using software from the Debian repositories is also much safer than installing from random websites which could bundle malware and other security risks.