aiui apt will compare downloads from repositories against the repository signing key, whereas downloading a deb and installing it manually with dpkg bypasses that.
So theoretically the Debian website could get compromised and provide you a malicious deb package. That has happened to other Linux distros before so it's not entirely unrealistic.
Practically I think that's very unlikely.
I know apt has the --download option if you'd like to fetch deb packages on the commandline, though I'm not sure if apt compares the package with the key during this process. I hope it does. You could probably run apt in verbose mode and hopefully see this happen.
aiui apt will compare downloads from repositories against the repository signing key, whereas downloading a deb and installing it manually with dpkg bypasses that.
So theoretically the Debian website could get compromised and provide you a malicious deb package. That has happened to other Linux distros before so it's not entirely unrealistic.
Practically I think that's very unlikely.
I know apt has the
--downloadoption if you'd like to fetch deb packages on the commandline, though I'm not sure if apt compares the package with the key during this process. I hope it does. You could probably run apt in verbose mode and hopefully see this happen.Some references:
deleted by creator