Permanently Deleted

  • suprjami@lemmy.sdf.org
    ·
    1 year ago

    aiui apt will compare downloads from repositories against the repository signing key, whereas downloading a deb and installing it manually with dpkg bypasses that.

    So theoretically the Debian website could get compromised and provide you a malicious deb package. That has happened to other Linux distros before so it's not entirely unrealistic.

    Practically I think that's very unlikely.

    I know apt has the --download option if you'd like to fetch deb packages on the commandline, though I'm not sure if apt compares the package with the key during this process. I hope it does. You could probably run apt in verbose mode and hopefully see this happen.

    Some references:

    • https://askubuntu.com/questions/131397/what-is-a-repository-key-under-ubuntu-and-how-do-they-work
    • https://wiki.debian.org/SecureApt