Is it safe to manually download a package from this site and then install the .deb file using apt? Is there anything more secure about using apt to download the package?
AIUI, apt will compare downloads from repositories against the repository signing key, whereas downloading a deb and installing it manually with dpkg bypasses that.
So theoretically the Debian website could get compromised and provide you a malicious deb package. That has happened to other Linux distros before so it’s not entirely unrealistic.
Practically I think that’s very unlikely.
I know apt has the --download option if you’d like to fetch deb packages on the command line, though I’m not sure if apt compares the package with the key during this process. I hope it does. You could probably run apt in verbose mode and hopefully see this happen.
Some references:
Thank you for the links. I am curious about how this stuff works.
So adding the debian repo is preferred.
But read my other comment, you shouldn't mix repos of similar systems!
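
Added example, not written by any poster in this thread: the check apt relies on is a hash chain from the signed Release file, to the SHA256 of the Packages index listed in it, to the SHA256 of each .deb listed in that index. The Python below walks that chain for a manually downloaded .deb; it assumes the Release file's signature was already verified (for example with gpgv), and all function names and sample data are constructed for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(release_text: str) -> dict:
    """Map index path -> (sha256, size) from the SHA256: block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_block = False
    return entries

def parse_packages(packages_text: str) -> dict:
    """Map Filename -> stanza fields from a Packages index."""
    by_file = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line and not line[0].isspace() and ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Filename" in fields:
            by_file[fields["Filename"]] = fields
    return by_file

def verify_deb(release_text, index_path, index_bytes, deb_name, deb_bytes) -> bool:
    """True only if Release vouches for the index and the index vouches for the .deb."""
    listed = parse_release_sha256(release_text).get(index_path)
    if listed != (sha256_hex(index_bytes), len(index_bytes)):
        return False  # Packages index is not the one the signed Release describes
    stanza = parse_packages(index_bytes.decode("utf-8")).get(deb_name)
    if stanza is None:
        return False  # the repository does not list this file at all
    return (stanza.get("SHA256") == sha256_hex(deb_bytes)
            and stanza.get("Size") == str(len(deb_bytes)))

# Constructed sample data (not from a real repository).
DEB_NAME = "pool/main/h/hello/hello_1.0-1_amd64.deb"
DEB = b"constructed stand-in for the bytes of a .deb archive\n"
PACKAGES = ("Package: hello\nVersion: 1.0-1\nFilename: %s\nSize: %d\nSHA256: %s\n"
            % (DEB_NAME, len(DEB), sha256_hex(DEB))).encode()
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE = ("Origin: Example\nSuite: stable\nSHA256:\n %s %d %s\n"
           % (sha256_hex(PACKAGES), len(PACKAGES), INDEX_PATH))
```

A .deb fetched by hand and passed straight to dpkg skips every step of this chain, which is the gap described in the first reply.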