Is it safe to manually download a package from this site and then install the .deb file using apt? Is there anything more secure about using apt to download the package?

  • Pantherina@feddit.de
    1 year ago

    Why? This is the question when installing an external DEB, but from the distro's own repo it makes no sense.

    Or do you mean that package is just on a Debian repo, and you don't want to add the whole repo to your e.g. Ubuntu system to mess things up?

    You may just want to use Distrobox in that case, to really separate things, as mixing distros, with ESR versions, backports and all that, especially when using two very similar but very differently paced distros, is just screaming for breakages.

    So install distrobox, do distrobox create -i and press Tab (in bash) and you will have a list of all images, then do distrobox create Debian -i URL/TO/IMAGE. In there again do a regular apt install of that package.

    You can use Distrobox for every distro supported, install a package that's just in an Ubuntu PPA, the AUR, available for RedHatEL/CentOS, only available for openSUSE Leap etc. These situations occur, and it's great to have these tools!

    Also, doing distrobox export --app NAME inside the container will generate a GUI app entry to click on.

  • anon5621@lemmy.ml
    1 year ago

    Yes, it’s safe. apt does the same when you install something, but does it automatically. So you can just do

    sudo apt-get install --download-only htop
    

    It will store the .deb in your directory

  • suprjami@lemmy.sdf.org
    1 year ago

    AIUI, apt will compare downloads from repositories against the repository signing key, whereas downloading a deb and installing it manually with dpkg bypasses that.

    So theoretically the Debian website could get compromised and provide you a malicious deb package. That has happened to other Linux distros before so it’s not entirely unrealistic.

    Practically I think that’s very unlikely.

    I know apt has the --download option if you’d like to fetch deb packages on the command line, though I’m not sure if apt compares the package with the key during this process. I hope it does. You could probably run apt in verbose mode and hopefully see this happen.

    Some references:
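
Added example, not part of the thread and not code from apt or any commenter: a Debian repository's signed Release file lists the SHA256 of each Packages index, and the Packages index lists the SHA256 and size of each .deb, so a manually downloaded file can be checked against that chain. The `verify_deb` helper, the file names and the sample repository data are constructed for illustration, and the Release file's signature is assumed to have been verified separately against the repository key (for example with gpgv).

```python
import hashlib

def parse_stanzas(text):
    """Parse a deb822 file into one dict per blank-line-separated stanza."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        stanzas.append(fields)
    return stanzas

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def verify_deb(deb, filename, packages, release, index_path):
    """Walk the hash chain Release -> Packages -> .deb and report where it breaks.
    Assumes the Release text was already signature-checked against the repo key."""
    rows = parse_stanzas(release)[0].get("SHA256", "").splitlines()
    pinned = {r.split()[2]: r.split()[:2] for r in rows if len(r.split()) == 3}
    if index_path not in pinned:
        return "index not listed in Release"
    if pinned[index_path] != [sha256(packages), str(len(packages))]:
        return "Packages index does not match Release"
    for st in parse_stanzas(packages.decode()):
        if st.get("Filename") == filename:
            good = st.get("SHA256") == sha256(deb) and st.get("Size") == str(len(deb))
            return "ok" if good else ".deb does not match Packages index"
    return "package not listed in Packages index"

def constructed_sample():
    """Build a tiny, internally consistent repo (constructed data, not real Debian files)."""
    deb = b"constructed stand-in for the bytes of htop.deb"
    name = "pool/main/h/htop/htop_0.0-constructed_amd64.deb"
    packages = (f"Package: htop\nFilename: {name}\nSize: {len(deb)}\n"
                f"SHA256: {sha256(deb)}\nDescription: sample\n more text\n").encode()
    index = "main/binary-amd64/Packages"
    release = f"Suite: constructed\nSHA256:\n {sha256(packages)} {len(packages)} {index}\n"
    return deb, name, packages, release, index

if __name__ == "__main__":
    deb, name, packages, release, index = constructed_sample()
    print(verify_deb(deb, name, packages, release, index))          # untampered file
    print(verify_deb(deb + b"!", name, packages, release, index))   # modified .deb
```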