@morph how's "apt install ./arbitraryPackageFromTheInterwebs.deb" better?

@aaron you can inspect it before you install it so you know what's inside.

@morph given that XYZ is a bash script – then what's the difference? You can absolutely inspect that too?

@aaron if you download it first, yes. The example in the screenshot downloads it and pipes it into a shell all in one step.

@morph to derail just a bit more: but let's face the reality here: do we really want to pretend that all of us always inspect every arbitrary *.deb-thing from the internet before we install it? Only installing *.debs instead of shellscripts gives us a false sense of security. "curl XYZ | sh" is not necessarily worse than "apt install ./whatever.deb". If we trust the source, then the former might be as good as the latter. I'm not arguing that the author in the screenshot is wrong btw. He's right.

@aaron (ugh, replied to the wrong thread and deleted my toot, sorry)
I agree, if a random website said "download this .deb package and install it" that would be equally bad. I personally wouldn't do either of these.

@morph @aaron
No, it's not equally bad.

1. The downloaded .deb package will be on disc and thus has at least some likelihood to get analyzed by forensic tools afterward. The shell script is just in RAM.

2. It's easier to inspect a .deb package because it has a clear separate file structure and usually none or tiny post-install scripts.

@morph @aaron I only download and install random .rpm's so I'm fine.


chaos.social – a Fediverse instance for & by the Chaos community