How can we validate packages outside our distro's repos
Hi
I always install packages from the pclinuxos repos. I am reluctant to go outside the repos. But, if I ever do, how can we trust the validity of a package? Are these ideals below good enough?
** Download from a reputable site or the project's homepage
** Download packages that are signed, i.e. gpg key, md5, or any sha hash like sha1, sha256, sha512, etc. (I read that these can be manipulated)
Are there any other ways to validate besides the above? I have concerns because a while back I read about Sourceforge having some bad packages in their database.
I just get stuff from my OS's own repos. There is no need to go to sourceforge. If there is a need to download outside our repos then we have to accept we're taking a risk. Interestingly, from someone's recommendation here I downloaded bootinfoscript from sourceforge to fix a problem with grub. Unfortunately, the program didn't really help and I used a live-usb to sort out the problem myself. Anyways, my old hard drive has suddenly stopped working so now I need to buy a new hard drive! :)
If the files are signed with a gpg key, that's very difficult to fake, if even possible. I'm not aware that anyone has done it successfully.
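Added example, not written by anyone in this thread: a POSIX shell script with the two checks discussed above. verify_sha256 compares a download against a published SHA256SUMS line (integrity only, since a hash hosted beside the file can be swapped along with it), and verify_gpg checks a detached signature and additionally requires that the signing key's fingerprint equal one you obtained out of band (the file names and the fingerprint are placeholders, not real project values).

```shell
#!/bin/sh
# Added example (not from this thread). Two checks for a downloaded package:
#  verify_sha256 FILE SUMS   integrity only: the file matches the published hash list
#  verify_gpg FILE SIG FPR   authenticity: detached signature is valid AND made by the
#                            key whose fingerprint FPR you obtained out of band
# File names and the fingerprint below are placeholders, not real project values.

verify_sha256() {
    file=$1; sums=$2
    # Pick the hash listed for this file name ("*name" is sha256sum's binary-mode form).
    expected=$(awk -v n="$(basename "$file")" \
        '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $file in $sums" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

verify_gpg() {
    file=$1; sig=$2; fpr=$3
    # --status-fd 1 prints machine-readable lines; VALIDSIG carries the full
    # fingerprint of the signing key. "Good signature" alone is not enough:
    # any key that found its way into your keyring would produce one.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# Stand-alone demo with a constructed file and hash list (SHA-256 of "hello\n").
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/example-1.0.tar.gz"
printf '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  example-1.0.tar.gz\n' \
    > "$demo_dir/SHA256SUMS"
if verify_sha256 "$demo_dir/example-1.0.tar.gz" "$demo_dir/SHA256SUMS"; then
    echo "sha256: OK"
else
    echo "sha256: MISMATCH, do not install"
fi
# Real use (placeholder fingerprint; paste the project's published one, no spaces):
# verify_gpg example-1.0.tar.gz example-1.0.tar.gz.sig 0123456789ABCDEF0123456789ABCDEF01234567 \
#     && echo "signature: OK from pinned key"
rm -rf "$demo_dir"
```

The fingerprint comparison is the part that actually answers the "can these be manipulated" worry: a hash or a signature from an unknown key that was fetched from the same page as the download proves nothing about who published it.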
http://blog.tedd.no/2014/11/25/sourceforge-malware/ The problems all seem to have been with Windows programs, not Linux ones. As for getting software from outside your distro's repository, I have about 20 (CentOS is pretty small) from 7 different sources. Sometimes the process got rather complicated. Sometimes it would have been quicker to compile from source, if this computer were not 11 years old. Sometimes I've got things which don't actually work. But I've never had anything malicious (says he, touching wood).
causes and effects
The problem was (or is, I haven't kept up lately) that Sourceforge was adding crap to the projects without the knowledge or consent of the developers. I've long since abandoned Sourceforge, and so have droves of developers. Github is where it's at now.
I don't install programs myself ~ well enough to actually worry about it ... no, that's a lie. I don't actually worry about it much, if at all, because format and start over with me is always an option.