LinuxQuestions.org

How can we validate packages outside our distro's repos (https://www.linuxquestions.org/questions/linux-newbie-8/how-can-we-validate-packages-outside-our-distros-repos-4175573140/)

DoeDoe 02-24-2016 03:29 PM

How can we validate packages outside our distro's repos
 
Hi

I always install packages from the PCLinuxOS repos. I am reluctant to go outside the repos. But, if I ever do, how can we trust the validity of a package? Are these ideas below good enough?

** Download from a reputable site or the project's homepage

** Download packages that are signed, i.e. with a GPG key, an MD5 hash, or any SHA hash like SHA1, SHA256, SHA512, etc.

** I read that these can be manipulated

Are there any other ways to validate besides the above?

I have concerns because a while back I read about Sourceforge having some bad packages in their database.

Higgsboson 02-24-2016 04:58 PM

Quote:

Originally Posted by DoeDoe (Post 5505631)
I have concerns because a while back I read about Sourceforge having some bad packages in their database.

I don't download anything from sourceforge.
I just get stuff from my OS's own repos. There is no need to go to sourceforge.

If there is a need to download outside our repos then we have to accept we're taking a risk.
Interestingly, from someone’s recommendation here I downloaded bootinfoscript from sourceforge to fix a problem with grub.
Unfortunately, the program didn't really help and I used a live-usb to sort out the problem myself.
Anyways, my old hard drive has suddenly stopped working so now I need to buy a new hard drive! :)

Quote:

** Download packages that are signed, i.e. with a GPG key, an MD5 hash, or any SHA hash like SHA1, SHA256, SHA512, etc.
** I read that these can be manipulated
Really? A sha256sum can be compromised? I didn't know that. I always use this when downloading a .iso file to install a Linux OS!

sgosnell 02-24-2016 08:45 PM

If the files are signed with a gpg key, that's very difficult to fake, if even possible. I'm not aware that anyone has done it successfully.

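As an added example (not from this thread, and not any project's own script): the two checks discussed above, done in order. A hash listed on the download page only proves the file matches that list; if whoever controls the site altered the file, they can alter the hash too. A detached GPG signature made with a key you fetched separately and whose fingerprint you compared against the project's published one is what binds the file to the developer. File names and the fingerprint argument are placeholders; `sha256sum`, `awk` and `gpg` are assumed to be on PATH.

```shell
#!/bin/sh
# Added example: verify a downloaded package by signature, then by checksum.
# Assumes coreutils (sha256sum, awk, basename) and gpg. Names are placeholders.
set -u

# Step 1: checksum check. Proves the file matches the published list only.
# An attacker who controls the download site can publish a hash for a
# tampered file, so this alone does not establish who produced the file.
verify_checksum() {
    # $1 = file to check, $2 = SHA256SUMS-style list ("<hex>  <name>" or "<hex> *<name>")
    file=$1; sums=$2
    expected=$(awk -v f="$(basename "$file")" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $file in $sums" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Step 2: signature check on the checksum list. The signing key must be
# imported from a channel separate from the download site, and its
# fingerprint ($3) compared with the one the project publishes elsewhere.
# gpg's machine-readable VALIDSIG line carries the signing key's fingerprint,
# so a signature by some other key in the keyring is rejected too.
verify_signature() {
    # $1 = signed file, $2 = detached signature (.asc/.sig), $3 = expected fingerprint
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# Combined: trust the package only if the list is signed by the expected key
# AND the file's hash matches it. Signature first: an unsigned or mis-signed
# list says nothing about the file.
verify_package() {
    # $1 = package, $2 = SHA256SUMS, $3 = SHA256SUMS.asc, $4 = expected fingerprint
    verify_signature "$2" "$3" "$4" || { echo "signature check failed" >&2; return 1; }
    verify_checksum "$1" "$2"
}
```

Typical call: `verify_package pkg.tar.gz SHA256SUMS SHA256SUMS.asc <FINGERPRINT_FROM_PROJECT_DOCS>`; a non-zero exit means do not install.
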
BW-userx 02-25-2016 07:33 AM

Quote:

Originally Posted by Higgsboson (Post 5505656)

I don't download anything from sourceforge.
I just get stuff from my OS's own repos. There is no need to go to sourceforge.

If there is a need to download outside our repos then we have to accept we're taking a risk.

Life is inherently risky. There is only one big risk you should avoid at all costs, and that is the risk of doing nothing. Denis Waitley

DavidMcCann 02-25-2016 11:08 AM

Quote:

Originally Posted by DoeDoe (Post 5505631)
I have concerns because a while back I read about Sourceforge having some bad packages in their database.

I presume you mean this sort of thing:
http://blog.tedd.no/2014/11/25/sourceforge-malware/
The problems all seem to have been with Windows programs, not Linux ones.

As for getting software from outside your distro's repository, I have about 20 (CentOS is pretty small) from 7 different sources. Sometimes the process got rather complicated. Sometimes it would have been quicker to compile from source, if this computer were not 11 years old. Sometimes I've got things which don't actually work. But I've never had anything malicious (says he, touching wood).

BW-userx 02-25-2016 11:30 AM

Quote:

Originally Posted by DoeDoe (Post 5505631)
I have concerns because a while back I read about Sourceforge having some bad packages in their database.

The key word here being SOME. Then it seems that one is applying the old adage, "one bad apple spoils the whole bunch", ideology. It is a misunderstanding of how Sourceforge or others like them keep all of the source code for each application separated. Therefore, this is a gross misunderstanding of the truth of the situation. Therefore, it leads to misjudgements.

causes and effects

sgosnell 02-25-2016 02:05 PM

The problem was (or is, I haven't kept up lately) that Sourceforge was adding crap to the projects without the knowledge or consent of the developers. I've long since abandoned Sourceforge, and so have droves of developers. Github is where it's at now.

BW-userx 02-25-2016 02:08 PM

I don't install programs myself ~
well enough to actually worry about it ...
no that's a lie
I don't actually worry about it much, if at all, because format and start over with me is always an option.
