LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 02-24-2016, 03:29 PM   #1
DoeDoe
LQ Newbie
 
Registered: Feb 2016
Posts: 2

Rep: Reputation: Disabled
How can we validate packages outside our distro's repos


Hi

I always install packages from the pclinuxos repos. I am reluctant to go outside the repos. But, if I ever do, how can we trust the validity of a package? Are these ideals below good enough?

** Download from a reputable site or the project's homepage


** Download packages that are signed, i.e. gpg key, md5, or any sha hash like sha1, sha256, sha512, etc.

** I read that these can be manipulated

Are there any other ways to validate besides the above?

I have concerns because a while back I read about Sourceforge having some bad packages in their database.

Last edited by DoeDoe; 02-24-2016 at 03:58 PM.
 
Old 02-24-2016, 04:58 PM   #2
Higgsboson
Member
 
Registered: Dec 2014
Location: UK
Distribution: Debian 8 Cinnamon/Xfce/gnome classic Debian live usb
Posts: 508

Rep: Reputation: 49
Quote:
Originally Posted by DoeDoe
I have concerns because a while back I read about Sourceforge having some bad packages in their database.
I don't download anything from sourceforge.
I just get stuff from my OS's own repos. There is no need to go to sourceforge.

If there is a need to download outside our repos then we have to accept we're taking a risk.
Interestingly, from someone’s recommendation here I downloaded bootinfoscript from sourceforge to fix a problem with grub.
Unfortunately, the program didn't really help and I used a live-usb to sort out the problem myself.
Anyways, my old hard drive has suddenly stopped working so now I need to buy a new hard drive!

Quote:
** Download packages that are signed, i.e. gpg key, md5, or any sha hash like sha1, sha256, sha512, etc.
** I read that these can be manipulated
Really? A sha256sum can be compromised? I didn't know that. I always use this when downloading a .iso file to install a Linux OS!
 
Old 02-24-2016, 08:45 PM   #3
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian
Posts: 1,054

Rep: Reputation: 277
If the files are signed with a gpg key, that's very difficult to fake, if even possible. I'm not aware that anyone has done it successfully.
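An added example (not code from this thread or from any project mentioned in it) illustrating the two points above: a checksum file served next to the download can be rewritten along with the download, so it only proves the transfer was not corrupted, whereas a hash noted from an independent channel, or a gpg signature checked against a fingerprint obtained out of band, detects the substitution. The `signature_valid` helper shells out to `gpg` and is only useful on a machine that has it installed; the scenario in `demo()` is constructed.

```python
import hashlib
import hmac
import os
import subprocess
import tempfile

def sha256_of_file(path, chunk=1 << 16):
    """Hash a file in chunks so a multi-GB ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_sha256sums(text):
    """Parse sha256sum output lines: '<hex>  <name>' or '<hex> *<name>' (binary mode)."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue                      # skip comments, blank lines, malformed entries
        table[parts[1].lstrip("*")] = parts[0].lower()
    return table

def checksum_matches(path, expected_hex):
    """Constant-time comparison of the file's digest with the expected one."""
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())

def signature_valid(sig_path, data_path, expected_fpr):
    """True only if gpg reports VALIDSIG made by the key whose fingerprint was
    obtained out of band (project web page, keyserver plus a second source, etc.).
    'Good signature' alone is not enough: any key can produce a good signature."""
    r = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
                       capture_output=True, text=True)
    for line in r.stdout.splitlines():
        f = line.split()
        if len(f) >= 3 and f[:2] == ["[GNUPG:]", "VALIDSIG"] and f[2].upper() == expected_fpr.upper():
            return r.returncode == 0
    return False

def demo():
    """Constructed scenario: the SHA256SUMS file next to the download is swapped with it.
    Returns (co-hosted checksum passes, independently pinned checksum passes)."""
    d = tempfile.mkdtemp()
    pkg = os.path.join(d, "tool.tar.gz")
    with open(pkg, "wb") as f:
        f.write(b"genuine release\n")
    pinned = sha256_of_file(pkg)          # value the user noted from an independent source
    with open(pkg, "wb") as f:            # substituted download
        f.write(b"trojaned release\n")
    sums = parse_sha256sums(sha256_of_file(pkg) + "  tool.tar.gz\n")   # rewritten SHA256SUMS
    return checksum_matches(pkg, sums["tool.tar.gz"]), checksum_matches(pkg, pinned)
```

The first value from `demo()` is True and the second False: a checksum from the same place as the file tells you nothing about who produced it, which is why distributions sign the checksum file with a key you can verify separately.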
 
Old 02-25-2016, 07:33 AM   #4
BW-userx
Senior Member
 
Registered: Sep 2013
Location: MID-SOUTH USA
Distribution: Void Linux / Slackware 14.2
Posts: 4,140

Rep: Reputation: 743
Quote:
Originally Posted by Higgsboson

I don't download anything from sourceforge.
I just get stuff from my OS's own repos. There is no need to go to sourceforge.

If there is a need to download outside our repos then we have to accept we're taking a risk.
Life is inherently risky. There is only one big risk you should avoid at all costs, and that is the risk of doing nothing. Denis Waitley
 
1 members found this post helpful.
Old 02-25-2016, 11:08 AM   #5
DavidMcCann
Senior Member
 
Registered: Jul 2006
Location: London
Distribution: CentOS, Salix
Posts: 4,437

Rep: Reputation: 1360
Quote:
Originally Posted by DoeDoe
I have concerns because a while back I read about Sourceforge having some bad packages in their database.
I presume you mean this sort of thing:
http://blog.tedd.no/2014/11/25/sourceforge-malware/
The problems all seem to have been with Windows programs, not Linux ones.

As for getting software from outside your distro's repository, I have about 20 (CentOS is pretty small) from 7 different sources. Sometimes the process got rather complicated. Sometimes it would have been quicker to compile from source, if this computer were not 11 years old. Sometimes I've got things which don't actually work. But I've never had anything malicious (says he, touching wood).
 
Old 02-25-2016, 11:30 AM   #6
BW-userx
Senior Member
 
Registered: Sep 2013
Location: MID-SOUTH USA
Distribution: Void Linux / Slackware 14.2
Posts: 4,140

Rep: Reputation: 743
Quote:
Originally Posted by DoeDoe
I have concerns because a while back I read about Sourceforge having some bad packages in their database.
The key word here being SOME. Then it seems that one is applying the old adage, "one bad apple spoils the whole bunch", ideology. It is a misunderstanding of how Sourceforge or others like them keep all of the source code for each application separated. Therefore, this is a gross misunderstanding of the truth of the situation. Therefore, it leads to misjudgements.

causes and effects

Last edited by BW-userx; 02-25-2016 at 12:03 PM.
 
Old 02-25-2016, 02:05 PM   #7
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian
Posts: 1,054

Rep: Reputation: 277
The problem was (or is, I haven't kept up lately) that Sourceforge was adding crap to the projects without the knowledge or consent of the developers. I've long since abandoned Sourceforge, and so have droves of developers. Github is where it's at now.
 
Old 02-25-2016, 02:08 PM   #8
BW-userx
Senior Member
 
Registered: Sep 2013
Location: MID-SOUTH USA
Distribution: Void Linux / Slackware 14.2
Posts: 4,140

Rep: Reputation: 743
I don't install programs myself ~
well enough to actually worry about it ...
no that's a lie
I don't actually worry about it much, if at all, because format and start over with me is always an option.
 