Old 08-22-2012, 06:49 PM   #1
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, Manjaro
Posts: 8,846
Blog Entries: 14

Repositories and ppa's



Hi:
I went to a repository one time and did not understand what I was looking at.
So; I went and did some reading. I learned that repositories are a more trustworthy way to download software and that it's like a huge bank or vault-

Next I went to this site to find out and learn what a ppa was.
http:/www.makeuseof.com/tag/ubuntu-ppa-technology-explained/

Now I know it's a personal package archive. And that it is software not included by default and this is how one would find a way to provide updates for software (besides the update manager). I found this website for more info on how to add a ppa in Debian.
http://blog.anantshri.info/howto-add-ppa-in-debian/
And I read the documentation about packages on the debian.org website.

I understand that I would use the terminal to
Code:
add-apt-repository <nameofpackage>
But what I am having trouble with is how do I obtain whatever package I want or need from a repository?

And once I am in a repository I in honesty don't understand what I'm looking at.
Kindly give some suggestions.

How do I know; or is there a way to tell that I am obtaining a ppa correctly and if it's secure?
 
Old 08-22-2012, 07:11 PM   #2
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and Scientific Linux
Posts: 5,753

Hi,

Quote:
Originally Posted by Ztcoracat View Post
:
But what I am having trouble with is how do I obtain whatever package I want or need from a repository?
once you have added the repository you can install packages from it using your package manager as usual.
Eg. as root
Code:
apt-get update
apt-get install somepackage
Evo2.
 
Old 08-22-2012, 07:17 PM   #3
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and Scientific Linux
Posts: 5,753

Hi,

just realised there are a couple of extra things I should have mentioned.
Quote:
Originally Posted by Ztcoracat View Post
I understand that I would use the terminal to
Code:
add-apt-repository <nameofpackage>
AFAIK that command is not in Debian. In Debian you should edit your /etc/apt/sources.list or add a file to /etc/apt/sources.list.d/

Also, note that it is generally a bad idea to have a "mixed" system. E.g. installing random Ubuntu packages on Debian stable. If there is something specific you are looking for, you can always post here to ask for advice on the best way to go about installing it.

Cheers,

Evo2.
 
Old 08-22-2012, 09:42 PM   #4
widget
Senior Member
 
Registered: Oct 2008
Location: S.E. Montana
Distribution: Debian Testing, Stable, Sid and Manjaro, Mageia 3, LMDE
Posts: 2,628

Ubuntu changes the location of some of the files installed by their .deb packages from where they should be in a Debian system.

Adding things from them, or Debian packages to Ubuntu is a bad idea because of this.

Many, if not most, packages will probably work. Thing is that packages installed by default in Ubuntu are the most likely to be "different" than the Debian package.

These are many times the ones folks try to install on Debian and then wonder why they don't work (at best) or break their system (at worst).

As ppas are set up to supply packages that are usually in advance of what is in the Ubuntu repo, even their development version repo, the chances of having a problem with them on a Debian stable system are even greater.

A little research will usually turn up the same package made for Debian. May be in the backports repo. May be a testing or Sid package.

I, personally, would not use packages in Debian stable that are not in the normal Debian stable repos.

If you are looking for cutting edge packages use Debian testing or Sid.
 
Old 08-22-2012, 10:22 PM   #5
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and Scientific Linux
Posts: 5,753

Hi,

while widget is correct that using testing or unstable will provide more up-to-date packages, please note that users of testing and unstable should fully understand the implications and be prepared to deal with a "broken system". If it breaks, you get to keep the pieces.

As I said in my earlier post, if there is something specific that you want/need that Debian stable does not seem to provide, you can post here and ask for advice on the best approach to installing it.

Cheers,

Evo2.

Last edited by evo2; 08-22-2012 at 11:34 PM.
 
Old 08-22-2012, 11:24 PM   #6
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, Manjaro
Posts: 8,846
Blog Entries: 14

Original Poster
Quote:
Originally Posted by evo2 View Post
Hi,

while widget is correct that using testing or unstable will provide more up-to-date packages, please note that users of testing and unstable should fully understand the implications and be prepared to deal with a "broken system". If it breaks, you get to keep the pieces.

As I said in my earlier post, if there is something specific that you want/need that Debian stable does not seem to provide, you can post here and ask for advice on the best approach to installing it.

Cheers,

Nick.
I specifically want Bleachbit.
In fact the package is sitting on my desktop as we speak however; I have decided not to install it because I honestly don't know if it is secure. Below the package it says:
Code:
bleachbit_0.9.3-1_all_debian6.deb
I downloaded this package from sourceforge-
I'm struggling because I have only known my system for about 10 days and I am still learning and reading the Debian documentation.
Which by the way is somewhat overwhelming but very helpful.

Is it wise for me to install this bleachbit?
 
Old 08-22-2012, 11:33 PM   #7
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and Scientific Linux
Posts: 5,753

Hi,

Quote:
Originally Posted by Ztcoracat View Post
I specifically want Bleachbit.
In fact the package is sitting on my desktop as we speak however; I have decided not to install it because I honestly don't know if it is secure. Below the package it says:
Code:
bleachbit_0.9.3-1_all_debian6.deb
I downloaded this package from sourceforge-
bleachbit is already packaged by Debian. So you can install it from the Debian repos using the standard procedure, as root:
Code:
apt-get install bleachbit
Is there a reason you want to install that particular version that you downloaded from sourceforge?

Quote:
Is it wise for me to install this bleachbit?
One thing you have to understand when you install a package is that you are effectively giving whoever made it root control on your system. If you are suspicious, you can unpack it and have a look at it. If you would like to know how to do this post back and explain the procedure.

Evo2.
 
Old 08-23-2012, 12:00 AM   #8
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, Manjaro
Posts: 8,846
Blog Entries: 14

Original Poster
Since giving whomever made the package control on my system I would feel better if I had control over packages and their contents-

I do not know how to unpack a package to be able to have a look at it.
How do I do this Evo?
 
Old 08-23-2012, 12:31 AM   #9
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and Scientific Linux
Posts: 5,753

Hi,

did you read what I wrote about bleachbit already being in Debian?
Quote:
Originally Posted by Ztcoracat View Post
Since giving whomever made the package control on my system I would feel better if I had control over packages and their contents-

I do not know how to unpack a package to be able to have a look at it.
How do I do this Evo?
Ok.

The first thing to understand is that a Debian package is actually an "ar" archive, which can be unpacked with the ar command. So make yourself a directory to work in, and cd there:
Code:
% mkdir unpackbb
% cd unpackbb
Unpack the package (assuming it is in your home directory) and have a look at what it contains.
Code:
% ar x ~/bleachbit_0.9.3-1_all_debian6.deb
% ls
control.tar.gz  data.tar.gz  debian-binary
You see three files:
- debian-binary just contains the version number of the package format (IIRC)
- data.tar.gz has all the files that will be installed on your system
- control.tar.gz has packaging information and pre and post install and remove scripts (if any)

The install and remove scripts are probably the most important things to check since they are run as root when you install or remove the package. Let's have a look
Code:
% tar xzf control.tar.gz
% ls
control  control.tar.gz  data.tar.gz  debian-binary  md5sums
Ok so now we see two new files (that were in control.tar.gz)
- md5sums is a text file that lists all the files in the package and their md5sum
The md5sum is just a "signature" that can be checked to see if the files have been modified
- control: this is also a text file and contains some information about the package: e.g. version, description, dependencies etc.

There appear to be no preinst, postinst, prerem or postrem scripts: so far this package looks pretty safe. If any of these scripts existed you should check them to make sure they would not do anything nasty (they are usually just shell scripts).

Ok, so next is the data.tar.gz that actually holds all the files that are to be installed.
Code:
% tar xzf data.tar.gz
% ls
control  control.tar.gz  data.tar.gz  debian-binary  md5sums  usr/
So we see the new directory "/usr". This means that all the files that this package would install would end up under /usr on your system. You can see them all by running
Code:
ls -R usr
I'm not posting it here because it is quite large. Basically there are some python libraries, some xml files, a bunch of localization files (for different spoken languages) and the python script executable usr/bin/bleachbit. Let's look at that
Code:
% ls -al usr/bin/bleachbit
-rwxr-xr-x 1 evo2 evo2 1369 Jul  5 12:50 usr/bin/bleachbit*
From this we can see that the suid bit is not set. If it was set, that would mean that if you run this script as yourself, it would actually be running with root permission which is a huge security hole. If it had looked like the following I would be extremely suspicious
Code:
ls -l usr/bin/bleachbit
-rwsr-xr-x 1 evo2 evo2 1369 Jul  5 12:50 usr/bin/bleachbit*
The thing to note here is the "s" in the "-rwsr-xr-x".

So at this stage everything looks sane, and any potential damage this package could cause would be limited to the user that runs the installed program. Further auditing would require actually reading all the python code.

HTH,

Evo2.
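
The manual inspection walked through in the post above (maintainer scripts in control.tar.gz, setuid/setgid bits in data.tar.gz), as an added example that is not part of the original thread. It reads the ar container and the tar metadata in memory instead of extracting anything; dpkg's maintainer script names are preinst, postinst, prerm and postrm, while `ar_members`, `audit_deb` and the sample package are names and data constructed here for illustration.

```python
import io
import tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm", "config"}  # run as root by dpkg

def ar_members(blob):
    """Yield (name, data) for each member of an ar archive (the .deb container)."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        name = header[:16].decode().strip().rstrip("/")
        size = int(header[48:58].decode().strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # members are padded to even offsets

def audit_deb(blob):
    """Collect maintainer scripts and setuid/setgid files without unpacking to disk."""
    report = {"scripts": {}, "setid": []}
    for name, data in ar_members(blob):
        if not name.startswith(("control.tar", "data.tar")):
            continue
        is_control = name.startswith("control.tar")
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for m in tar.getmembers():
                path = m.name.removeprefix("./")
                if is_control and m.isfile() and path in MAINTAINER_SCRIPTS:
                    report["scripts"][path] = tar.extractfile(m).read().decode(errors="replace")
                elif not is_control and m.isfile() and m.mode & 0o6000:
                    report["setid"].append((path, oct(m.mode)))
    return report

def _tar(entries):
    """Build a gzipped tar from (name, mode, content) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, content in entries:
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_sample_deb():
    """Constructed package: one postinst script and one setuid file to find."""
    control = _tar([("./control", 0o644, b"Package: demo\nVersion: 1.0\n"),
                    ("./postinst", 0o755, b"#!/bin/sh\necho 'runs as root'\n")])
    data = _tar([("./usr/bin/demo", 0o4755, b"#!/bin/sh\necho demo\n"),
                 ("./usr/share/doc/demo/README", 0o644, b"docs\n")])
    out = b"!<arch>\n"
    for name, body in [("debian-binary", b"2.0\n"), ("control.tar.gz", control), ("data.tar.gz", data)]:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n".encode()
        out += body + (b"\n" if len(body) % 2 else b"")
    return out
```

For a real package, pass `open(path, "rb").read()` to `audit_deb`; the mode comes from the tar header, so it shows what dpkg would install as root regardless of how an unprivileged `tar x` would have written the file.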
 
Old 08-23-2012, 02:18 AM   #10
k3lt01
Senior Member
 
Registered: Feb 2011
Location: Australia
Distribution: Debian Wheezy, Jessie, Sid/Experimental, playing with LFS.
Posts: 2,900

Quote:
Originally Posted by Ztcoracat View Post
I specifically want Bleachbit.
Bleachbit is in the normal Debian repositories. Please stick with, at least until you know more about your system, the standard Debian repositories.
 
Old 08-23-2012, 04:03 AM   #11
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,130
Blog Entries: 5

Quote:
Originally Posted by Ztcoracat View Post
Since giving whomever made the package control on my system I would feel better if I had control over packages and their contents-

I do not know how to unpack a package to be able to have a look at it.
How do I do this Evo?
1) even if you unpack the package and have a look at it, you won't know if you can trust it unless you have the source and the knowledge to go through it...

2) If you installed Debian, you've already trusted the Debian official repos. Just install bleachbit from the repos as you have been instructed.

3) All Debian packages are signed so if you stick to the main repos and don't add third party repos, your system is stable, safe and secure.

4) Adding 'buntu repos/ppas is the best way to achieve a broken system. If you enjoy a few days of crashing followed by another few hours of reinstalling - go ahead.
 
1 members found this post helpful.
Old 08-23-2012, 08:47 PM   #12
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, Manjaro
Posts: 8,846
Blog Entries: 14

Original Poster
k3lt01:

I will install Bleachbit from the repository like you advised me to.

Until I know my system better; I know it's best for me to follow what you have told me.

Thank you for the link to the Debian repository for bleachbit.
 
Old 08-23-2012, 08:53 PM   #13
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and Scientific Linux
Posts: 5,753

Hi,

Quote:
Originally Posted by Ztcoracat View Post
k3lt01:
I will install Bleachbit from the repository like you advised me to.
do you realise that I told you to do this as soon as you mentioned bleachbit and that I repeated it in my followup post? Are you actually reading the replies that people make?

Evo2.
 
Old 08-23-2012, 08:53 PM   #14
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, Manjaro
Posts: 8,846
Blog Entries: 14

Original Poster
Quote:
Originally Posted by caravel View Post
1) even if you unpack the package and have a look at it, you won't know if you can trust it unless you have the source and the knowledge to go through it...

2) If you installed Debian, you've already trusted the Debian official repos. Just install bleachbit from the repos as you have been instructed.

3) All Debian packages are signed so if you stick to the main repos and don't add third party repos, your system is stable, safe and secure.

4) Adding 'buntu repos/ppas is the best way to achieve a broken system. If you enjoy a few days of crashing followed by another few hours of reinstalling - go ahead.
I do lack the source and the knowledge to go through the package.

At some point however; I think this is a step that I should learn in the future.

I have gone to the site:
http://packages.debian.org/search?ke...mozilla-search
That k3lt01 provided for me.

In truth I went in Applications> System Tools
And for now I do not have the application Bleachbit-

I will install from the repository like k3lt01 has advised me.
Thank You
 
Old 08-23-2012, 08:58 PM   #15
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, Manjaro
Posts: 8,846
Blog Entries: 14

Original Poster
Quote:
Originally Posted by evo2 View Post
Hi,


do you realise that I told you to do this as soon as you mentioned bleachbit and that I repeated it in my followup post? Are you actually reading the replies that people make?

Evo2.
Yes; I have read the replies-
I have a disability and it is difficult for me sometimes to retain what others have made clear.

And, I have all of the instructions that you wrote. Thank You
 
  

