Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: How safe are things downloaded from the Linux repository ? (no program specifically)

  1. #1
    Join Date
    Jan 2018
    Beans
    8

    How safe are things downloaded from the Linux repository ? (no program specifically)

    HI folks, I just wanted to know how safe are things downloaded from the Linux or Ubuntu repository?

    1. Is it the Ubuntu repository of the Linux repository ?
    2.When I type in sudo apt-get vlc , how well are things checked for malicious software?
    3. When I download from the software updater app, I basically am hoping that I am not downloading anything bad, and that everything is being checksum verified --- is this true or false?

    Thanks.

    PS yes I am a newbie to Linux, I would like to be informed about security and be more secure .Thanks.

  2. #2
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: How safe are things downloaded from the Linux repository ? (no program specifica

    Welcome to the forums, jedi123.

    Let's start by answering your questions:

    1. Each distro maintains its own repository, so it is the Ubuntu repository. Technically speaking, Linux is only the kernel and therefore does not have a repository.
    2. The premise of your question arises from a basic misunderstanding of open source software. Whereas a closed-source app store like Google's or Apple's tries to "check" for malicious software, they are at an immediate and huge disadvantage to that of any Linux distro—they have no ability to examine the source code. Anything malicious that is hiding in those apps must be teased out through trial and error, testing and the usual antivirus scans. But in the free and open source Linux ecosystem, the only way that an app makes it into the repos is to have its source code openly available. I will leave it to you to decide how likely it is "hide" malicious behaviour when the source code is open to review and analysis by anyone.
    3. Actually, it is a bit more secure than even you are hoping. When you first installed Ubuntu, you also installed Ubuntu's public keys. When you download something from the repos, they are signed in such a way that they must successfully verify themselves against those keys. If they have been tampered with, or are not original, or come from anywhere other than Ubuntu's repos or mirrors, they will not pass signature verification and apt will refuse to install them. It is far more than just a simple checksum.

    Quote Originally Posted by jedi123 View Post
    …I am a newbie to Linux, I would like to be informed about security and be more secure .Thanks.
    As a user new to Ubuntu, it is only natural, I suppose, to have the concerns that plague users of commercial software. Therefore, I would highly recommend that you read some of the links in my sig. In particular: Linux is Not Windows and Security Basics. This will give you a lot of the background necessary to think through issues the Linux way.

    I will also point you to an old but still relevant post of mine (no use reinventing the wheel): https://ubuntuforums.org/showthread....5#post12833795

  3. #3
    Join Date
    Jan 2018
    Beans
    8

    Re: How safe are things downloaded from the Linux repository ? (no program specifica

    I do have a habit of everyday, of opening a terminal, and writing
    Code:
    sudo apt-get update
    and
    Code:
    sudo apt-get upgrade
    However , I notice that even though I do this everyday, the software updater app still says that I need to download more stuff. Why is this?

    Why this discrepancy ? In theory I am doing everything I need to do with the above commands, security wise. PS I can take a screen shot, of my software update preferences, and give them to you .

    Thanks.
    Last edited by vasa1; January 5th, 2018 at 01:17 PM. Reason: reformatted a bit

  4. #4
    Join Date
    Dec 2007
    Beans
    12,540

    Re: How safe are things downloaded from the Linux repository ? (no program specifica

    Quote Originally Posted by jedi123 View Post
    I do have a habit of everyday , of opening a terminal, and writing "sudo apt-get update" and sudo apt-get upgrade". However , I notice that even though I do this everyday, the software updater app , still says that I need to download more stuff. Why is this?

    Why this discrepancy ? In theory I am doing everything I need to do with the above commands, security wise. PS I can take a screen shot, of my software update preferences, and give them to you .

    Thanks.
    Kernel upgrades that may not be available with sudo apt-get upgrade? To see, try sudo apt-get dist-upgrade and press "N" if you are reluctant to proceed. In any case, copy paste the entire output of
    Code:
    sudo apt-get update
    and
    Code:
    sudo apt-get dist-upgrade
    here. No need for a screenshot for now. Some information is better presented via copy/paste using code tags.

  5. #5
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: How safe are things downloaded from the Linux repository ? (no program specifica

    Quote Originally Posted by jedi123 View Post
    I do have a habit of everyday, of opening a terminal, and writing
    Code:
    sudo apt-get update
    and
    Code:
    sudo apt-get upgrade
    Good habit. Keep doing that. Some people turn on automatic updating, but I don't like it. I want to know what is being updated.
    …I notice that even though I do this everyday, the software updater app still says that I need to download more stuff. Why is this?
    As vasa1 notes:
    Code:
    sudo apt-get upgrade
    …does not update everything. To update the kernel, follow his instructions with:
    Code:
    sudo apt-get dist-upgrade
    You can make the dist-upgrade process pause, report a list of all changes, then ask for your permission before proceeding further, by installing the package apt-listchanges. Note that because apt-listchanges must ask for permission, this will break automatic updates. But if your goal is to review all updates before allowing them, then you will not be running automatic updates anyway.

  6. #6
    Join Date
    Apr 2011
    Location
    Mystletainn Kick!
    Beans
    9,313
    Distro
    Ubuntu

    Re: How safe are things downloaded from the Linux repository ? (no program specifica

    However , I notice that even though I do this everyday, the software updater app still says that I need to download more stuff. Why is this?
    Are the listed packages different from those you've just apt-getted?
    Splat Double Splat Triple Splat
    Earn Your Keep
    Don't mind me, I'm only passing through.
    Once in a blue moon, I'm actually helpful
    .

  7. #7
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    14,521
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: How safe are things downloaded from the Linux repository ? (no program specifica

    I have a slightly different view, but along the same lines as the esteemed folks above.

    The #1 security technique for anyone, on any computer, is to have versioned backups. NOTHING, NOTHING, replaces what versioned backups provide. Patching alone is not enough.

    I think running updates daily is asking for trouble and not as easy to find the root cause when something breaks. I run them weekly. This way, I know for the 24-48 hrs after updates are done, that any issue is likely related to a recent update. That leaves 5 days of relative stability.

    sudo apt upgrade - - does get patches to kernels. It doesn't update to a newer kernel release. "New" is the enemy of stable. I prefer stable almost always. There are reasons to NOT want a newer kernel, just like there are reasons to need a newer kernel. Regardless, we all want security updates for the kernel and our programs, which apt upgrade does get, provided the kernel is still supported. That is a little more complicated question, since some kernels only have 6-9 months of support. If you don't want to worry about all this, running sudo apt dist-upgrade **is** safe and will keep you on a supported kernel provided the entire release is supported. "dist-upgrade" is the old option name. There is a newer name that does exactly the same thing, but I can't remember it right now (the apt-get manpage has the answer). At some future point, dist-upgrade will likely be removed.

    You can disable the GUI patching reminders. If you are manually doing them and always will, you don't need the GUI. As to why different times of day produce different results? That is because patches are being provided as they become available and finally get pushed-to/pulled-by the repositories around the world.

    apt, apt-get, aptitude, or the GUI tools for package management all work with the same back-end database and libraries. For normal updates, I use apt. When I need a CLI interface or want slightly more complex choices, then I'll use aptitude. These days, I only use apt-get out of muscle memory or when copy/pasting from some notes I made previously. 99% of the time, it doesn't matter which interface to APT we choose, so I choose to type fewer characters.

    And lastly, just to clarify the checksum question. Packages are cryptographically signed. This is a fairly strong level of assurance that nothing has been tampered with or broken or accidentally corrupted between the package maintainer and transfer to your installation. APT does this and has for decades. This isn't just a download like setup.exe is.

  8. #8
    Join Date
    Jan 2018
    Beans
    8

    Re: How safe are things downloaded from the Linux repository ? (no program specifica

    All very good, advice, my concern is, that when I press ok, on the software updater application, some weird non-ubuntu, and possibly malicious stuff gets put into the mix.

  9. #9
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    14,521
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: How safe are things downloaded from the Linux repository ? (no program specifica

    The same repos are used, regardless of the interface.

    Of course, if you are seeing something different, can you please show the differences?
    Last edited by TheFu; January 9th, 2018 at 02:25 PM.

  10. #10
    Join Date
    Jan 2018
    Beans
    8

    Re: How safe are things downloaded from the Linux repository ? (no program specifica

    Quote Originally Posted by TheFu View Post
    The same repos are used, regardless of the interface.

    Of course, if you are seeing something different, can you please show the differences?
    I was not able to screen shot the terminal. But right now I just did sudo apt-get update and sudo at-get upgrade, then I saw all this security stuff. What gives? Anything from the software updater is verified via pgp key correct? I attached a screen shot from software updater.
    Attached Images Attached Images

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •