On Fri 09 Apr 2021 at 20:43:58 +0300, Andrei POPESCU wrote:

> On Vi, 09 apr 21, 06:34:32, riveravaldez wrote:
> > On 4/9/21, to...@tuxteam.de <to...@tuxteam.de> wrote:
> > >
> > > Is it really unavoidable? Or just a tad less convenient?
> >
> > Well, that's a pretty subjective issue, to be honest... ;)
> >
> > > Can you pose one concrete use case where it is unavoidable?
> >
> > Not sure if *unavoidable*, but I didn't find a better solution at the
> > time:
> > A client for whose laptop I'd installed Debian was in job-need of
> > using Skype and Zoom. Her employers wouldn't use anything
> > else, so I was looking for the better/safer way to install such damn
> > closed-source pieces of soft (in particular I hate Zoom, but that's
> > another subjective issue...) in a, for anything else, fully libre/secure,
> > perfectly working Debian system.
> > I have no idea what the official .deb packages from Skype/Zoom
> > do, so, to minimize exposure and loss of control, I looked for an easy
> > way to 'enclose' what those programs could do, and opted finally
> > for Flatpak just to avoid any Canonical late-inconvenience...
>
> Just a general reminder: dpkg will execute all maintainer scripts
> contained in the package as root.
>
> Packages can also contain various other files that can have a big impact
> on system security, like system .service files, cron jobs/timers running
> as root, SUID binaries, etc., even if the program itself is (meant to
> be) run only as a regular user.
>
> If you care about the security of your system, inspecting the .deb before
> 'dpkg -i' is always a good idea (e.g. with mc or so).
>
> If you are adding foreign repositories you are also trusting them for
> all package updates, for *any* package on your system.
>
> By default APT doesn't care which repository a particular package
> is coming from, as long as it has the higher version, and that is easy
> enough to manipulate (e.g. with an epoch). A trusted repository could
> then easily substitute *any* package on your system (kernel, init,
> shell, etc.) via package upgrades.
>
> The repository doesn't even have to be evil, as it could always be
> hijacked by a bad actor.

In response to this well-argued post: which is less risky when not installing a package from the archives?

* Install the vendor .deb.
* Install from the snap store.

-- 
Brian.
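As an added illustration of the "inspect the .deb before 'dpkg -i'" advice above (this is example code, not anything posted in the thread), the script below parses a .deb directly with the Python standard library: the outer file is a Unix `ar` archive holding `debian-binary`, `control.tar.*` and `data.tar.*`. It lists the maintainer scripts that dpkg would run as root, and flags payload files that matter regardless of how the application itself runs: SUID/SGID binaries, systemd units, cron entries, sudoers drop-ins and APT source/key files. The package it inspects is constructed inline (a hypothetical `example-chat` package) so the script runs offline; the watch-list of paths is an assumption of this example, not an exhaustive policy.

```python
import io
import stat
import tarfile

# Payload locations worth a second look before `dpkg -i`: content here runs as root
# (or at boot) or changes what APT trusts, even if the app itself is unprivileged.
# This list is an assumption of the example, not an exhaustive policy.
PRIVILEGED_PREFIXES = (
    "./etc/cron.d/", "./etc/cron.daily/", "./etc/cron.hourly/",
    "./etc/cron.weekly/", "./etc/cron.monthly/",
    "./lib/systemd/system/", "./usr/lib/systemd/system/", "./etc/systemd/system/",
    "./etc/sudoers.d/", "./etc/apt/sources.list.d/", "./etc/apt/trusted.gpg.d/",
)
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}


def parse_ar(blob):
    """Yield (member_name, bytes) for each member of a Unix 'ar' archive (the .deb container)."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                 # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[0:16].decode("ascii").strip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)            # members start on even offsets


def inspect_deb(blob):
    """Return what a cautious admin wants to know before letting dpkg touch the system."""
    report = {"maintainer_scripts": [], "setuid": [], "privileged_paths": []}
    for name, data in parse_ar(blob):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                for m in tf.getmembers():
                    if m.name.split("/")[-1] in MAINTAINER_SCRIPTS:
                        report["maintainer_scripts"].append(m.name.split("/")[-1])
        elif name.startswith("data.tar"):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                for m in tf.getmembers():
                    path = m.name if m.name.startswith("./") else "./" + m.name
                    if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID):
                        report["setuid"].append(path)
                    if path.startswith(PRIVILEGED_PREFIXES):
                        report["privileged_paths"].append(path)
    return report


def needs_review(report):
    """True if anything in the report would run as root or widen APT's trust."""
    return any(report.values())


def build_ar(members):
    """Write a minimal 'ar' archive; used only to construct the sample package."""
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode("ascii")
        out += hdr + data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)


def build_sample_deb():
    """Constructed sample package (not a real vendor .deb): a user-level chat client that
    also ships a root-run postinst, a SUID helper, a system service and an APT source."""
    def tar_gz(entries):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for path, content, mode in entries:
                info = tarfile.TarInfo(path)
                info.size, info.mode = len(content), mode
                tf.addfile(info, io.BytesIO(content))
        return buf.getvalue()

    control = tar_gz([
        ("./control", b"Package: example-chat\nVersion: 1.0\nArchitecture: amd64\n", 0o644),
        ("./postinst", b"#!/bin/sh\nset -e\n# dpkg runs this as root\n", 0o755),
    ])
    data = tar_gz([
        ("./usr/bin/example-chat", b"\x7fELF-placeholder", 0o755),
        ("./usr/lib/example-chat/helper", b"\x7fELF-placeholder", 0o4755),   # SUID root
        ("./lib/systemd/system/example-chat-updater.service",
         b"[Service]\nExecStart=/usr/lib/example-chat/helper\n", 0o644),
        ("./etc/apt/sources.list.d/example-chat.list",
         b"deb https://example.invalid/repo stable main\n", 0o644),
    ])
    return build_ar([("debian-binary", b"2.0\n"),
                     ("control.tar.gz", control), ("data.tar.gz", data)])


if __name__ == "__main__":
    rep = inspect_deb(build_sample_deb())
    for key, items in rep.items():
        print(f"{key}: {items}")
    print("manual review recommended" if needs_review(rep) else "nothing privileged found")
```

To run it against a real download, replace `build_sample_deb()` with `open("package.deb", "rb").read()`; the same checks apply. Note that the script only reports what is present, so a clean report still leaves the repository-trust problem Andrei describes, which is addressed with APT pinning (`/etc/apt/preferences.d/`) rather than by looking inside one package.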