Is it safe to manually download a package from this site and then install the .deb file using apt? Is there anything more secure about using apt to download the package?
Yes, it’s safe; apt does the same when you install something, just automatically. So you can just do
sudo apt-get install --download-only htop
and it will store the .deb in your directory.
aiui apt will compare downloads from repositories against the repository signing key, whereas downloading a deb and installing it manually with dpkg bypasses that.
So theoretically the Debian website could get compromised and provide you a malicious deb package. That has happened to other Linux distros before so it’s not entirely unrealistic.
Practically I think that’s very unlikely.
I know apt has the --download option if you’d like to fetch deb packages on the commandline, though I’m not sure if apt compares the package with the key during this process. I hope it does. You could probably run apt in verbose mode and hopefully see this happen.
Some references:
Thank you for the links. I am curious about how this stuff works
So adding the debian repo is preferred.
But read my other comment, you shouldn’t mix repos of similar systems!
Is there a particular reason you can’t use apt here?
It’s always preferable to stick with repo packages unless absolutely necessary, because performing a manual install could place your system into an unsupported state or prevent apt from updating it later, which can lead to issues especially if that package is something core like bash.
It’s as safe as downloading an exe file from the internet and running it on your windows machine. I.e. 99% of the time if the site is trustworthy nothing bad will happen. But the main question is: Why would you want to do that? If you had linked an external site to download a third party app that is not distributed by your distro in their repos it would make some sense, but those packages there should be the same your repo has, so what’s the point in downloading a .deb from there and install it manually?
No, OP is asking about debian.org, not a random site.
This is the official Debian bash package. It might be slightly less safe (I think apt verifies signatures that I’m not sure are checked when you manually download the deb), but not like a random exe.
So a trustworthy site, exactly like I said.
No, it’s considerably more safe than that. Unless the .deb has been cryptographically signed by the Debian maintainers, it won’t install, no matter where you download it from.
For this reason, apt intentionally did not support any secure protocols (such as https) until just a few years ago. There’s no point to downloading it securely or from a trusted source: all the security is in the signature verification. (And insecure protocols like http are usually easier to cache/proxy)
I find that hardly unlikely, you can get several .deb files that are most definitely not signed by Debian maintainers, e.g. zoom, all of the packages from . Signatures of packages can be done by anyone, and apt can be configured to accept multiple keys so each distro can choose which ones to accept.
Also, AFAIK, apt only checks signature for packages it itself downloads, which is why you need to add new keys for adding repos but not when installing .deb files. That being said, when I install .deb packages on debian based distros I use dpkg so it might be that apt does check, but you can definitely install deb packages without it.
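The chain of trust the comments above are circling around is: the archive key signs the InRelease file, InRelease carries the hash of the Packages index, and Packages carries the SHA256 of every .deb. A .deb fetched by hand can still be checked against the last link of that chain by comparing its SHA256 with the stanza for the same package and version in an index apt has already verified (for example the output of apt-cache show on a machine with up-to-date lists). The script below is an added example, not code from the thread or from Debian; the package name, version and payload it builds are constructed fixtures, and only the field names (Package, Version, Filename, SHA256) mirror the real Packages index format.

```shell
#!/bin/sh
# Added example (not from the thread): check a manually downloaded .deb
# against the SHA256 recorded for it in the repository's Packages index.
# The stanza passed in is assumed to come from an index apt already
# verified via the signed InRelease file (e.g. `apt-cache show <pkg>`).

# sha256_of FILE -> prints the hex digest of FILE
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# index_sha256 STANZA_FILE -> prints the SHA256 field of one Packages stanza
index_sha256() {
    awk -F': ' '$1 == "SHA256" {print $2; exit}' "$1"
}

# verify_deb DEB STANZA_FILE -> 0 if the digests match, 1 otherwise
verify_deb() {
    deb="$1"; stanza="$2"
    expected=$(index_sha256 "$stanza")
    actual=$(sha256_of "$deb")
    if [ -z "$expected" ]; then
        echo "no SHA256 field in index stanza for $deb" >&2
        return 1
    fi
    if [ "$expected" = "$actual" ]; then
        echo "OK: $deb matches the index ($actual)"
        return 0
    fi
    echo "MISMATCH: $deb ($actual) != index ($expected)" >&2
    return 1
}

# make_fixture DIR: constructed data only. Writes a fake .deb, a matching
# stanza in Packages-index format, and a tampered copy of the .deb.
make_fixture() {
    dir="$1"
    printf 'constructed package payload\n' > "$dir/bash_5.2-example_amd64.deb"
    cat > "$dir/stanza" <<EOF
Package: bash
Version: 5.2-example
Architecture: amd64
Filename: pool/main/b/bash/bash_5.2-example_amd64.deb
SHA256: $(sha256_of "$dir/bash_5.2-example_amd64.deb")
EOF
    cp "$dir/bash_5.2-example_amd64.deb" "$dir/tampered.deb"
    printf 'extra byte\n' >> "$dir/tampered.deb"
}

# demo: returns 0 when the genuine file verifies and the tampered one is rejected
demo() {
    dir=$(mktemp -d)
    make_fixture "$dir"
    verify_deb "$dir/bash_5.2-example_amd64.deb" "$dir/stanza" || return 1
    if verify_deb "$dir/tampered.deb" "$dir/stanza" 2>/dev/null; then
        return 1
    fi
    rm -rf "$dir"
    return 0
}

demo
```

On a real system you would replace the constructed stanza with the stanza apt-cache show prints for the package and version you downloaded; if the two digests differ, the file is not the one the signed index describes and should not be installed.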
it is, but what’s the point? normally this is used for installing .debs provided by third parties that aren’t on Debian’s repos. but using it this way is just overcomplicating the installation.
Installing stuff on a system without a network connection?
you’re downloading the .deb anyway, so you need a network connection unless you’re downloading the packages on a different machine and then transferring them to the target.
but OP didn’t mention two machines and it is just too rare and specific to be assumed.
I don’t think it’s as rare as you think. There are machines that companies will run without an internet connection for years at a time for security reasons. But then one day they need to update some specific program.
No, I don’t think that’s OPs situation, I was just responding to your question about when that ever made sense to do.
Occasionally I’ll have to manually dl a .deb for network firmware but that is a no-network situation. For OPs case I think he should just stick to apt.
That usually doesn’t work, because you need all the dependencies, too. You can download each of those as .deb as well, if you really have no way of accessing the internet, but it’s certainly no fun.
You can do this instead: https://tadeubento.com/2023/debian-iso-downloads-and-offline-archives/ + https://tadeubento.com/2023/debian-iso-images-as-apt-repositories/ and have it all.
I’ve done it before where a newer version of a program is available that hasn’t been backported, just need to watch the dependencies. Sometimes it works out fine, other times you need a second package or 2 to update, other times it’s time to upgrade to the latest bleeding edge release of the OS.
I usually use dpkg -i for manually downloaded files. Just another option to try.
This doesn’t install dependencies.
apt is the nicer way.
Thank you, I wasn’t aware of that. Looks like I’ll have to switch it up.
Well, it is safe as it’s what APT does… hahaha just make sure to download the latest version…
Why? This is the question when installing an external DEB, but from your own repo it makes no sense.
Or do you mean that package is just on a Debian repo, and you don’t want to add the whole repo to your e.g. Ubuntu system and mess things up?
You may just want to use Distrobox in that case, to really separate things, as mixing distros, with ESR versions, backports and all that, especially when using two very similar but very differently paced distros, is just screaming for breakages.
So install distrobox, do
distrobox create -i
and press Tab (in bash) and you will have a list of all images, then do
distrobox create Debian -i URL/TO/IMAGE
In there again do a regular apt install of that package.
You can use Distrobox for every distro supported, install a package that’s just in an Ubuntu PPA, the AUR, available for RedHatEL/CentOS, only available for OpenSuse Leap etc. These situations occur, and it’s great to have these tools!
Also, doing
distrobox export --app NAME
inside the container will generate a GUI app entry to click on.
As long as the site isn’t compromised and you don’t break your dependencies in the process, yeah of course 👍
Don’t Break Debian! The absolute best advice I ever read when starting to use Linux. In particular taking notes and not making a FrankenDebian.