On Vi, 09 apr 21, 06:34:32, riveravaldez wrote:
> On 4/9/21, to...@tuxteam.de <to...@tuxteam.de> wrote:
> >
> > Is it really unavoidable? Or just a tad less convenient?
>
> Well, that's a pretty subjective issue, to be honest... ;)
>
> > Can you pose one concrete use case where it is unavoidable?
>
> Not sure if *unavoidable*, but I didn't find a better solution at the
> time:
> A client on whose laptop I'd installed Debian was in job-need of
> using Skype and Zoom. Her employers wouldn't use anything
> else, so I was looking for the better/safer way to install such damn
> closed-source pieces of soft (in particular I hate Zoom, but that's
> another subjective issue...) in an otherwise fully libre/secure,
> perfectly working Debian system.
> I have no idea what the official .deb packages from Skype/Zoom
> do, so, to minimize exposure and loss of control, I looked for an easy
> way to 'enclose' what those programs could do, and opted finally
> for Flatpak just to avoid any Canonical late-inconvenience...
Just a general reminder: dpkg will execute all maintainer scripts contained in the package as root. Packages can also contain various other files that can have a big impact on system security, like system .service files, cron jobs/timers running as root, SUID binaries, etc., even if the program itself is (meant to be) run only as a regular user.

If you care about the security of your system, inspecting the .deb before 'dpkg -i' is always a good idea (e.g. with mc or so).

If you are adding foreign repositories you are also trusting them for all package updates, for *any* package on your system. By default APT doesn't care which repository a particular package is coming from, as long as it has the highest version, and that is easy enough to manipulate (e.g. with an epoch). A trusted repository could then easily substitute *any* package on your system (kernel, init, shell, etc.) via package upgrades. The repository doesn't even have to be evil, as it could always be hijacked by a bad actor.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
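An added example, not part of the thread: a POSIX shell audit of a foreign .deb before 'dpkg -i' that flags the items Andrei lists (maintainer scripts, systemd units, cron entries, SUID/SGID binaries). It assumes dpkg-deb is installed for the audit_deb wrapper; flag_listing and flag_control work on a 'dpkg-deb -c' listing and an extracted control directory and need nothing else.

```shell
#!/bin/sh
# Audit a foreign .deb before 'dpkg -i'. Flags what the message above warns
# about: maintainer scripts (dpkg runs them as root), systemd units and cron
# entries (started by the system, not the user), and SUID/SGID binaries.

# flag_listing: read a 'dpkg-deb -c PKG.deb' listing on stdin (tar -tv style:
# mode owner/group size date time ./path) and print one finding per line.
flag_listing() {
    while read -r mode owner size date time path rest; do
        case $mode in d*) continue ;; esac   # skip directories (setgid dirs are normal)
        case $mode in
            # 4th char = user exec bit, 7th = group exec bit; s/S means setuid/setgid
            ???s*|???S*|??????s*|??????S*) echo "SETID $mode $path" ;;
        esac
        case $path in
            ./lib/systemd/system/*|./usr/lib/systemd/system/*|./etc/systemd/system/*)
                echo "UNIT $path" ;;
            ./etc/cron.*|./var/spool/cron/*)
                echo "CRON $path" ;;
            ./etc/sudoers.d/*)
                echo "SUDOERS $path" ;;
        esac
    done
}

# flag_control: list the maintainer scripts in a control directory extracted
# with 'dpkg-deb -e PKG.deb CTLDIR', with each script's interpreter line.
flag_control() {
    for s in preinst postinst prerm postrm; do
        [ -f "$1/$s" ] && echo "MAINTSCRIPT $s $(head -n 1 "$1/$s")"
    done
    return 0
}

# audit_deb: run both checks on a .deb file (needs dpkg-deb installed).
audit_deb() {
    ctl=$(mktemp -d) || return 1
    dpkg-deb -e "$1" "$ctl" && flag_control "$ctl"
    dpkg-deb -c "$1" | flag_listing
    rm -rf "$ctl"
}

if [ "$#" -gt 0 ]; then
    audit_deb "$1"
fi
```

Run it as 'sh audit-deb.sh foo.deb'; an empty report means none of the listed items were found, which is a reason to read the package with mc, not a proof that it is harmless.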