On Mon, Jun 04, 2018 at 07:20:34AM -0500, Anil Duggirala wrote:
> hello,
> I know installing .deb packages downloaded from websites is not a good
> practice in terms of software management in Debian. I would like to know if I
> should have security concerns when installing a .deb package "manually"
> (using gdebi for example)?
> Is it possible that by downloading the skype .deb package and installing it,
> I am creating a security vulnerability in a Debian system?
Yes. I know, I know. Take a step back: it all reduces to trust.

Debian packages are signed by their maintainers: by verifying the signature against the published public keys (the Debian keyring) I can assess that the package comes from a maintainer [1], and that it hasn't been tampered with on its way to me (whether it was wget, curl, apt, file copy, or USB-on-pigeon). Whether I trust the Debian maintainers is up to me...

Now where did you get your skype package? Is it signed? Do you have the signer's public key? Can you assess whether this public key has reached you without having been tampered with? If you can answer those questions, then you have all of the above.

Now... I don't know anything about the Debian skype package. But I *know* that skype is not free. I doubt that the skype package brings along the skype binaries: I expect it to be just an installer which grabs whatever binaries are needed off the internets. And there's the real elephant in the room.

Me? I wouldn't trust skype as far as I can spit. Personally I'd run it in an isolated environment (if I had to, at all). Perhaps on its own hardware. Raspis aren't that expensive these days.

Cheers

[1] ...or from someone who got control of the maintainer's private key.

-- 
tomás
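The reply's practical worry is a third-party .deb that ships no program at all and only fetches binaries at install time. One way to look before handing such a file to gdebi, as an added example that is not part of this thread: parse the .deb's outer ar container, list what the payload actually contains, and scan the maintainer scripts for download commands. The package name, paths and URL in the constructed sample are hypothetical, and this inspection complements, not replaces, the signature and origin questions the reply raises.

```python
import io, re, tarfile

# Constructed sample .deb (ar archive with debian-binary, control.tar, data.tar),
# built in memory so the check runs offline; "example-downloader" is hypothetical.
def _ar_member(name, data):
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return hdr + data + (b"\n" if len(data) % 2 else b"")  # ar pads to even size

def _tar_bytes(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name); info.size = len(content); info.mode = 0o755
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_sample_deb():
    postinst = b"#!/bin/sh\nwget -O /opt/app/app.bin https://example.invalid/app.bin\n"
    control = _tar_bytes({"./control": b"Package: example-downloader\nVersion: 1.0\n",
                          "./postinst": postinst})
    data = _tar_bytes({"./usr/share/doc/example-downloader/README": b"placeholder\n"})
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar", control) + _ar_member("data.tar", data))

def parse_ar(blob):  # the outer .deb container is a plain ar archive
    if blob[:8] != b"!<arch>\n": raise ValueError("not an ar archive, so not a .deb")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        name = blob[pos:pos + 16].decode().strip().rstrip("/")  # GNU ar may append '/'
        size = int(blob[pos + 48:pos + 58].decode())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return members

FETCH_RE = re.compile(r"\b(wget|curl|git|pip)\b")  # install-time download hints

def inspect_deb(blob):  # list the payload, flag scripts that download during install
    tars = {k.split(".tar")[0]: v for k, v in parse_ar(blob).items() if ".tar" in k}
    report = {"payload_files": [], "maintainer_scripts": {}, "fetches_at_install": False}
    with tarfile.open(fileobj=io.BytesIO(tars["data"])) as tf:  # .xz/.gz auto-detected
        report["payload_files"] = [m.name for m in tf.getmembers() if m.isfile()]
    with tarfile.open(fileobj=io.BytesIO(tars["control"])) as tf:
        for m in tf.getmembers():
            base = m.name.lstrip("./")
            if base in ("preinst", "postinst", "prerm", "postrm"):
                text = tf.extractfile(m).read().decode(errors="replace")
                hits = sorted(set(FETCH_RE.findall(text)))
                report["maintainer_scripts"][base] = hits
                report["fetches_at_install"] |= bool(hits)
    return report
```

A package whose payload is a lone README while postinst calls wget is exactly the "installer that grabs binaries off the internet" case; what it fetches is outside anything a signature on the .deb can vouch for.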