On 7/1/21 7:38 PM, Jeremy Stanley wrote:
> On 2021-07-02 01:24:09 +0000 (+0000), Paul Wise wrote:
>>
>> For sophisticated users it isn't very hard to verify that packages
>> don't do anything malicious as root. `apt install --download-only`,
>> `dpkg-deb --raw-extract`, read the maintainer scripts and check which
>> files are installed into the package.
> [...]
>
> On each machine where you install it, unless you confirm the
> checksum hasn't changed from one to the next. Also each and every
> time you upgrade it. And it goes without saying, if you're worried
> about this, don't enable unattended upgrades for anything from that
> repository.
I actually do this (for the wine and google-chrome [1] packages from their upstreams). You (at least) need to also check for any setuid binaries. Don't forget that .desktop files can trigger execution, and files under /etc can also cause unsafe behavior. (I have been hoping that there are no major security bugs in man(1) opening unsafe pages.)

Best,
Antonio

[1] Significantly more needs to be done for chrome, since it does, indeed, include a setuid wrapper script.
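The review steps the thread describes (read the maintainer scripts, list what gets installed, look for setuid binaries, .desktop files and files under /etc, and compare checksums from one machine or upgrade to the next) as an added shell example, not code from anyone in the thread. It assumes the package has already been unpacked with `dpkg-deb --raw-extract pkg.deb DIR`, and that POSIX `find` and GNU coreutils `sha256sum` are available.

```shell
#!/bin/sh
# Added example: audit a tree produced by `dpkg-deb --raw-extract pkg.deb DIR`,
# where DIR/DEBIAN holds the control files and the rest is the payload that
# would be unpacked onto the system.

# List payload files (everything except DEBIAN/), with optional extra find tests.
deb_payload_files() {
    dir=$1; shift
    find "$dir" -path "$dir/DEBIAN" -prune -o -type f "$@" -print
}

# Print each path in $2 prefixed with the label $1 and mark the tree as flagged.
flag() {
    [ -n "$2" ] || return 0
    printf '%s\n' "$2" | sed "s|^|$1: |"
    flagged=1
}

# Report everything that deserves a human look; return 1 if anything was found.
audit_deb_tree() {
    dir=$1
    flagged=0
    # Maintainer scripts run as root on install, upgrade and removal.
    for s in preinst postinst prerm postrm; do
        if [ -f "$dir/DEBIAN/$s" ]; then
            echo "maintainer script: DEBIAN/$s (read it before installing)"
            flagged=1
        fi
    done
    # setuid/setgid files keep running with elevated privileges after install.
    flag 'setuid/setgid' "$(deb_payload_files "$dir" \( -perm -4000 -o -perm -2000 \))"
    # .desktop entries can launch commands when a desktop session opens them.
    flag 'desktop entry' "$(deb_payload_files "$dir" -name '*.desktop')"
    # Files under /etc change system-wide behaviour (cron, PAM, profile.d, ...).
    flag 'file under /etc' "$(deb_payload_files "$dir" -path "$dir/etc/*")"
    return $flagged
}

# Stable fingerprint of the whole tree (paths plus sha256 of every file,
# DEBIAN/ included) for comparing the same package across machines or upgrades.
deb_tree_fingerprint() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 \
        | sha256sum | cut -d' ' -f1)
}
```

Run `audit_deb_tree DIR` after extraction; a non-zero exit means there is something to read before letting dpkg run it as root, and `deb_tree_fingerprint DIR` gives the value to compare with the copy you already reviewed elsewhere.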