While installing various programs, I get asked to download some packages that are required for it to work. Some of them are well known applications, where the read-me document is trustworthy whereas some other lesser known programs are the ones where I guess I need to be careful.
So, I'm trying to install a game known as Tennis Elbow, where the read me doc says:
On Ubuntu 14.10 64bit, the following instructions have been reported to work:
sudo apt-get install libcurl3:i386
sudo apt-get install libvorbisfile3:i386
So, how can we know if the files I download are safe or not?
I know this seems like more than one question, but I basically need this game to work, and so I just need know if I it is safe to install the packages mentioned or not.
Is it possible to install a malicious program using apt-get? Sure, but that requires there to be malicious software in your computer's listed repositories. That can happen:
If you have added a malicious repository, it can provide malicious packages. PPAs, for example could contain malicious code. They can also provide any package (they could provide an
ubuntu-minimalreplacement that would infect everybody.But not just PPAs. Software in the main repositories could be infected, either because the Ubuntu maintainer is hacked or disgruntled, or because the Debian upstream maintainer is hacked or disgruntled, or that the original developer is hacked or disgruntled and that bad code filters through uncaught.
Somebody has somehow managed to intercept your network traffic and has also somehow managed to either sign a packages' manifest or alter a binary package without altering the package checksum.
Both are incredibly unlikely unless you've been adding random keys, but even then it's hard to do without being at least partially on-site. It's a pretty complicated hack to pull off.
But is any of that it likely here? Is it telling you to install malicious software?
No. It's just asking you to install 32bit versions of these libraries because it uses them but was compiled against their 32bit versions.
But what are they? libcurl3 is used for downloading things within an application and libvorbisfile3 is for decoding Vorbis-encoded audio.
The :i386 on the end of the package name means. It's specifying the architecture. In Ubuntu's case, we use i386 to mean 32bit, it's actually compiled with i686 processor instructions.
If you're going to be paranoid about anything, downloading and running a closed source binary from a random website is the real danger here.
No comments:
Post a Comment