- 07-01-2009 #1Just Joined!
- Join Date
- Jul 2009
- Posts
- 16
Software Sources - Download Safety?
Greetings Ubuntu gurus!
Please forgive me if this has been answered over-and-over: I tried some searches and found surprisingly little on this topic.
I have noticed that Ubuntu software is acquired from various sources. In my case I've added another (mirror.uoregon.edu/ubuntu/archives). Then there are also other 3rd party sources, such as archive.canonical.com, dl.google.com/linux/deb, and ppa.launchpad.net.
And these are just the ones I see when using the panel. Which (I guess) implies that I could use others when using apt, etc, thru the terminal.
So (finally!) my question: can we all trust this software to be free of trojans, worms, etc? Is there any way for a Newbie to tell and/or verify?
Thanks in advance!
- 07-01-2009 #2Linux User
- Join Date
- May 2009
- Location
- Big River, Sask, Canada
- Posts
- 342
The best way is to check the MD5sums for all software you download, and if you want to be sure, check that the sums are the same for the same software at different sites.
Registered Linux User #420832
- 07-01-2009 #3
Any of the official mirrors are perfectly safe, assuming you trust Ubuntu not to purposefully insert malware into their code. With all repositories, there is a verification key that you should also have, which validates the legitimacy of the site, and your package manager will also check what's called the md5sum, which validates that the package Ubuntu uploaded is exactly the same as the package you downloaded.
Third party mirrors, I would be more cautious of, though any that are listed in the default Ubuntu configuration should be fine. There are other well known 3rd party repos that I trust as well, specifically medibuntu. Again, these should offer the GPG verification key. Assuming you trust the 3rd party hosting the repository, and make sure you have the correct keys and such, there is minimal risk.
This is one of the reasons Linux is less prone to malware attacks. Rather than roam all over the web downloading random self-contained binaries, you have pretty much all the software you could ever want available through trusted verified sources.
- 07-01-2009 #4Just Joined!
- Join Date
- Jul 2009
- Posts
- 16
Thank you, Hal and Reed!
I think I did have to add a new one for Flash (not really my favorite software but some sites need it (argh!) and guess I can trust it ... maybe!)
I will look into the features you mention - GPG and md5sum. (Hints welcome!)
What a great forum; hopefully I won't drive everyone too crazy.
All the best, and thanks again!
- 07-01-2009 #5
Flash is in the official repositories for Ubuntu. Where did you install it from?
Ubuntu -- Package Search Results -- flash
More on GPG and md5sum:
Beginners Guide to GnuPG - Ubuntu Forums
https://help.ubuntu.com/community/GnuPrivacyGuardHowto
https://help.ubuntu.com/community/HowToMD5SUM
- 07-01-2009 #6Just Joined!
- Join Date
- Jul 2009
- Posts
- 16
Hello Reed, thanks for your response! I downloaded from adobe.com. I had tried downloading the .deb from there as well - it just never worked for me. I had all sorts of difficulty getting Flash to work; I had gone through the instructions in another post and all seems to (knock wood) work fine now.
Thanks all; I'm sure we'll be talking again soon!
- 07-01-2009 #7
It's generally safe to download from a project's official website as well.
- 07-01-2009 #8Just Joined!
- Join Date
- Jul 2009
- Posts
- 16
cool, thanks! (there must be some residual paranoia from my Windows days, lol!)