29

There are several ways to install an application in Ubuntu:

  • You can download a source tarball (generally a .tar.gz or a .tar.bz2 file) and install it manually. (See How do I install a .tar.gz (or .tar.bz2) file?)

  • You can download a .deb file and install it manually, using dpkg or the Software Centre.

  • You can search for the application in the Ubuntu Software Centre and install it there, or use apt with the official Ubuntu repositories.

  • You can find a PPA or a third-party repo, and install it from there.

What are the pros and cons of each method? Please discuss security implications, frequency of updates and program reliability of each method in your answer.

Flimm
  • 41,766
  • 1
that's a lot of questions in one. It might be slightly better to ask a more focused question. The default is to use the Ubuntu Software Center. A good compare/contrast would be between tarballs (.tar.gz) and the apt-get + .deb ecosystem (including command line and the Ubuntu Software Center). – Warren P Dec 02 '12 at 16:03
  • If asked as four separate questions, the answer would/should be the same for all four: prefer installing/updating using a pkg manager from repos (main or 3rd party). If that's not an option, then you can start getting into the general pros & cons of this 'n that -- but at that point it probably boils down to what app is being used & what you specifically want to do with it. (E.g., I install the standard provided "java" from the public repo, but as a developer I also install 5 different versions in /opt/java via tar.gz's). – michael Dec 02 '12 at 18:55

2 Answers

33
  • Reliability:
    • When installing from a tarball, software may try to overwrite other software. Build dependencies are needed, and the process has a high failure rate. If you are installing software that packages in the repositories depend on, this will not satisfy that dependency since it is not registered with dpkg, unless you use checkinstall to temporarily convert it to a debian package. With this, you do risk breaking dpkg. Even if the code is open-source, unless you make sure it hasn't been changed, you should still download it from a trusted site. You can install multiple versions of software, as long as it uses different directories. You can override this in the makefile.
    • Using a debian package will ensure files do not overwrite those of other programs, however, if using sudo dpkg -i file.deb, dependencies must be installed first. When installed this way, you won't get updates unless the package is also in the repositories, but this package will satisfy dependencies requiring this software. It will also most likely give this package a menu entry or at least register manpages. Debian packages usually are tested with Lintian which makes sure packages meet or exceed a set of standards that can be quite stringent, going as far as whether certain files have any executable code or not. Multiple versions of the same package cannot be installed. A badly made package can fail to install, fail to remove, or even break DPKG, leading to difficult repairs, frantic searches for backups, or even a reinstall if the problem is serious.
    • Using apt is the best option when possible. Dependencies will be automatically fetched and installed, and packages are built using reliable build server configurations at Launchpad, minimizing failures. Packages can be searched through aptitude or other such tools, and updates will be easily facilitated via the update manager. Since dependencies also come from apt, the package is more likely to interact with dependencies properly. Packages are tested via Lintian as with debs, but the testing, combined with highly stable build servers, makes for even more stable packages. Since the packages pass through Ubuntu's build servers, most likely they will be tweaked to integrate with the rest of the OS. Multiple versions of the same package cannot be installed. Since Ubuntu's build servers are used for PPAs, there is less chance you'll break apt due to auto-lintianing.
  • Updating:
    • With a tarball, you will get no updates, unless the program has its own check for them. With that, you will need to install such updates manually, and they won't be consolidated in a single place. You will probably be able to get nightly or even current source code in a tarball to compile and install. If you need bleeding-edge code, that may be useful.
    • With debian, packages will only be updated if you have the repository for them. Developers will most likely make debian packages a bit behind the bleeding edge source, but betas are often found with debs online.
    • With apt, packages will be updated very easily. Updates are consolidated in one place, the update manager, and are done automatically or semi-automatically. Unless you are on an alpha or beta of Ubuntu, you will be using well-tested versions, even if they are a version or two behind the current upstream source. Security updates will be pushed as soon as they are lightly tested to make sure they don't make the situation even worse. This means that your security will be protected with timely updates, but these updates will be checked to avoid data loss.
  • Security:
    • Tarballs are not digitally signed in any way. They may be mangled or modified by malicious third parties. Even if you do a hash sum (avoid MD5), you should still trust the owner of the site and the author of the package, since they provide the SHA- or MD5-sums.
    • Debian packages are not signed, however dpkg will not allow a debian package to overwrite the files of another, so a malicious deb can't destroy init or mess with bash by overwriting it. You should always trust the website and the author of the package.
    • apt uses signed keys for repositories, so they can't be mangled without a red flag coming up. PPA uploads are digitally signed so non-owners of the PPA cannot put up broken or unsafe packages. The no-overwrite for files of another package is also enforced. Of course, you should trust the PPA or repository owner, as unchecked packages with malicious code will execute upon being run.
nanofarad
  • 20,717
  • 1
    I suggest you add Integration. Ubuntu and upstream Debian package managers make sure that packages participate in system-wide features, like the alternatives system (I have X programs that can open a web page, which one do I want to be the default) and so on. A manual tarball install doesn't usually work that way. – Warren P Dec 02 '12 at 16:02
  • @WarrenP I did indeed add that, but it may not be clear. Thanks! – nanofarad Dec 02 '12 at 17:22
  • Was "If you are installing software that packages in the repositories depend on, this will not satisfy that dependency since it is not registered with dpkg." in the first bullet point meant to cover Integration? –  Jan 30 '13 at 03:15
  • 1
    @vasa1 This is regarding tarballs, since Apt and dpkg will check their databases, not the filesystem, in determining whether a package is installed. You can always use checkinstall to work around that. – nanofarad Jan 30 '13 at 11:25
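The answer above says a tarball carries no signature and that a hash sum is only worth something if it is not MD5 and the publisher is trusted. The following shell script is an added example, not code from the answer or from any Ubuntu tool: it checks a downloaded file against a SHA-256 digest and refuses to proceed when handed a 32-character (MD5-length) or otherwise malformed digest, so a weak checksum cannot silently pass. The file it creates as `hello-1.0.tar.gz` is constructed stand-in data so the script runs offline; everything else is plain coreutils.

```shell
#!/bin/sh
# Added example (not from the answer above): checking a downloaded source
# tarball against a publisher's SHA-256 digest before unpacking it.
# Needs only coreutils; the "tarball" written by make_demo_tarball is a
# constructed stand-in so the script runs offline.

# verify_sha256 FILE DIGEST
#   0  file matches DIGEST
#   1  file does not match (tampered, truncated, or the wrong file)
#   2  DIGEST is not a usable SHA-256 hex string (e.g. a 32-char MD5 sum)
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) echo "refusing: digest is not hex" >&2; return 2 ;;
    esac
    case ${#expected} in
        32) echo "refusing: 32 hex chars is an MD5 sum; ask the publisher for SHA-256" >&2; return 2 ;;
        64) ;;
        *)  echo "refusing: unexpected digest length ${#expected}" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MISMATCH for $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# make_demo_tarball: write a small file standing in for hello-1.0.tar.gz
# and print its path (constructed data, not a real upstream release).
make_demo_tarball() {
    dir=$(mktemp -d)
    printf 'stand-in for a gzip tar stream\n' > "$dir/hello-1.0.tar.gz"
    printf '%s\n' "$dir/hello-1.0.tar.gz"
}

# When saved as verify_tarball.sh and run directly: verify the demo file,
# then show the failure path by appending one byte, which is what a
# truncated or tampered download looks like to the check.
if [ "${0##*/}" = "verify_tarball.sh" ]; then
    tarball=$(make_demo_tarball)
    digest=$(sha256sum "$tarball" | cut -d' ' -f1)
    verify_sha256 "$tarball" "$digest" && echo "OK: $tarball"
    printf 'x' >> "$tarball"
    verify_sha256 "$tarball" "$digest" || echo "rejected after modification"
fi
```

For a real download, `DIGEST` is the value the publisher prints on the release page, ideally read over HTTPS from a page you already trust, and the file is only unpacked after `verify_sha256` returns 0. The check says nothing about whether the publisher itself is honest, which is the trust point the answer makes.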
20

The short answer is that installing from the Ubuntu Software Centre is generally preferable to all the other methods. However, there are times when you may want to install a program from somewhere else.


Installing from source:

  • Security implications: You need to trust the authors of the software and the website that hosts the download. You should also check that the download is performed through HTTPS, otherwise, a third-party may modify the download.

  • Frequency of updates: You'll always get the latest and best! The updates will be as frequent as the original authors choose. However, you will need to check for updates yourself manually.

  • Reliability: It may not be as reliable as other methods, because the software will have gone through less testing, and may not even have been tested at all for Ubuntu, just other Linux distros.

  • Ease of installation and uninstallation: Most difficult out of all the options. Even experienced users may avoid this option, because they prefer using native Debian packages, which are much easier to manage.

Installing from a .deb package:

  • Security implications: Same as installing from source.

  • Frequency of updates: Same as installing from source.

  • Reliability: Slightly better than installing from source. If the authors have provided a .deb package, that implies that they probably have done some minimal testing on Debian or Ubuntu.

  • Ease of installation and uninstallation: Very easy. Just double-click and click "install"! Similarly easy for uninstallation.

Installing from the Ubuntu Software Centre:

  • Security implications: You need to trust the authors of the software, and the Ubuntu repo maintainers. On the whole, this is better security than installing directly from source, because the program has been reviewed to some extent by Debian and/or Ubuntu maintainers. Debian and/or Ubuntu maintainers can patch the program to fix security flaws, too, if the program is open source.

  • Frequency of updates: Debian and/or Ubuntu maintainers only select some releases of the software. (For example, they may only choose stable updates). There is a delay between the release of a program, and its inclusion in the Debian and/or Ubuntu repos. If you want the latest and greatest, this is not the best option. If you want stable updates that have been reviewed, this is a good option. Updates are proposed automatically through the update manager and apt-get.

  • Reliability: Much better than installing from source, as the program has been reviewed and adjusted for Ubuntu.

  • Ease of installation and uninstallation: Very, very easy.

Installing from a PPA or a third-party repo:

  • Security implications: You need to trust the authors of the software, and whoever maintains the PPA. Absolutely anyone can host a PPA, so don't trust the PPA just because it's on Launchpad. The user could have been lazy and not reviewed the software at all.

  • Frequency of updates: It depends on the PPA. Checking for updates is easy.

  • Reliability: Frequently less reliable than installing from the Ubuntu Software Centre. PPAs are there for programs that do not yet meet the standards for the Ubuntu Software Centre, so they are practically guaranteed to be less reliable.

  • Ease of installation and uninstallation: It's not hard to learn, and it fits in well with Ubuntu's package management.

Flimm
  • 41,766
  • Both this question and this answer seem to be constructed to recommend the ubuntu software center without really understanding the apt-get system underneath at all. However I really doubt people choose between "installing from a .deb package that I downloaded" and using the ubuntu software center. They probably choose between using the GUI U.S.C and the non-gui apt-get command at the commandline. – Warren P Dec 02 '12 at 16:06
  • 1
    The USC is just a frontend for apt-get anyway. Let's not turn this into a GUI vs command-line debate. If you think that choice is worth discussing, start another question. – Flimm Dec 02 '12 at 17:32
  • 2
    @Flimm: not quite, USC can also install .deb package so it's more appropriate to call USC a frontend for apt-get and dpkg. – Lie Ryan Dec 02 '12 at 19:22
  • 1
    I'm not saying "debate", I'm saying "users come here to get clarity, and this question and this answer don't seem to clarify matters much". – Warren P Dec 03 '12 at 02:39
  • 1
    @LieRyan: agreed. – Flimm Dec 03 '12 at 12:02
  • 1
    @WarrenP: I disagree on what users come here for. Users come here to decide from where to download and install an application. If that is not clear from the question, we can edit it. I think the question is clear, if you have another question that is more useful to users, create a new question post. – Flimm Dec 03 '12 at 12:04
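The answer above makes two practical points: a download should go over HTTPS, and a PPA or third-party repository deserves no more trust than whoever runs it. The shell script below is an added example, not code from the answer or from apt itself. It audits one-line `deb ...` entries of the kind found in `/etc/apt/sources.list` and `/etc/apt/sources.list.d/*.list` and flags entries whose key is not pinned to that repository with apt's `signed-by=` option (without it, a third-party key placed in the global trust store can sign packages for any configured repository), entries fetched over plain `http://`, and entries pointing at a Launchpad PPA. Deb822-style `.sources` stanzas are skipped, not parsed. The sample entries in `sample_sources` are constructed, including the `repo.example.org` and `someteam/someppa` names.

```shell
#!/bin/sh
# Added example (not from the answer above): auditing one-line apt source
# entries for the caveats the answer raises about PPAs and third-party repos.
#   * no [signed-by=...] option: the repo's key lands in the global trust
#     store, so that key could vouch for packages from ANY configured repo
#   * plain http:// transport: apt still verifies the Release signature, but
#     the transfer itself is unauthenticated
# Entries are read from stdin, so this works on constructed lines or on
# `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list`.

# audit_apt_sources: print one line per finding, return the finding count.
audit_apt_sources() {
    findings=0
    set -f                       # no globbing while we word-split entries
    while IFS= read -r line; do
        case $line in
            deb\ *|deb-src\ *) ;;
            *) continue ;;       # blank, comment, or deb822 stanza line
        esac
        set -- $line
        shift                    # drop "deb" / "deb-src"
        [ $# -gt 0 ] || continue
        opts=
        if [ "${1#\[}" != "$1" ]; then
            # option block [k=v k=v]; may span several words
            while [ $# -gt 0 ]; do
                opts="$opts $1"
                word=$1
                shift
                case $word in *\]) break ;; esac
            done
        fi
        uri=$1
        case $uri in
            http://*)
                echo "WARN  plain http (transport unauthenticated): $uri"
                findings=$((findings + 1)) ;;
        esac
        case $opts in
            *signed-by=*) ;;
            *)
                echo "WARN  no signed-by, its key is trusted for every repo: $uri"
                findings=$((findings + 1)) ;;
        esac
        case $uri in
            *://ppa.launchpad.net/*|*://ppa.launchpadcontent.net/*)
                echo "NOTE  PPA: anyone can publish one, trust its owner: $uri" ;;
        esac
    done
    set +f
    return $findings
}

# Constructed sample entries (not copied from any real system).
sample_sources() {
    cat <<'EOF'
deb http://archive.ubuntu.com/ubuntu focal main restricted
deb [arch=amd64 signed-by=/usr/share/keyrings/example-keyring.gpg] https://repo.example.org/ubuntu focal stable
deb https://ppa.launchpadcontent.net/someteam/someppa/ubuntu focal main
# deb-src https://ppa.launchpadcontent.net/someteam/someppa/ubuntu focal main
EOF
}

# run_sample: audit the constructed entries; exit status is the finding count.
run_sample() {
    sample_sources | audit_apt_sources
}
```

On the sample input the first entry produces two findings (plain HTTP and no `signed-by`), the pinned `repo.example.org` entry produces none, and the PPA entry produces one finding plus a note, so `run_sample` returns 3. The finding count is returned as the exit status for scripting convenience; it saturates at 255 like any shell status, so very long source lists should count the printed `WARN` lines instead.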