8

While installing various programs, I get asked to download some packages that are required for it to work. Some of them are well known applications, where the read-me document is trustworthy whereas some other lesser known programs are the ones where I guess I need to be careful.

So, I'm trying to install a game known as Tennis Elbow, where the read me doc says:

On Ubuntu 14.10 64bit, the following instructions have been reported to work:

sudo apt-get install libcurl3:i386
sudo apt-get install libvorbisfile3:i386

So, how can we know if the files I download are safe or not?

I know this seems like more than one question, but I basically need this game to work, and so I just need to know if it is safe to install the packages mentioned or not.

Harsha
  • 508
  • This is a strange question, what is your actual question? Do you want to know about a package you installed through apt-get? Do some research, the Ubuntu repositories are well documented and controlled https://www.google.co.uk/search?client=ubuntu&channel=fs&q=libvorbisfile3%3Ai386&ie=utf-8&oe=utf-8&gfe_rd=cr&ei=mJZyVtzlO4W_oQfagYboCA or do you want to fix your game? You are using an unsupported driver, these two things are not related, please try to ask one question at a time so clear and concise answers can be given. – Mark Kirby Dec 17 '15 at 11:06
  • I'm sorry this seems like more than one question. I just need this game to work without my system potentially getting infected – Harsha Dec 17 '15 at 11:14
  • Also, I have made a simple search regarding the packages, but I couldn't really understand much of what I need from the search results. – Harsha Dec 17 '15 at 11:17
  • As a straightforward answer to the question's title: of course, depending on the sources you've added. – Jacob Vlijm Dec 17 '15 at 11:22
  • I'm no security expert, so someone else should really comment on that, but you must submit your software to the repos, it is not just for anyone who wants to upload something (think play store or Apple store), so it is safer than getting it from the internet. As for your game, I need to know, Your GPU and the current driver version you have and also is that on WINE ? The error box looks like Wine – Mark Kirby Dec 17 '15 at 11:23
  • Yes, it occurred when I downloaded and ran the windows version. The package recommendation however is for the Linux version of it. Sorry that I got confused between those two issues. – Harsha Dec 17 '15 at 11:27
  • Why not get the Linux version? WINE is not 100% and those packages won't affect the Wine version, it has its own Windows stuff for running the game. That game is obscure and not even tested on winehq, so probably won't work. You should use Linux native software on Linux, every time. – Mark Kirby Dec 17 '15 at 11:31
  • Curl? That's not dangerous. – Star OS Dec 17 '15 at 11:39

1 Answer

13

Is it possible to install a malicious program using apt-get? Sure, but that requires there to be malicious software in your computer's listed repositories. That can happen:

  • If you have added a malicious repository, it can provide malicious packages. PPAs, for example, could contain malicious code. They can also provide any package (they could provide an ubuntu-minimal replacement that would infect everybody).

  • But not just PPAs. Software in the main repositories could be infected, either because the Ubuntu maintainer is hacked or disgruntled, or because the Debian upstream maintainer is hacked or disgruntled, or that the original developer is hacked or disgruntled and that bad code filters through uncaught.

  • Somebody has somehow managed to intercept your network traffic and has also somehow managed to either sign a package's manifest or alter a binary package without altering the package checksum.

    Both are incredibly unlikely unless you've been adding random keys, but even then it's hard to do without being at least partially on-site. It's a pretty complicated hack to pull off.

But is any of that likely here? Is it telling you to install malicious software?

No. It's just asking you to install 32bit versions of these libraries because it uses them but was compiled against their 32bit versions.

But what are they? libcurl3 is used for downloading things within an application and libvorbisfile3 is for decoding Vorbis-encoded audio.

The :i386 on the end of the package name specifies the architecture. In Ubuntu's case, we use i386 to mean 32bit; it's actually compiled with i686 processor instructions.


If you're going to be paranoid about anything, downloading and running a closed source binary from a random website is the real danger here.

Oli
  • 293,335
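
The answer's first point, that what apt installs depends on the repositories you have added, can be checked by looking at which source offers the version apt would pick. This is an added example, not part of the original answer; the sample `apt-cache policy` output, its version strings, the PPA name and the allowlist of hosts are constructed assumptions.

```shell
# Added example: is the version apt would install offered only by official
# Ubuntu archive hosts? Reads the text of `apt-cache policy <package>` on stdin.

# Print the URL of every repository offering the Candidate version.
candidate_sources() {
    awk '
        $1 == "Candidate:"       { cand = $2; next }
        $1 == "Version"          { in_table = 1; next }
        in_table && $2 ~ /:\/\// { if (current == cand) print $2; next }
        in_table && $2 ~ /^\//   { next }  # local dpkg status entry
        in_table                 { current = ($1 == "***") ? $2 : $1 }
    '
}

# Exit status: 0 = official hosts only, 1 = other source found, 2 = no candidate.
candidate_is_official() {
    sources=$(candidate_sources)
    [ -n "$sources" ] || return 2
    rc=0
    for url in $sources; do
        host=${url#*://}; host=${host%%/*}
        case "$host" in   # assumed allowlist; adjust for your mirror
            archive.ubuntu.com|*.archive.ubuntu.com|security.ubuntu.com) ;;
            *) echo "non-official source: $url" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample output; versions and the PPA name are placeholders.
sample_official() { cat <<'EOF'
libvorbisfile3:i386:
  Installed: (none)
  Candidate: 1.0-2
  Version table:
     1.0-2 0
        500 http://security.ubuntu.com/ubuntu/ utopic-security/main i386 Packages
EOF
}
sample_ppa() { cat <<'EOF'
libcurl3:i386:
  Installed: 1.0-1
  Candidate: 9.9-1~ppa1
  Version table:
     9.9-1~ppa1 0
        500 http://ppa.launchpad.net/example-user/example-ppa/ubuntu/ utopic/main i386 Packages
 *** 1.0-1 0
        500 http://archive.ubuntu.com/ubuntu/ utopic/main i386 Packages
        100 /var/lib/dpkg/status
EOF
}
sample_ppa | candidate_is_official || echo "review sources before installing"
```

On a real system, pipe `apt-cache policy libcurl3:i386` into `candidate_is_official` before installing.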