Security Considerations on Linux Package Management

Hello!I am Tharindu Edirisinghe

You can find me at ….

tharindue.blogspot.com @thariyarox https://lk.linkedin.com/in/ediri ediri@live.com

Source : http://www.slideshare.net/tshrinivasan/foss-history-1300788

Source : http://www.aboutlinux.info/2006/04/mind-map-of-linux-distributions.html

Linux family tree

Ubuntu packages and software repositories

PPA - Personal package archive A Personal Package Archive (PPA) is a special software repository for uploading source packages to be built and published as an APT repository by Launchpad. While the term is used exclusively within Ubuntu, Launchpad host Canonical envisions adoption beyond the Ubuntu community.Source : http://askubuntu.com/questions/4983/what-are-ppas-and-how-do-i-use-them https://en.wikipedia.org/wiki/Personal_Package_Archive

Installing ubuntu packages from official repo

sudo apt-get install <package name>

Installing a package from a ppaYou can add a PPA to your system with a single line in your terminal. Open a terminal and enter:

sudo add-apt-repository ppa:shutter/ppa

Now, as a one-off, you should tell your system to pull down the latest list of software from each archive it knows about, including the PPA you just added:

sudo apt-get update

Install Shuttersudo apt-get install shutter

Installing a debian package directly

sudo dpkg -i <package file>

APT (Advanced packaging tool)The Advanced Package Tool, or APT, is a free software user interface that works with core libraries to handle the installation and removal of software on the Debian, Slackware and other Linux distributions. APT simplifies the process of managing software on Unix-like computer systems by automating the retrieval, configuration and installation of software packages, either from precompiled files or by compiling source code.

APT was originally designed as a front-end for dpkg to work with Debian's .deb packages, but it has since been modified to also work with the RPM Package Manager system via APT-RPM.The Fink project has ported APT to Mac OS X for some of its own package management tasks, and APT is also available in OpenSolaris.

Source : https://en.wikipedia.org/wiki/Advanced_Packaging_Tool

Dpkg dpkg is the software at the base of the package management system in the free operating system Debian and its numerous derivatives. dpkg is used to install, remove, and provide information about .deb packages.

Source : https://en.wikipedia.org/wiki/Dpkg

Debian package structurepackage_name├── DEBIAN│ ├── control (meta data of the package)│ ├── preinst (execute before installing the package)│ ├── postinst (execute after installing the package) │ ├── prerm (execute before un-installing the package)│ └── postrm (execute after un-installing the package)│ └── /……. (folders and files following the linux file structure)

Source : https://www.hivelocity.net/kb/what-are-preinst-postinst-prerm-and-postrm-script-2/

demo

Creating a debian package

mkdir -p helloworld_1.0-1/usr/local/bin

cp ~/Projects/Hello World/helloworld helloworld_1.0-1/usr/local/bin/

mkdir helloworld_1.0-1/DEBIAN

vi helloworld_1.0-1/DEBIAN/control

dpkg-deb --build helloworld_1.0-1

Source : https://ubuntuforums.org/showthread.php?t=910717

Package: helloworldVersion: 1.0-1Section: basePriority: optionalArchitecture: i386Depends: libsomethingorrather (>= 1.2.13), xyz (>= 1.2.6)Maintainer: Tharindu Edirisinghe <ediri@live.com>Description: Hello World When you need some sunshine, just run this small program!

Useful commandsInstall a Debian (.deb) package

× sudo dpkg -i <package name>

List installed packages× dpkg -l <package name with/out wildcards>

Un-Install a Debian (.deb) package binaries× sudo dpkg --remove <package name>

Un-Install a Debian (.deb) package binaries and configuration files× sudo dpkg --purge <package name>

Debian packages example

referencesLinux Package Managementhttps://www.linode.com/docs/tools-reference/linux-package-management

Package Management Securityhttps://isis.poly.edu/~jcappos/papers/cappos_pmsec_tr08-02.pdf

Debian Packaging Tutorialhttps://www.debian.org/doc/manuals/packaging-tutorial/packaging-tutorial.en.pdf

THANKS!Any questions?You can find me at ….

tharindue.blogspot.com @thariyarox https://lk.linkedin.com/in/ediri ediri@live.com