this post was submitted on 21 Mar 2026

45 points (95.9% liked)

Linux

64004 readers

926 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

Is it safe to assume that all apps from the software store (Discover in my case) are safe? (lemmy.org)

submitted 2 days ago by Cekan14@lemmy.org to c/linux@lemmy.ml

36 comments fedilink hide all child comments

Hi, there!

Newbie question here: basically, the title. Perhaps what I'm asking is pretty obvious, but I'd like to double-check with the community on this.

I use Discover on my Debian KDE Plasma set-up, with Flatpaks enabled (but not Snaps). Sometimes, I come across apps (I did just yesterday, searching for translation apps to replace DeepL), that have according to its page, an unknown author and, sometimes, even an unkown licence, but which do require access permission to the whole system (this latter requirement applying specifically to Deb packages, from what I've seen).

Under these circumstances, is it safe to assume that such apps will still be safe because of the fact that they appear listed on Discover (in other words, is Discover a guarantee of safety for the apps it shows, as in, some type of checked or proved content), or should I still be wary of potentially malicious software included on it?

Thank you very much in advance :)

you are viewing a single comment's thread
view the rest of the comments

[–] Cekan14@lemmy.org 3 points 2 days ago (2 children)

Thank you for your insightful comment. If I may incur once again in noobieness, what precisely do you mean when you say the "repository" of my distribution? Do you mean the pieces of software than come preinstalled with the OS itself?

[–] ardorhb@discuss.tchncs.de 3 points 1 day ago

I think others have answered your question here quit well, I hope you're not overwhelmed by all of this.

[–] banazir@lemmy.ml 4 points 1 day ago* (last edited 1 day ago) (1 children)

A repository (or repo) is a server that hosts program files for your distribution. Distributions host their own repositories from which you can install software with your package manager, like APT or DNF or others. If you only install software from your distribution's repository, there's likely no clashes with software versioning and dependencies, and the packages are about as reliable as they can be (which doesn't mean there's never malware). If you add third party repositories for software not available from your distribution's repository, it's more likely there will be issues, because the distribution doesn't guarantee the packages work well together.

For example, Debian and Arch don't retrieve and install their software from the same source. They have their own servers (repositories) hosting software compiled to work with their particular distro and to be used by their chosen package manager.

Flatpak (or Snap or Guix) is a separate package manager that handles it's own dependencies and doesn't clash with your distribution's own software manager.

Does this help?

[–] Cekan14@lemmy.org 4 points 1 day ago (2 children)

Hi! Thank you for your reply. So, if I understood correctly, whenever I click on "Install from Debian/GNU Linux" on Discover I am getting software directly from Debian's repository (thus, a "repository" in the sense that it's a place where this software is stored and can be retrieved); same thing when clicking on "Install from Flathub" for a Flatpak from Flathub. This does seem like the safest approach in the sense that it's the less risky one and, if malware did slip through, such as the XZ backdoor, at least it would not have been due to a personal mistake of mine, but a general one which would've affected much more people too.

This, in turn, is different from APT, which is not Debian's repository, but Debian's package manager. So, technically, I could write "sudo apt install (anything)" to get any piece of software from Debian's repository indeed, but I could also use that command to get software from somewhere else also in the form of a Deb package but which would not have come from Debian itself.

Did I get this right?

Thanks a bunch.

[–] banazir@lemmy.ml 5 points 1 day ago (1 children)

It may be a lot to take in at first, but seems to me you've got it!

[–] Cekan14@lemmy.org 3 points 1 day ago (1 children)

Thanks to you all for helping me understand it :)

[–] ozymandias117@lemmy.world 2 points 1 day ago* (last edited 1 day ago)

Maybe to help, you can see where you've enabled "repositories" that APT can download from in /etc/apt/sources.list and /etc/apt/sources.list.d

As long as you haven't manually installed a .dpkg package, or manually modified it, they should be something like

deb.debian.org security.debian.org

Some things like Slack may try to add their own repositories down there

When you type "sudo apt install" it is allowed to install from any configured repos down there

[–] IsoKiero@sopuli.xyz 3 points 1 day ago

This, in turn, is different from APT, which is not Debian’s repository, but Debian’s package manager. So, technically, I could write “sudo apt install (anything)” to get any piece of software from Debian’s repository indeed, but I could also use that command to get software from somewhere else also in the form of a Deb package but which would not have come from Debian itself.

With apt (and discover which uses apt/dpkg at the background) you can install anything from repositories configured on your system. So, if you want to use apt to install packages not built by Debian team you'll need to add those repositories in your system, so they don't just appear out of nothing.

Some software vendors offers .deb packages you can install which then add their own repository on your system and then you can 'apt install' their product just like you would on native Debian software and the same upgrade process which keeps your system up to date will include that '3rd party' software as well. Also some offer instructions on how to add their repository manually, but with a downloaded .deb it might be a bit easier to add repository without really paying attention to it.

Spotify is one of the big vendors who have their own repository for Debian and Ubuntu and with Ubuntu there's "ppa" repositories, which are basically just random individuals offering their packages for everyone to use and they are generally not going trough the same scrutiny than official repositories.