by mihaifm 2964 days ago
Can anyone clarify if this is a possibility for apt packages as well? As far as I understand, there are 4 types of apt repositories (for Ubuntu): Main, Universe, Restricted, Multiverse.

I guess Main is safe since it's handled by Canonical, but the rest?

Moreover, a lot of installers simply add a custom repository to sources.list.

What are some good practices for a novice user, regarding apt?


So, most source-based package managers are going to have higher standards & catch something like this. Not every line is going to be audited, but demanding free licenses, active git repos, and wide userbase goes a long way to keep stuff clean. Obviously many valuable packages are left out & you will be tempted to install the .deb files.

I would say if you are at all concerned about safety: don't install apps through .deb files that developers sometimes push. They are generally safe, but there is always a potential that these files are malware.

For instance, lots of people use Atom as their text editor, but Atom does not make it possible/easy for packagers to build Atom from source[1]! Everything used to come with a configure, build, & install script, but I guess it's not hip enough anymore.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747824
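The question above asks what a novice should watch for in apt, and notes that installers often add a custom repository to sources.list. The following is an added example written for this thread, not code posted by anyone in it: a small POSIX shell/awk audit that walks apt source lines and reports which entries point outside the Ubuntu archive (a heuristic based on the `*.ubuntu.com` hostname) and which carry the `[trusted=yes]` option, a real apt option that tells apt to skip signature verification for that source. The sources.list content and the `example.test` hostnames are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit apt source entries for
# third-party origins and for the [trusted=yes] option, which disables
# signature checking for that one source.

# Constructed sample of sources.list content; not copied from any real system.
SAMPLE_SOURCES='deb http://archive.ubuntu.com/ubuntu xenial main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu xenial-security main restricted
deb [arch=amd64] https://dl.example.test/linux/stable jessie main
deb [arch=amd64 trusted=yes] http://ppa.example.test/ubuntu xenial main
# deb-src http://archive.ubuntu.com/ubuntu xenial main'

# Read sources.list-style lines on stdin; print "URI: <flags>" per active entry.
# Flags: ubuntu-archive, third-party, unsigned-allowed.
audit_sources() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # skip comments and blanks
        {
            # Pull out an [options] block, if present, so the URI is always $2.
            opts = ""; line = $0
            s = index(line, "["); e = index(line, "]")
            if (s > 0 && e > s) {
                opts = substr(line, s, e - s + 1)
                line = substr(line, 1, s - 1) substr(line, e + 1)
            }
            $0 = line                      # re-split fields without the options block
            if ($1 != "deb" && $1 != "deb-src") next
            uri = $2
            flags = ""
            # Heuristic: anything not served from a *.ubuntu.com host is third-party.
            if (uri !~ /^https?:\/\/[^\/]*\.ubuntu\.com\//) flags = flags " third-party"
            # trusted=yes makes apt accept this source without a valid signature.
            if (opts ~ /trusted=yes/) flags = flags " unsigned-allowed"
            if (flags == "") flags = " ubuntu-archive"
            print uri ":" flags
        }'
}

# Count how many sample entries carry a given flag (helper for checking results).
count_flag() {
    printf '%s\n' "$SAMPLE_SOURCES" | audit_sources | grep -c "$1" || true
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SOURCES" | audit_sources
```

On a real system the same function can be fed with `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | audit_sources`; any line reported as `unsigned-allowed` deserves a second look, because it removes the one check that normally protects a custom repository against tampering in transit.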

Indeed, building from source is falling out of fashion, with everyone creating a package manager these days. I find some of these very opaque, for example Rust has its own package manager which downloads and runs binaries at its own discretion.

https://github.com/rust-lang-nursery/rustup.rs