Offline packages installation

Post by Larry78723 »

It's safe to do it that way as long as no additional packages are required.

Post by Termy »

I'd go a step further by saying it's perfectly fine to get packages yourself then install them on- or off-line, provided they are valid packages for your system and don't conflict with existing packages, although that latter point should be handled by APT anyway. I mean, APT is already getting these packages, so you'd just be cutting out the middle-man.

It wouldn't bother me to, for example, manually download a package update from Ubuntu's own servers, then install it on my system via dpkg(1), provided — again — it's a valid package for my system.

BTW, you might also like this link: http://packages.linuxmint.com/pool/main

You can download all (packages supported by all architectures) Debian packages from there, with:

Code:

wget -r -A _all.deb -A _amd64.deb -nd http://packages.linuxmint.com/pool/main

With that, you could make your own lil offline repository, but of course, it won't be automatically kept up-to-date. If you have an offline-only machine, this could be very useful. It's slow, but it works, at least when I tested it. Only do this if you need all or most of the packages, else you're hammering their servers for no reason.

Post by SimonPeter »

Termy wrote: Fri Jul 30, 2021 9:42 am You can download all (packages supported by all architectures) Debian packages from there, with:

Code:

wget -r -A _all.deb -A _amd64.deb -nd http://packages.linuxmint.com/pool/main

It's slow, but it works, at least when I tested it.
Only do this if you need all or most of the packages, else you're hammering their servers for no reason.

Needless to say, it would take up a LOT of data (I suppose something like the 100s of GBs). It would also give undue load to the server at http://packages.linuxmint.com/pool/main .

When your system's apt (the package manager) uses this http website, it cryptographically verifies the package's digital signature after downloading the package, thereby eliminating the need for https and making the package cryptographically verified.
This method employed by apt is very secure for its purpose of package management.
Termy wrote: Fri Jul 30, 2021 9:42 am

Code:

wget -r -A _all.deb -A _amd64.deb -nd http://packages.linuxmint.com/pool/main

But, THIS COMMAND wouldn't be secure (using http instead of https and not verifying signatures afterwards) - and some man-in-the-middle attacker (may even be your ISP, your WiFi provider etc.,) can crack it.

This command doesn't work for me. It just fetches "index.html.tmp" and removes it "since it should be rejected" -- continues this in an indefinite loop -- wasting my data and giving unnecessary load to the server.

Code:

2021-07-31 11:01:17 (1.86 MB/s) - ‘index.html.tmp’ saved [4449/4449]

Removing index.html.tmp since it should be rejected.

--2021-07-31 11:01:17--  http://packages.linuxmint.com/pool/main/i/iso-localize/
Reusing existing connection to packages.linuxmint.com:80.
HTTP request sent, awaiting response... 200 OK
Length: 1985 (1.9K) [text/html]
Saving to: ‘index.html.tmp’

index.html.tmp                        100%[=======================================================================>]   1.94K  --.-KB/s    in 0s      

2021-07-31 11:01:17 (32.9 MB/s) - ‘index.html.tmp’ saved [1985/1985]

Removing index.html.tmp since it should be rejected.

--2021-07-31 11:01:17--  http://packages.linuxmint.com/pool/main/k/kcm-mdm/
Reusing existing connection to packages.linuxmint.com:80.
HTTP request sent, awaiting response... 200 OK
Length: 2166 (2.1K) [text/html]
Saving to: ‘index.html.tmp’

index.html.tmp                        100%[=======================================================================>]   2.12K  --.-KB/s    in 0s      

2021-07-31 11:01:17 (9.03 MB/s) - ‘index.html.tmp’ saved [2166/2166]

Removing index.html.tmp since it should be rejected.
Last edited by SimonPeter on Sat Jul 31, 2021 2:08 am, edited 2 times in total.

Post by Moonstone Man »

SimonPeter wrote: Sat Jul 31, 2021 1:40 am Also, it wouldn't be secure as well (using http instead of https and not verifying signatures afterwards) - and some man-in-the-middle attacker (may even be your ISP, your WiFi provider etc.,) can easily crack it.

That's absolute FUD, to be honest. The reason that repos use HTTP is because HTTPS is not necessary as apt checks signatures. Packages are signed, whether they are manually downloaded over HTTP or by apt over HTTP, and signatures of manually downloaded packages can be checked with dpkg-sig.

Setting aside signatures, what is the probability that some middleman bad actor is monitoring the OP's connection to see if they manually download unknown package xyz so that the bad actor can insert their own copy of unknown package xyz? It's beyond absurd.

Post by SimonPeter »

Kadaitcha Man wrote: Sat Jul 31, 2021 1:54 am The reason that repos use HTTP is because HTTPS is not necessary as apt checks signatures. Packages are signed, whether they are manually downloaded over HTTP or by apt over HTTP, and signatures of manually downloaded packages can be checked with dpkg-sig.

Yes, apt is so secure in its design and it doesn't need https (honestly, I think apt is more secure than https).

Termy wrote: Fri Jul 30, 2021 9:42 am

Code:

wget -r -A _all.deb -A _amd64.deb -nd http://packages.linuxmint.com/pool/main

But, what I meant is that THIS command doesn't check any signatures and doesn't use dpkg-sig.
Last edited by SimonPeter on Sat Jul 31, 2021 2:05 am, edited 1 time in total.

Post by newlyminted7 »

Remember when the whole internet was http and only your bank used https? Ah, the good ol' days...
:)

Post by Moonstone Man »

SimonPeter wrote: Sat Jul 31, 2021 2:00 am
Termy wrote: Fri Jul 30, 2021 9:42 am

Code:

wget -r -A _all.deb -A _amd64.deb -nd http://packages.linuxmint.com/pool/main

But, what I meant is that THIS command provided by @Termy doesn't check any signatures and doesn't use dpkg-deb.

Well of course it doesn't check the signature. wget is acting as the downloader, which is exactly all that wget does.

Code:

boot@akhenaten:~$ man wget

WGET(1)                                       GNU Wget                                      WGET(1)

NAME
       Wget - The non-interactive network downloader.

Post by SimonPeter »

Kadaitcha Man wrote: Sat Jul 31, 2021 2:07 am
SimonPeter wrote: Sat Jul 31, 2021 2:00 am
Termy wrote: Fri Jul 30, 2021 9:42 am

Code:

wget -r -A _all.deb -A _amd64.deb -nd http://packages.linuxmint.com/pool/main

But, what I meant is that THIS command provided by @Termy doesn't check any signatures and doesn't use dpkg-deb.

Well of course it doesn't check the signature. wget is acting as the downloader, which is exactly all that wget does.

That is what I wanted to say -- Debian's apt is secure, but that specific (wget) command is insecure (in my opinion, it is similar to curl'ing and piping to sudo bash -- think of deb scripts like postinst, preinst ....)

Post by Moonstone Man »

SimonPeter wrote: Sat Jul 31, 2021 2:12 am That is what I wanted to say...

I'm out of this discussion. It's your responsibility to say what you mean, not mine.

Post by Termy »

SimonPeter wrote: Sat Jul 31, 2021 1:40 am ...

I never said the wget(1) approach was perfect. :roll: I agree that it's not a secure approach, but, by that logic, neither is simply downloading the Debian packages directly from the same place it would be were you to get them via the link the OP posted. However, the OP stated "safe in terms of functionality".

It would surely have worked, had you waited for it to start downloading the Debian packages — as I said, it's slow. By all means, download each of the 70 packages yourself, one by one. I would have written a script to more efficiently get the files, but I didn't feel like faffing about with that, and I doubted the OP would be interested in that VS a short one-liner. I imagine wget(1) downloads the HTM/L files to determine the locations of the Debian packages, then discards the HTM/L files once they're no longer needed.

Regarding the use of HTTP, talk to the Linux Mint developers about it, because that's what they've chosen to use. Go through the link the OP posted, now right-click the direct-download link to the package 'blueberry'; notice how it's HTTP? That's how I got the link I posted.

Post by SimonPeter »

Termy wrote: Sat Jul 31, 2021 6:54 am ...

It would be better to verify packages with dpkg-sig before installing them.

sudo apt install dpkg-sig # To install dpkg-sig
dpkg-sig --verify <the_deb_file>.deb # To verify the package
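
Added example (not part of any post in this thread, and not apt or Linux Mint code): apt's trust in a repository runs from the signed Release/InRelease file, to the SHA256 of each Packages index it lists, to the Size and SHA256 that index records for every .deb. The Python below applies the last two links to files fetched by hand, for instance with the wget command discussed above. It assumes the Release text has already been signature-checked (for example with gpgv against the repository's keyring); every file name and byte string in demo() is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def release_lists(release_text, rel_path, packages_bytes):
    """True if the (already signature-checked) Release text lists exactly this index file."""
    want, in_sha256 = hashlib.sha256(packages_bytes).hexdigest(), False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_sha256 = line.strip() == "SHA256:"  # entering or leaving the SHA256 section
        elif in_sha256:
            parts = line.split()
            if len(parts) == 3 and parts[2] == rel_path:
                return parts[0] == want and int(parts[1]) == len(packages_bytes)
    return False

def parse_packages(text):
    """Map .deb basename -> (size, sha256) from an uncompressed Packages index."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        if {"Filename", "Size", "SHA256"} <= fields.keys():
            index[Path(fields["Filename"]).name] = (int(fields["Size"]), fields["SHA256"])
    return index

def check_deb(path, index):
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded .deb."""
    p = Path(path)
    entry = index.get(p.name)
    if entry is None:
        return "unlisted"  # not in the index: treat as untrusted
    digest = hashlib.sha256(p.read_bytes()).hexdigest()
    same = p.stat().st_size == entry[0] and digest == entry[1]
    return "ok" if same else "mismatch"

def demo():
    """Constructed sample data: fake .deb bytes and index text, not real repository content."""
    d = tempfile.mkdtemp()
    listed = {"foo_1.0_all.deb": b"foo-bytes", "bar_2.0_amd64.deb": b"bar-bytes"}
    on_disk = {**listed, "bar_2.0_amd64.deb": b"tampered!", "baz_3.0_all.deb": b"baz"}
    for name, data in on_disk.items():
        Path(d, name).write_bytes(data)
    pk = "".join(f"Package: {n.split('_')[0]}\nFilename: pool/main/{n[0]}/{n}\nSize: {len(b)}\n"
                 f"SHA256: {hashlib.sha256(b).hexdigest()}\n\n" for n, b in listed.items()).encode()
    rel = f"SHA256:\n {hashlib.sha256(pk).hexdigest()} {len(pk)} main/binary-amd64/Packages\n"
    index = parse_packages(pk.decode())
    return (release_lists(rel, "main/binary-amd64/Packages", pk),
            {n: check_deb(Path(d, n), index) for n in on_disk})
```

Repositories usually serve the index compressed (Packages.gz or Packages.xz); the Release file lists a separate hash for each form, so compare against the entry for the file exactly as downloaded and decompress only after it matches.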