
If a newer version of a package was missing in my Debian or Ubuntu distribution, for many years I would visit https://launchpad.net/ubuntu or https://packages.debian.org, search for the package, download a newer version, try to install it, and see whether it was compatible with my system. There never was any problem with this approach.

But now, on every browser I use, I'm told that the download is insecure. Some browsers don't offer me any way to proceed. Firefox tells me that it is insecure, but allows me to download the package nevertheless. (What I do.)

As I understand it, the links provided on the two pages I mentioned are the same as those used by apt on Ubuntu or Debian.

My suspicion: there wasn't any change that would make my approach more insecure than using apt, just a change in the way browsers allow you to do what you want to do.

Please, correct me if I'm wrong.

Update: I was told that my question was answered in Are repository lists secure? Is there an HTTPS version?

Sure, the questions are related, but my question wasn't answered there:

  • My question was about browsers, not about apt. For a few weeks (or at most a few months) there has been a change in the way browsers treat Debian and Ubuntu webpages providing Debian packages.
  • The newest (updated) answer to the question in the link is from 2022. My problem only started at the end of 2025.
  • The question provided is about the security of apt using http instead of https sites. My question is about the security of webpages provided by Debian or Ubuntu. If those pages are insecure: Why are they still provided as is?
  • The main answer provided tells us that apt supports https. ("APT does work over HTTPS and you can use HTTPS in an APT sources entry to apply another level of assurance to your connection (if the repository you're using supports it).") But I tried to access package links on the two pages I mentioned, and neither supports https connections.

Again: the questions are obviously related but not the same. The answers provided in the link throw some light on my question, but don't answer it.

  • This question is similar to: Are repository lists secure? Is there an HTTPS version?. If you believe it’s different, please edit the question, make it clear how it’s different and/or how the answers on that question are not helpful for your problem. Commented Dec 26, 2025 at 7:00
  • The browser does limited checking of what type of file it is, and whether or not it was signed when created, and now gives a warning regardless of internals, which makes sense in one way, as you may use the package (after download) in a way where the internal cryptographic signing isn't checked anyway, i.e. safe or dangerous will ultimately depend on how you use the download (not the download itself). Commented Dec 26, 2025 at 7:03
  • Your recent edit that you posted five minutes ago convinced me that your question is not a duplicate of the question that @guiverc linked to in his comment. Commented Dec 26, 2025 at 8:25
  • "I'm told that the download is insecure" This sentence is very vague. Please show us a screenshot of the message. Also, check the date and time of your system. What is the output of the command timedatectl? Commented Dec 26, 2025 at 8:55
  • @guiverc Thanks for your second answer! I downloaded a package linked on packages.debian.org. An MD5 checksum was provided on the webpage. I used md5sum, and it provided the same checksum. What are the reasons I should still be more worried than when just trusting apt? Commented Dec 26, 2025 at 9:13

1 Answer

Your understanding is basically right.

Nothing has suddenly become less secure in Debian or Ubuntu themselves. What has really changed is how web browsers behave, not how Linux packages are protected.

Earlier, browsers were relaxed about downloading files over normal HTTP. Now, modern browsers are much stricter. If you try to download a .deb file over HTTP, they warn you or block it because the connection is not encrypted. From the browser’s point of view, any software downloaded over HTTP could be modified while travelling over the network. However, Debian and Ubuntu never depended on HTTPS for security in the first place.

APT uses a different security model. Every repository and package is cryptographically signed. When you install a package using apt, it checks the signature and verifies the checksums. If anything was altered, apt will simply refuse to install it. This protection works even if the download happens over plain HTTP.

So the same file can look:

  • unsafe to a browser, because the browser only sees an unencrypted download
  • safe to APT, because APT verifies the signature and integrity

When you manually download a .deb file in a browser, the browser does not verify Debian/Ubuntu signatures. That’s why browsers warn you — not because the package is bad, but because they cannot validate it the way apt can. Your old workflow wasn’t really dangerous, but it was never ideal either. Manual .deb installs bypass dependency handling, upgrades, and signature checks unless you verify them yourself. It worked in practice, but it was always more fragile than using apt.

So yes, your suspicion is correct:

  • Debian and Ubuntu repositories are still secure
  • APT security has not changed
  • Browsers have become more strict and opinionated about what they allow you to download.
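The verification chain the answer describes, carried out by hand for a .deb fetched in a browser, as an added example that is not part of the answer: apt first checks the GPG signature on the repository's Release/InRelease file (with gpgv against the distribution keyring), then trusts the SHA256 table inside it. This snippet assumes that signature check has already passed and shows the rest of the chain, from the signed Release text to the Packages index to the .deb itself, over constructed sample data rather than real Debian files.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256, size)} from the 'SHA256:' table of a Release file."""
    table, in_sha256 = {}, False
    for line in release_text.splitlines():
        if line.startswith(" ") and in_sha256:
            digest, size, path = line.split()
            table[path] = (digest, int(size))
        elif not line.startswith(" "):  # a new top-level field ends the table
            in_sha256 = line.startswith("SHA256:")
    return table

def parse_packages(packages_text: str) -> dict:
    """Return {Filename: SHA256} for every stanza of a Packages index."""
    out = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Filename" in fields and "SHA256" in fields:
            out[fields["Filename"]] = fields["SHA256"]
    return out

def verify_deb(release_text, index_path, index_bytes, deb_path, deb_bytes) -> bool:
    """Check the chain signed Release -> Packages index -> .deb; ValueError on a break."""
    digest, size = parse_release_sha256(release_text).get(index_path, (None, None))
    if digest is None:
        raise ValueError(f"{index_path} is not listed in the signed Release file")
    if len(index_bytes) != size or sha256(index_bytes) != digest:
        raise ValueError("Packages index does not match the signed Release file")
    expected = parse_packages(index_bytes.decode()).get(deb_path)
    if expected is None:
        raise ValueError(f"{deb_path} is not listed in the Packages index")
    if sha256(deb_bytes) != expected:
        raise ValueError(f"{deb_path} was modified or corrupted in transit")
    return True

# Constructed sample data standing in for a real repository (not real Debian files).
DEB_PATH = "pool/main/h/hello/hello_2.10-3_amd64.deb"
DEB_BYTES = b"constructed stand-in for the .deb contents"
INDEX_PATH = "main/binary-amd64/Packages"
INDEX_BYTES = (f"Package: hello\nVersion: 2.10-3\nArchitecture: amd64\nFilename: {DEB_PATH}\n"
               f"Size: {len(DEB_BYTES)}\nSHA256: {sha256(DEB_BYTES)}\n").encode()
RELEASE_TEXT = (f"Origin: Debian\nSuite: stable\nMD5Sum:\n {hashlib.md5(INDEX_BYTES).hexdigest()}"
                f" {len(INDEX_BYTES)} {INDEX_PATH}\nSHA256:\n {sha256(INDEX_BYTES)} {len(INDEX_BYTES)} {INDEX_PATH}\n")

if __name__ == "__main__":
    print(verify_deb(RELEASE_TEXT, INDEX_PATH, INDEX_BYTES, DEB_PATH, DEB_BYTES))  # True
```

The MD5 shown on packages.debian.org is only the last link of this chain; without the signed Release file above it, a matching MD5 proves nothing more than that the page and the file agree with each other.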
