Can installing an unknown deb package using sudo dpkg be harmful?
Yes, packages can contain “maintainer scripts” which are run before and/or after installation. You can see the scripts, if any, by extracting the control archive from the package:
dpkg-deb --ctrl-tarfile package-name.deb > control.tar
tar tf control.tar
or, if you know you want to extract the control archive’s contents:
dpkg-deb -e package-name.deb package-control
(which places the extracted files in a directory named package-control
).
They run as root and can do whatever the package author wants on your system.
You should really consider that installing a package is equivalent to granting the maintainer (and anyone else involved in the package’s maintenance and build) root access to your system. Who do you trust?
Even forgetting maintainer scripts, the package might install a Cron script that runs every minute, and the minute might tick over in-between you installing and uninstalling the package.
Or it might install a program at /bin/python
for example (which will be used in preference to the real /usr/bin/python
) and then some background process might try to launch Python.
Or it might install a program at /bin/dpkg
so that when you try to remove it you're actually just running it.