Safety of the Debian repository
The Debian Security Team does not review all packages before upload because they are a small group of volunteers and there are over 67,000 packages in the archive. I'm not aware of any other Linux distro (or other major project or distributor) that has such a procedure, either.
However, the Debian build daemons do build every package from its source, so you can download the source package (with apt-get source PACKAGENAME
) and verify the tarball and patches are as you expect them to be. All source packages are cryptographically signed, as is the archive, so you can be sure that the packages have not been modified from the source that was uploaded.
Debian also has an initiative to build all packages reproducibly so that you can produce a bit-for-bit identical package on your own and verify that nothing has been tampered with. There is a list of packages which do and don't build reproducibly.
In general, Debian is widely considered a trustworthy source of binaries and numerous major organizations use it, although of course you must make your own determination. If you really need every binary and binary package audited, then you'll have to manage that yourself, since I'm not sure that any OS distributor of any size provides that service.
https://wiki.debian.org/DebianMentorsFaq and https://warlord0blog.wordpress.com/2018/05/08/repository-not-trusted show the maintainers exercise caution.in the maintenance of their repository and have a process to alert you to potentially hazardous conditions.
I agree with you regarding the advantages of using .deb packages.
I asked two questions with answers that describe the security-related aspects of Debian's repositories:
- Who builds the Debian packages? (a good introduction to the packaging process)
- "Do package managers check the hashes of packages?" (duplicate) -> How is the authenticity of Debian packages guaranteed? (here you can probably find the answer you're looking for)
For reproducible builds I think what it needs to make it useful in practice before 100% of packages are reproducible is a convenient way to check which of all of the currently installed packages are not reproducible in addition to the vrms
tool that checks for installed non-free software:
"How to list which unreproducible packages are installed on a Debian system?"