One of the biggest drawbacks to Ubuntu’s new App Center, the Flutter-based replacement for GNOME’s Software Center, is that it doesn’t let you install DEBs you download from the web.

To be clear (since confusion often creeps in) while the Ubuntu App Center does allow you to install DEB software from the Ubuntu repos, it doesn’t (currently) let you ‘side load’ DEB packages yourself – which the myriad of software center incarnations over the years did.

App Center will warn users about the risks of 3rd-party DEBs when users go to install them

But good news: support for DEB installs in App Center is finally underway – as in working code, not promises that devs will get around to it one day!

Over on the App Center GitHub a spurt of activity plumbs in support for installing DEBs using the App Center — support which lets Ubuntu users do what they’re used to: double-click on a DEB installer to install it using a guided, GUI process [1].

Since DEBs aren’t sandboxed and can be made by/come from untrustworthy sources, Ubuntu wants to educate users when they attempt to install DEB packages using App Center with ample warnings and confirmation boxes.

DEB installs in App Center are coming – this is a WIP screenshot

News that DEB installing is returning to Ubuntu will, no doubt, cause some gasps and pearl clutching from some folks. Making it possible for Ubuntu users to install DEB packages they (want to) download from the web is often framed as ‘encouraging’ it.

And, as the warnings the distro displays to users who use App Center to ‘side-load’ a DEB package make clear, there are potentially severe security implications.

DEBs aren’t sandboxed and get unrestricted root access to a user’s system. Plus, unlike DEB packages in the Ubuntu repos, 3rd-party DEBs downloaded from the web are not vetted, can be produced by anyone, and could contain anything. It’s a valid fear.

At least in theory.

Some People Use DEBs, Get Over It!

In all the time I’ve been blogging about Ubuntu —16 years— I can’t recall any widespread and/or recurring incidents involving dodgy DEBs filled with malware and masquerading as other apps. It can be done but, generally, it hasn’t.

Most 3rd-party DEBs come from reputable sources, like Google, Valve, Proton, et al

Same can’t be said of other formats.

So why has DEB malware not, to date, materialised en masse to infect us all?

Speaking from experience, making a valid DEB package isn’t a low-effort task: it takes time and know-how. Even then, making a DEB is one thing, getting people to find and install it? Harder than uploading to a store which suggests it to users on your behalf!

And now the window of opportunity has more than likely passed. In 2024, the vast majority of 3rd-party DEB installers that Ubuntu users download from the web don’t come from IRC channels, random forums, dodgy repos, or obscure websites.

These days the only real “source” of DEB packages is the software companies themselves, which (to varying ethical degrees) users do feel they can trust, e.g., Google, Discord, Steam, Zoom, Microsoft, Proton, Mozilla, etc.

This will soon be a thing of the past, hurrah!

Everything else comes from the Ubuntu repos, the Canonical Snap Store, Flathub, Nix, or other modern software mechanisms that have (varying) security safeguards and barriers to entry. It’s increasingly rare for regular, less-savvy users to need to use a DEB.

Ubuntu supported third-party DEB installs since 2004; enabling it in App Center won’t suddenly result in an influx of DEB malware

Folks who already know how to install DEBs through other means (CLI, etc.) may not care for this, and a few may argue that gatekeeping the secret of side-loading is a security boon, though I’d disagree.

I don’t see how re-implementing support for 3rd-party DEB installs using a GUI — a feature Ubuntu has had since 2004 — will ignite an arms-race in DEB-packaged malware given that, in 20 years to date, that has failed to occur.

So in all, I welcome this. Snobs may sneer at those who need (or want) to use Google Chrome, Steam, Microsoft Edge, Discord, or any other software distributed as and supported by its upstream vendor in DEB format — pragmatism trumps dogmatism.

When will it land?

The good news is that since App Center is a snap this feature will be available to Ubuntu 24.04 LTS users, not only those who upgrade to Ubuntu 24.10 later this year. Since the update will arrive silently in the background, I’ll put a post out when it’s live so you know!

Finally, if you want to try DEB installation in App Center right now, you can: switch the snap-store package to the --edge channel – just keep in mind this channel is not stable and may have introduced as many bugs as have been fixed!

  1. You can still do that in Ubuntu 24.04 LTS if you install Gdebi first, but that’s not a tool which is preinstalled by default, and it sits in the universe repo, not main.