It is a common misconception that there is no malware for Linux. It exists, and a compromised package or binary can sit on a system for months before anyone notices; combing through installed files by hand to find it is slow and unreliable. It is far better not to install it in the first place.

Trust is a delicate thing, and you shouldn’t just give it away easily. Just because something has been provided on the internet does not mean that you can trust it. You need to take certain steps to safeguard your OS and yourself.

Careless downloading risks anything from data theft and malware infection to an attacker gaining a foothold on your machine. This article therefore lists safer ways to obtain software on Linux.

1. Check the Hash Value

A hash value (or checksum) is a fixed-length hexadecimal string produced by running a file through a cryptographic hash function such as SHA-256 or SHA-512. Any change to the file, even a single bit, produces a completely different hash, so it lets you confirm that what you downloaded is byte-for-byte what the publisher hashed. It is not a digital signature: a hash proves integrity, not who produced the file.

To let you confirm that a download is intact, many open-source projects publish the expected hash next to the download link. Let's take an example.

Suppose you are downloading Apache Tomcat 10, a popular Java servlet container and web server. The published SHA-512 hash for version 10.0.6 is:

        3d39b086b6fec86e354aa4837b1b55e6c16bfd5ec985a82a5dd71f928e3fab5370b2964a5a1098cfe05ca63d031f198773b18b1f8c7c6cdee6c90aa0644fb2f2 *apache-tomcat-10.0.6.tar.gz
    

The part *apache-tomcat-10.0.6.tar.gz is just the file name (the leading asterisk marks that the hash was computed in binary mode, which is explained further down). The 128 hexadecimal characters from 3d39... to ...2f2 are the SHA-512 hash.

To compute this value yourself, change to the directory where you saved the archive and run:

        sha512sum apache-tomcat-10.0.6.tar.gz
    

You should get exactly the hash published above. If you get a different value, the file was either corrupted in transit or altered somewhere between the project and you; delete it and download it again, preferably from a different mirror, before using it.

In this example the hash function is SHA-512, because that is what the Apache Tomcat project uses to publish the integrity of its downloads. Bear in mind what a checksum alone proves: if an attacker can replace the archive on a mirror, they can usually replace the hash published beside it too, so a matching hash confirms integrity but not authenticity. For authenticity, projects such as Tomcat also publish a detached PGP signature (.asc) next to each download and a KEYS file listing the release managers' public keys; verify the signature with those keys, and fetch the KEYS file from the project's primary site rather than from a mirror.


Other sites use different hash functions, most commonly SHA-256 and sometimes SHA-384.

If a site publishes one of those, use the matching coreutils command instead; the tools are named after the function:

        sha256sum filename-of-download
        sha384sum filename-of-download

Avoid relying on MD5 or SHA-1 where a stronger hash is offered: collisions for both are practical today, so they are weak evidence of integrity against a deliberate attacker.

The file in this example is a tar archive, but the same applies to a standalone binary or any other file: the hash tools read raw bytes and do not care about the file type.

The tools also accept a -b (binary) or -t (text) option, and text is the default. On Linux the two modes produce identical hashes; the only visible difference is that binary mode prints an asterisk before the file name, which is why the Tomcat line above reads *apache-tomcat-10.0.6.tar.gz. The option only matters on systems that translate line endings in text mode, such as Windows. To compute the hash in binary mode anyway:

        sha256sum -b filename
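
The following shell script is an added example, not part of the original article or of the Tomcat project. It wraps the checks above in two reusable functions: one compares a file against a digest pasted from the download page, the other drives the tool's own -c mode from a .sha512 (or .sha256) file in the "<digest> *<filename>" format shown above. The sample "archive", its file name and its digest are constructed for the demonstration; the digest is the standard SHA-512 of the three bytes "abc", not a real release.

```shell
#!/bin/sh
# Added example: verify a downloaded archive against the digest the project
# published. Works with any of the coreutils tools (sha256sum, sha384sum,
# sha512sum) and with the "<digest> *<filename>" line format shown above.

# verify_digest <tool> <file> <expected-hex-digest>
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.
verify_digest() {
    tool="$1"; file="$2"
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')   # digests are case-insensitive
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$("$tool" -b "$file" | cut -d' ' -f1)     # -b: same digest on Linux, '*' marker
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# verify_digest_file <tool> <sumfile>
# Checks every "<digest> *<filename>" line in a .sha512/.sha256 file as
# projects ship it, using the tool's own -c mode. File names are resolved
# relative to the sumfile's directory, as they are after a download.
verify_digest_file() {
    tool="$1"; sumfile="$2"
    ( cd "$(dirname "$sumfile")" && "$tool" -c --strict "$(basename "$sumfile")" )
}

# Constructed demonstration data (not a real release): a 3-byte "archive"
# whose SHA-512 is the well-known digest of the string "abc".
ABC_SHA512=ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f

demo() {
    dir=$(mktemp -d)
    printf 'abc' > "$dir/sample.tar.gz"
    printf '%s *sample.tar.gz\n' "$ABC_SHA512" > "$dir/sample.tar.gz.sha512"

    verify_digest sha512sum "$dir/sample.tar.gz" "$ABC_SHA512"
    verify_digest_file sha512sum "$dir/sample.tar.gz.sha512"

    # Simulate a tampered download: one extra byte changes the whole digest.
    printf 'abcd' > "$dir/sample.tar.gz"
    if verify_digest sha512sum "$dir/sample.tar.gz" "$ABC_SHA512"; then
        echo "unexpected: tampered file passed" >&2
    fi
    rm -rf "$dir"
}

demo
```

For a real download you would call, for instance, verify_digest sha512sum apache-tomcat-10.0.6.tar.gz followed by the digest copied from the download page, or save the page's .sha512 file next to the archive and call verify_digest_file on it. Treat a non-zero exit as "do not unpack this".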
    

2. Use Safe Sites

Downloading from the project's official site greatly reduces the risk of picking up malware. As a rule of thumb, always go to the official download page of the software you want (the project's own domain, or the repository it links to); if you genuinely cannot find one, fall back on a reputable distribution site. Make sure the page is served over HTTPS so the file cannot be swapped in transit.

Sites such as FileHorse and SourceForge are examples of long-established download hosts. Longevity earns some trust, but not a blank cheque: aggregator sites and mirrors have in the past wrapped downloads in installers carrying unwanted software, so treat a file from one of them like any other download and verify its hash or signature against the values the original project publishes.

3. Compile the Source Code on Your Own

One of the main reasons the open-source model exists is that you do not have to take a vendor's word for what their software does on your machine.

When you download a compiled binary, you are trusting whoever built it: their compiler, their build flags and anything else they chose to include. With the source code you can take that step back into your own hands.

With open source you can verify for yourself that the software does what its author claims. The drawback is that this takes above-average programming skill and a working knowledge of the problem domain, and reviewing a large code base is a serious undertaking.

You can be strategic and concentrate on the files that matter most: anything that handles network input, credentials, file permissions or privileges, plus the build scripts, which run on your machine before the program ever does.

As an example, say you have cloned some C source code from a GitHub repository. Here is how to compile it yourself. Before building, record the commit hash of the checkout you reviewed, or build from a signed release tag, so that what you compile is exactly what you audited.

Run the command below to install the build-essential package. On Debian and Ubuntu it pulls in gcc, make and the other tools needed to build software; other distributions have an equivalent group package.

        sudo apt-get install build-essential
    

Now compile the C code with the gcc compiler. Turning on warnings costs nothing and often flags sloppy code that deserves a closer look:

        gcc -Wall -Wextra program-name.c -o program-name
    

After compilation, you can run the program by typing:

        ./program-name
    

4. Use an Official Package Manager

The easiest way to install, update and remove software is through your distribution's package manager: APT on Debian and Ubuntu, DNF on Fedora, pacman on Arch, with lower-level tools such as dpkg and rpm underneath. Package managers work directly with the distribution's official repositories (and the app stores that front them), whose packages are built and signed by the distribution's maintainers.

Package managers do a lot of heavy lifting for you. They resolve and install dependencies, track versions so you can upgrade cleanly, and verify both the integrity and the authenticity of every download, because the repository metadata and packages are signed with keys the distribution ships on your system. That guarantee covers the official repositories only: a third-party repository or PPA you add yourself is trusted exactly as far as you trust whoever holds its signing key, so add them sparingly.

Your distro ships with its package manager pre-installed: Debian 10 comes with APT, Fedora with DNF and Arch-based systems with pacman.

5. Personal Research

Security practice keeps changing, and keeping up with it is part of protecting yourself. Depending on the situation you also have a choice of where to run new software: directly on the host, in a virtual machine, or in a container.

Containers are attractive because an application and its dependencies are packaged together and run the same way in every environment.

Isolating the application and its dependencies from the host also limits what a bad package can reach, and it means the dependency set you verified is the one that runs wherever the image runs. The isolation is not absolute, however: containers share the host kernel, so a kernel bug or a loosely configured container (running as root, with host directories mounted) weakens it. A virtual machine gives a stronger boundary at the cost of more overhead.

It is also good practice to read software reviews and follow discussions on GitHub. Reviews give you a picture of what to expect after installation, unexpected behaviour other users have seen, and their recommendations.


GitHub discussions and issues can also tell you what precautions to take during or after installation, and surface security considerations that never made it into the official documentation.

Also keep an eye on forks with many contributors. Development may have moved there, or the fork's protocols and formats may have diverged from the original, and running an abandoned or out-of-date version leaves you exposed to problems the active project has already fixed.

Recommendations and Good Practice

It is always good practice to refresh your package list and update installed packages before installing any major piece of software; every package manager, pacman on Arch Linux for example, can install, update and remove packages. On Arch in particular, refresh the package database and upgrade the whole system in the same step: installing a new package on top of stale libraries (a partial upgrade) is unsupported and can break the system.

Once your installed packages are up to date, go ahead and install what you need. Whenever the software is available through your package manager, install it that way; it is the easiest and the most secure route to installing and updating software on Linux. Fall back on a manual download, with the hash and signature checks described above, only when it is not.