Ubuntu – Is it safe to run apps that need no installation

Securitytelegram

I have Ubuntu 14.04 LTS

I have downloaded Telegram from here. The file was compressed with the extension tar.xz.

I have unpacked this file and run the file Telegram (without extension) using common user (not admin). The application started and worked OK.

But why does Ubuntu not tell me, "Don't run this app, because it is not safe"?

Is it really safe to run such applications, which do not need installation, which run easily when double clicked?

And what are apps like this called? What name do they have? “Portable”?

Best Answer

The file is a binary executable. It has already been compiled from its source code into a form your CPU can execute and you only have to ask for it to be executed for it to run.

The software you download when you run a package manager such as APT in general also includes pre-compiled binaries, so there's nothing peculiar about this type of file. The packaging of the files does helpful things like telling the package manager where in the filesystem the binaries need to be copied to, and provides scripts that make sure the program can find any shared libraries and other programs it depends on and the environment it requires is set up if needed.

The reason you might consider this program unsafe is that it comes from an unknown source, whereas packages from Ubuntu repositories are from a known source and protected by a signature verification process that ensures they haven't been tampered with on their way to your system.

Basically, downloading and running executables from unknown sources is insecure, unless you trust the provider and you can verify that the download reached you intact. To the latter end, distributors may provide some kind of checksum you can use to check that the file they uploaded has the same content as the one you downloaded.

One encouraging thing about Telegram in particular is that it is open source:

This software is available under GPL v3 license.
Source code is available on GitHub.

This means anyone can read the program's source code to make sure it won't do anything undesirable to your system. In practice, reading the source code to make sure the program is safe isn't something most end users want to spend time doing or learning how to do. Still, I have some faith in the involved community to find security vulnerabilities and bugs in open source software.

As for why Ubuntu doesn't complain that the program is unsafe, well, badgering the user about their questionable decisions isn't the Linux tradition. A Linux system is typically designed to do what you ask it to, and nothing else. The user is considered responsible for having awareness of security issues and other potential pitfalls and will rarely be warned that they are about to compromise or damage their system.

I use a PPA for Telegram see this answer for all the ways to install Telegram. PPAs use APT's signature verification mechanism, but they still have some risks because you are putting your trust in the maintainer. PPAs do provide some convenience, updating when you run updates (if the maintainer updates the PPA), making the package manager aware that you have the software and so on.