One of the biggest drawbacks to Ubuntu’s new App Center, the Flutter-based replacement for GNOME’s Software Center, is that it doesn’t let you install DEBs downloaded from the web.
To be clear (since confusion often creeps in), the Ubuntu App Center does allow you to install DEB software as long as it’s in the Ubuntu repos. What it doesn’t currently do, which many software center incarnations over the years did, is ‘side load’ DEB packages.
But, at long last, this feature is coming.
On the App Center Github there’s been a spurt of activity in a pull request to plumb in support for installing DEBs using the App Center. This lets Ubuntu users do what they’re used to: download a DEB installer then double-click it to install via a guided, GUI process.
Obviously, given that DEBs aren’t sandboxed and could be made by/come from untrustworthy sources, the distro will educate users as/when they attempt to install DEB packages like Google Chrome, Discord, and Steam using App Center with warnings:
There’s likely to be some gasping and pearl clutching at word DEB installer support is in the works. Some frame making it easier for Ubuntu users to install DEB packages they (choose to) download from the web as tantamount to ‘encouraging’ it.
Which, as the warnings the distro will show to users when ‘side-loading’ a DEB package make clear, has potentially severe security implications.
DEBs aren’t sandboxed and get unrestricted root access to a user’s system. Plus, unlike DEB packages in the Ubuntu repos, 3rd-party DEBs downloaded from the web are not vetted, can be produced by anyone, and could contain anything. It’s a valid fear.
At least in theory?
People Use DEBs, Get Over It!
In all the time I’ve been blogging about Ubuntu —16 years— I can’t recall any widespread and/or recurring incidents involving dodgy DEBs stuffed with malware and masquerading as other apps. It could be done, but generally, it hasn’t been.
Why? Speaking from experience, making a working, valid DEB package isn’t a low-effort task: it takes time. Even then, making the DEB is one thing, getting people to discover and install it? Harder than uploading to a store which will surface it to users for you.
Anyway, in 2024, the vast majority of 3rd-party DEB installer Ubuntu users download from the web are not cribbed from backwater channels, dodgy sources, or obscure websites.
Most Ubuntu users simply want to install a DEB from a company, developer, or service they (to varying ethical degrees) feel they can trust, like Google, Discord, Steam, Zoom, Microsoft, Proton, etc.
Everything else? These days, that tends to come from the Ubuntu repo, the Canonical Snap Store, Flathub, nix, and other more modern, segregated software mechanisms.
Those of us who already know how to install DEBs through other means (CLI, etc) don’t need this, and a few may argue that gatekeeping the secret of side-loading is a security boon, but I disagree.
I don’t see how re-implementing support for 3rd-party DEB installs using a GUI — a feature Ubuntu has had since 2004 — will somehow ignite an arms-race in DEB-packaged malware that has, in 20 years to date, failed to materialise.
So in all, I welcome this — and the good news is that because App Center is a snap this feature will be available to users on Ubuntu 24.04 LTS, not just those who install or upgrade to Ubuntu 24.10 later this year.
- You can still do that in Ubuntu 24.04 LTS if you install Gdebi first, but that’s not a tool which is preinstalled by default, and it sits in the universe repo, not main. ↩︎