dget

Download a binary package

$ dget [package]

$ dget [http://deb.debian.org/debian/pool/main/h/haskell-tldr/haskell-tldr_0.4.0-2.dsc]

$ dget [[-d|--download-only]] [http://deb.debian.org/debian/pool/main/h/haskell-tldr/haskell-tldr_0.4.0-2.dsc]

dget [options] <.dsc file or URL>

-u, --unpack
    Unpack the source package after downloading all components.

-d, --download-only
    Download files but do not unpack the source directory.

-x, --extract
    A synonym for --unpack.

-q, --quiet
    Suppress most output, only showing errors.

-P <path>, --destdir <path>
    Download files into the specified directory instead of the current working directory.

-S, --no-signature-check
    Do not check the GPG signature of the .dsc file. Use with extreme caution!

-D, --allow-less-secure-sha1
    Allow SHA1 checksums, which are considered less secure than newer hash algorithms.

-T, --allow-v1-hash
    Allow MD5 or SHA1 hashes, which are older and less secure formats.

-l, --allow-unauthenticated-dsc
    Allow unauthenticated .dsc files. Implies --no-signature-check. Highly discouraged!

-C <level>, --check-dirname-level <level>
    Control the strictness of directory name checking (e.g., for security checks on unpacked directory names).

-h, --help
    Display a help message and exit.

-v, --version
    Display version information and exit.

dget is a utility from the devscripts package that simplifies downloading Debian source packages. It takes a .dsc file (either a local path or a URL) as an argument. It automatically downloads all associated files mentioned in the .dsc file, such as the original upstream tarball (e.g., .orig.tar.gz) and the Debian-specific diff (e.g., .debian.tar.xz). By default, it verifies cryptographic signatures (GPG) to ensure the integrity and authenticity of the source package.

After downloading, it can optionally unpack the source tree into the current directory, making it ready for inspection, patching, or building with tools like debuild. It's an essential tool for developers and users who need to examine or recompile Debian packages from their original source code.

Using options like --no-signature-check or --allow-unauthenticated-dsc bypasses crucial security checks, potentially exposing the user to malicious or tampered source code. Always verify the authenticity of source packages, especially from untrusted sources. `dget` relies on internet connectivity to fetch URLs and may require proper APT configuration for resolving package names if not provided with a direct URL.

A .dsc (Debian Source Control) file is a plain-text file that describes a Debian source package. It lists the package name, version, architecture (source), maintainer, build dependencies, and most importantly, the names and checksums of the other files that make up the source package (e.g., .orig.tar.gz, .debian.tar.xz, .diff.gz). `dget` parses this file to determine exactly which files to download and how to verify them.

By default, `dget` attempts to verify the GPG signature of the .dsc file. This cryptographic verification ensures that the file has not been tampered with and originates from a trusted source (typically a Debian developer's key or an official archive key). If the signature is invalid, missing for a file from a trusted repository, or if the key is not trusted, `dget` will typically fail and alert the user to a potential security issue, preventing the download of potentially compromised sources.

dget is an integral part of the devscripts package, a suite of tools primarily used by Debian developers and maintainers. It has been a standard utility within the Debian ecosystem for many years, evolving alongside Debian's packaging formats and security practices. Its primary role has consistently been to simplify the process of obtaining and preparing Debian source trees for further development or inspection.

apt-get source(1), dpkg-source(1), debuild(1), gpg(1)