12

I just came across something that I wonder could possibly be a major security issue with the Linux terminal. I was trying to install g++ 5.0. I'm a newbie to Linux, so I just typed sudo apt-get install g++ 5.0. Instead of just returning an error or something, it installed Virtual Box!

If I try to install one thing from the terminal and it installs something completely different, does that mean it could happen to something else, possibly malware? Why would it install Virtual Box when I typed something completely different, anyway?

heemayl

3 Answers

29

The command

sudo apt-get install g++ 5.0 

indicates you want to install two packages: g++ and 5.0. (Package names don't have spaces, and apt-get accepts multiple package names, separated by spaces.)

What probably happened is that it installed g++ as requested, then installed all packages (including version numbers) that match the regular expression 5.0 (since there's no package actually named 5.0). (thanks @edwinksl!)

To avoid this, make sure you have the correct package names, without spaces. You can also use the -s option to simulate an apt-get action before doing it for real:

sudo apt-get -s install g++ 5.0

will show you the actions that the command would perform, without actually installing anything. If it looks OK, you can remove the -s to perform the installation.

You could also consider using a more newbie-friendly graphical package manager, such as synaptic or muon.

8

The correct command to install g++ version 5.x is:

sudo apt-get install g++-5

This will install g++ version 5.3 on xenial, which is the current default (so apt-get install g++ installs it as well, but this will change in the future). In fact, there is no public 5.0 release of GCC. Other g++ releases are packaged, e.g. g++-4.9 or g++-6, which can be installed in the same way.

If you ever need to install a specific (existing) release of g++ which is not packaged for your system, you'll have to build it from sources.

Dmitry Grigoryev
5

Let's break it down.

First of all, a few notes on how apt-get install (and most other apt-get arguments too) works:

  • You can input multiple package names:

    sudo apt-get install foobar spamegg 
    
  • The package names are actually Extended Regular Expression (ERE) patterns (check man 7 regex), so a package name foo.bar means any package name that has a substring that starts with foo and ends with bar, with any single character between foo and bar. Likewise, f.*r means any package name that contains a substring that has f and r with any number of characters, i.e. anything, in between. To match the whole package name, use start and end tokens, e.g. ^foo.bar$. If you want any Regex token to be treated literally, then you need to escape the token with \, e.g. for treating foo.bar literally, you need:

    sudo apt-get install 'foo\.bar'
    

    Here the single quoting is to prevent shell interpretation of the pattern as a globbing pattern, not necessary in this case but would be needed e.g. for pattern foo.*bar if you have a file in the current directory named e.g. foo.bar.

  • There is a catch on the package name consideration. If there is any package matching the pattern, the pattern will be treated literally and no Regex interpretation will be done. For example, for a package pattern g++, it will match the package g++ literally irrespective of the Regex token +. If there were no package named g++ in the defined repositories, it will be treated as an ERE pattern.

Now, you have given the command:

sudo apt-get install g++ 5.0

This means:

  • You want to install the packages matching two patterns, namely g++ and 5.0

  • g++ matches the literal meta-package g++ as mentioned above

  • The remaining portion, 5.0, has a Regex token, ., i.e. any single character. So this will match any package name that contains 5<any_character>0. So all the packages that match have been selected to be installed, and presumably virtualbox-5.0 has also been selected in the process.

Presumably you want to install g++ version 5, so doing the following would do (already mentioned in this answer). The meta-package, g++-5, will refer to the latest available minor release package of g++ version 5:

sudo apt-get install g++-5

To search for any packages, within the configured repositories, use apt-cache (uses ERE like apt-get):

apt-cache search 'g\+\+-[0-9]+'

If you do not want to Regex-ify it, use less to scroll down the rather large list:

apt-cache search g++ | less

Also, before installing anything you are not sure about, do not use the -y (--assume-yes) option, and test it first with -s (--simulate/--dry-run):

sudo apt-get install --dry-run foobar
heemayl
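A simplified model of the name resolution the answers above describe, written as a pre-flight check (an added example, not part of the original posts and not apt's own code). PKGS is a constructed package list and resolve and preflight are hypothetical helper names; on a real system the list would come from apt-cache pkgnames.

```shell
#!/bin/sh
# Constructed sample of package names. Real source: PKGS=$(apt-cache pkgnames)
PKGS='g++
g++-5
g++-4.9
virtualbox-5.0
virtualbox-5.0-dkms
libfoo5-0
bar'

# resolve ARG: print the names selected under the rules given in the answers:
#   1. an argument that is exactly a package name is taken literally;
#   2. otherwise it is used as an unanchored ERE over all package names.
resolve() {
    if printf '%s\n' "$PKGS" | grep -Fxq -- "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$PKGS" | grep -E -- "$1" || true
    fi
}

# preflight ARG...: warn about every argument that would select anything
# other than the one package it names; return 1 if any warning was printed.
preflight() {
    rc=0
    for arg in "$@"; do
        matches=$(resolve "$arg")
        if [ "$matches" != "$arg" ]; then
            count=$(printf '%s\n' "$matches" | grep -c . || true)
            printf 'WARN: "%s" is not a package name; as a pattern it selects %s package(s)\n' \
                "$arg" "$count"
            printf '%s\n' "$matches" | sed '/^$/d; s/^/  /'
            rc=1
        fi
    done
    return "$rc"
}

# Demo with the command line from the question.
preflight 'g++' '5.0' || true
```

The same idea on a live system is what apt-get -s shows: the full set of packages selected before anything is installed.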