Results 1 to 6 of 6

Thread: Official repositories always secure?

  1. #1
    Join Date
    Nov 2010
    Beans
    38

    Official repositories always secure?

    I understand that it's up to the user to decide whether to trust a PPA they add. What about the official repositories. Is all software in those is checked "officially" ? Is software there compiled from sources after a check, and is there is a check before an update included?

  2. #2
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Official repositories always secure?

    Nothing is always and there are security vulnerabilities in the official repositories. This is why we have regular security updates and why an installed and updated version of Ubuntu is more secure then a live CD, which lacks the most recent security patches.

    http://www.ubuntu.com/usn

    But ...

    The official repositories are watched by many.

    The ppa are watched by some, but less people then the repos.

    3rd party projects vary. large projects (gnome , KDE, kernel) are watched by many, small projects are watched by few or none. Some third party repos are closed source (nvidia as one example, parts of Virtualbox as another).

    If you are not going to trust the repositories of major distros such as Debian, Fedora, Ubuntu, SUSE, Centos, Slackware, Gentoo, etc then you will have to go with LFS and review the source code for yourself, which means the code is reviewed by one, you.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  3. #3
    Join Date
    Nov 2010
    Beans
    38

    Re: Official repositories always secure?

    I can appreciate the scientific carefulness in making absolute statements.

    I was aiming for a more colloquial "always". Security vulnerabilities (unintentional) aside, what about malware? If I randomly go around the internet, installing everything I can find on a windows system, malware infection is very likely. If I do the same with ubuntu, manually adding .debs and PPAs, infection is perhaps less likely because there's not much malware for linux around, but it's not a very smart move anyway.

    Correct me if I'm wrong, but the purpose of the official repos on the other hand is to be a safe source for software for any purpose. Having said that, I'm not sufficiently familiar with the process of getting an application (and future updates) into the repositories, hence my questions in the first post.

  4. #4
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Official repositories always secure?

    What is it you want to know that I did not answer ?

    There is no known malware of any kind in the repositories. In theory there could be, but the repos are maintained by Canonical or the MOTU (depends on the repo).
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  5. #5
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Official repositories always secure?

    Quote Originally Posted by wi0 View Post
    Correct me if I'm wrong, but the purpose of the official repos on the other hand is to be a safe source for software for any purpose. Having said that, I'm not sufficiently familiar with the process of getting an application (and future updates) into the repositories, hence my questions in the first post.
    To get an application in the official repos means you have to submit it to the Debian developers for review first. Then after a while, if you've done everything to their specs, they will add it. Since Ubuntu uses the Debian repos, this means it is also available to Ubuntu users. At least this is the way it worked when I last checked into it (because I had some code I wrote that I wanted to get into the repos). It's not as quick or easy as one would think.

    The repos themselves stay secure from tampering because all the packages are digitally signed with an unforgeable cryptographic signature. As long as the packagers protect their signing key, you can be assured the packages have not been tampered with by some hacker.
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius

    My Blog

  6. #6
    Join Date
    Nov 2006
    Location
    Oregon
    Beans
    4,318
    Distro
    Ubuntu Development Release

    Re: Official repositories always secure?

    Quote Originally Posted by rookcifer View Post
    To get an application in the official repos means you have to submit it to the Debian developers for review first. Then after a while, if you've done everything to their specs, they will add it. Since Ubuntu uses the Debian repos, this means it is also available to Ubuntu users. At least this is the way it worked when I last checked into it (because I had some code I wrote that I wanted to get into the repos). It's not as quick or easy as one would think.

    The repos themselves stay secure from tampering because all the packages are digitally signed with an unforgeable cryptographic signature. As long as the packagers protect their signing key, you can be assured the packages have not been tampered with by some hacker.
    Actually you just need to

    A) Submit it to the REVU process
    B) Get it through the REVU process (fixing any packaging bugs you have)
    C) it is not in the universe repo
    *Don't PM me directly for support, open a new thread
    *Looking for a MythTV quick start guide?

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •