Are PPAs safe?



linuxyogi
July 4th, 2011, 12:51 PM
Hi,

Do you use unofficial PPAs ? Please mention them.

How do you determine an unofficial PPA's credibility ?

I am presently using only one ppa, that's the wine official PPA.

Please vote & share your experience / views.

I should have provided another choice "Yes, anything to get the application installed" .... Please choose yes then mention if that's your story.

TIA

Paqman
July 4th, 2011, 01:26 PM
Really depends on the PPA. Some are just from some random person, which could be dodgy as hell. But the official PPA for a project should be just as trustworthy as installing the same package from the official repos.

undecim
July 4th, 2011, 02:13 PM
Really depends on the PPA. Some are just from some random person, which could be dodgy as hell. But the official PPA for a project should be just as trustworthy as installing the same package from the official repos.

This.


Though every PPA is another repository that could get hacked and install malicious software onto your computer. I don't think that's happened yet, but it's possible.

Gremlinzzz
July 4th, 2011, 02:36 PM
Playing it safe is kind of boring. But no, PPAs are not always safe, but sometimes they are, so I vote :D You're taking a chance. Yeah, they're safe... till someone complains :D

Legendary_Bibo
July 4th, 2011, 03:06 PM
lol I don't really care about security. I would root my install if I was motivated enough.

linuxyogi
July 4th, 2011, 03:22 PM
This.


Though every PPA is another repository that could get hacked and install malicious software onto your computer. I don't think that's happened yet, but it's possible.

What if someone creates a PPA with spyware & stuff like that to steal your sensitive data? Or just mess up your system? I mean, why do people make viruses? Coz they are sick.

That's what I am concerned about.

Thanks for your replies.

juancarlospaco
July 4th, 2011, 03:27 PM
Define safe...?

moore.bryan
July 4th, 2011, 03:33 PM
My poll answer is just a simple "yes;" I'm not hardcore about bleeding-edge, but all programs have some bugs and if I can get them fixed now that's better than later.

linuxyogi
July 4th, 2011, 03:33 PM
Define safe...?

Devoid of any malicious stuff like virus, spyware & likewise.

Coz the user is deliberately opening the door. Therefore security is of critical importance here.

BrokenKingpin
July 4th, 2011, 03:39 PM
Depends on the PPA. I usually only add PPAs for well known software and I haven't hit any issues yet.

Zero2Nine
July 4th, 2011, 03:40 PM
What if someone creates a PPA with spyware & stuff like that to steal your sensitive data? Or just mess up your system? I mean, why do people make viruses? Coz they are sick.

That's what I am concerned about.

Thanks for your replies.

That is always possible with software from an untrusted source (there is even a very small chance of such applications ending up in the official repos, but they wouldn't live very long there, I guess). I think when the PPA is managed by, for example, Mozilla and widely used you can quite safely assume it contains no malware/spyware.

With most PPAs I wouldn't be concerned about security in terms of malware, but more worried about system stability (conflicting packages, multiple versions of the same program installed etc.)

linuxyogi
July 4th, 2011, 03:49 PM
I think when the PPA is managed by, for example, Mozilla and widely used you can quite safely assume it contains no malware/spyware.


If the PPA is maintained by Mozilla then it's an official PPA. I personally trust official PPAs. Using the wine PPA with Natty.




With most PPAs I wouldn't be concerned about security in terms of malware

How come ? :arrow:


That is always possible with software from an untrusted source

linuxyogi
July 4th, 2011, 03:53 PM
I usually only add PPAs for well known software and I haven't hit any issues yet.

If you don't mind, which PPAs have you used or are you using ATM?

Have you ever used the GetDeb PPA ?

Zero2Nine
July 4th, 2011, 03:57 PM
If the PPA is maintained by Mozilla then it's an official PPA. I personally trust official PPAs. Using the wine PPA with Natty.




How come ? :arrow:

Nothing is 100% secure; that is what I mean with the first statement. But in reality I don't think many PPAs are infested with malware. So you won't run a great risk installing PPAs just in terms of malware; it can have other negative side effects.

Grenage
July 4th, 2011, 04:08 PM
If you wouldn't blindly download a script from the site/group/chap and run it, then you probably wouldn't want to use their PPA.

zer010
July 4th, 2011, 06:18 PM
While I usually only use "tried and true" PPAs like WINE, I do have one that I was a little skeptical about. That one was for the Twitter plugin on Pidgin, microblog-purple. I did a little looking around and didn't find any major issues and so I went through with installing it. So far, I've not had any real issues with it.

jerenept
July 4th, 2011, 06:45 PM
I use mozilla-daily, banshee-daily, webupd8, clamav and opera ppas and I'm fine.

Aquix
July 4th, 2011, 07:05 PM
I feel a lot better if I install the ppa on instructions from the software site and not some random blog, however popular it might be. Like vlc and deluge.

This ppa issue should be straightened out I think. But I guess it's up to the software developers.

kvv_1986
July 4th, 2011, 07:38 PM
As such, I only add official ppas and ppas recommended by webupd8.org. In the latter case, if something goes wrong later on, he lets us know about it, and sometimes gives alternates.

Dustin2128
July 4th, 2011, 08:24 PM
lol I don't really care about security. I would root my install if I was motivated enough.
Root your install? This isn't android, buddy, you have root access from the start. ;)
Anyway, I don't always use ubuntu, but when I do, I use PPAs.

Copper Bezel
July 4th, 2011, 08:51 PM
Yeah, I only use PPAs from entities I trust, "official" or otherwise, but there are rather a lot of them, most of them directly from the developers on Launchpad and a couple from WebUpD8. It's just a matter of poking around to get a sense of whether or not this particular piece of software is reasonably well known.

beew
July 4th, 2011, 09:14 PM
I install most of my end user programs with PPAs. Many from the developers themselves and others are those "well known" ones on Launchpad, pretty much tried and true. Haven't had any problem.

When you upgrade with a PPA with Synaptic, always read what is being removed, if anything. Install ppa-purge if something goes wrong; it rarely happens, but if it does it is mostly for things like conflicting dependencies rather than anything malicious.

Dangertux
July 4th, 2011, 09:35 PM
I say they are no safer, if anything actually about the same as downloading the package elsewhere.

You're probably thinking I'm off my rocker right now, I'm sure. However, consider this: what if an attacker could emulate a trusted repo? Then what if they further modified packages within the repo? Now you're thinking, well, they would still have to get me to download them. Of course they would, which is actually the easiest part of the whole process: you could easily download them on your next update if your machine was made to believe that the offending repo was the real one. This would be very complicated, but also very possible. It would also likely be able to bypass the common sense test of "do I trust the source".

Note -- this is very theoretical and depends on the ability of the attacker to forge crypto keys in several files, which for the sake of moderator sanity will be left nameless, as well as the ability to pull off a successful MITM attack.

Copper Bezel
July 4th, 2011, 10:19 PM
The same would apply to distributor repos and "official" PPAs.

Dangertux
July 4th, 2011, 11:48 PM
The same would apply to distributor repos and "official" PPAs.

Agreed, which is why I say it's pretty much the same either way. IMO they are more of a convenience thing than a security thing.

beetleman64
July 4th, 2011, 11:57 PM
I don't generally add them, but if I do I make sure that I get them from a reputable source like OMG! Ubuntu!

I think the possibility of something disastrous in the PPA system must make Canonical think about a rolling repository like Tumbleweed on OpenSUSE, or even a system like the Testing/Unstable repositories like Debian.

Aquix
July 5th, 2011, 12:24 AM
I don't generally add them, but if I do I make sure that I get them from a reputable source like OMG! Ubuntu!

I think the possibility of something disastrous in the PPA system must make Canonical think about a rolling repository like Tumbleweed on OpenSUSE, or even a system like the Testing/Unstable repositories like Debian.

OMG! Ubuntu! is just a blog, and they recently had a big discussion in their comments about PPAs, and how the safety of the PPAs cannot be maintained by a blog or any internet publication.

You trust the better people for the right reasons, but that is not enough.

linuxyogi
July 5th, 2011, 05:27 AM
I use mozilla-daily, banshee-daily, webupd8, clamav and opera ppas and I'm fine.

I am trying to add the clamav PPA https://launchpad.net/~ubuntu-clamav/+archive/ppa

How do I add their key ?

Seems like my PPA phobia is getting under control listening to you guys. :D

alphacrucis2
July 5th, 2011, 06:22 AM
I am trying to add the clamav PPA https://launchpad.net/~ubuntu-clamav/+archive/ppa

How do I add their key ?

Seems like my PPA phobia is getting under control listening to you guys. :D

If you do sudo apt-add-repository ppa:ubuntu-clamav/ppa

it downloads and installs the key as part of the process.

Or you just manually copy and paste the key into a text file and save it. You can then import the file with the key from synaptic.
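An added example (not code from the thread or from Launchpad) for the step above: it shows what apt-add-repository writes for a "ppa:owner/name" spec, generates an apt pin that keeps the PPA from upgrading anything unless you ask for it, and checks the downloaded key's fingerprint against the "Signing key" fingerprint shown on the PPA's Launchpad page before the PPA is trusted. The key id and fingerprints in the usage line are constructed placeholders, not the real clamav PPA key.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Debian/Ubuntu host with gpg;
# the pure helpers below run anywhere.

# Split "ppa:owner/name" into its two parts (prints "owner name").
ppa_parts() {
    spec="${1#ppa:}"
    printf '%s %s\n' "${spec%%/*}" "${spec#*/}"
}

# The deb line apt-add-repository writes, for a given release codename (e.g. natty).
ppa_source_line() {
    set -- $(ppa_parts "$1") "$2"
    printf 'deb http://ppa.launchpad.net/%s/%s/ubuntu %s main\n' "$1" "$2" "$3"
}

# Origin field Launchpad puts in the PPA's Release file: the default archive
# named "ppa" is LP-PPA-owner, any other archive is LP-PPA-owner-name.
ppa_origin() {
    set -- $(ppa_parts "$1")
    if [ "$2" = "ppa" ]; then printf 'LP-PPA-%s\n' "$1"; else printf 'LP-PPA-%s-%s\n' "$1" "$2"; fi
}

# apt preferences stanza for /etc/apt/preferences.d/: priority 1 means nothing is
# pulled from the PPA on a normal upgrade, only when a package/version is named
# explicitly, which addresses the "read what is being removed" concern.
ppa_pin_stanza() {
    printf 'Package: *\nPin: release o=%s\nPin-Priority: 1\n' "$(ppa_origin "$1")"
}

# Compare two fingerprints regardless of spacing and case (as copied from a web page).
fprs_match() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Fetch the key into the local gpg keyring and verify its full fingerprint
# matches the one shown on Launchpad. Returns non-zero if they differ, in which
# case the key must not be added to apt's trusted keys.
verify_ppa_key() {  # args: key id, expected fingerprint
    gpg --keyserver keyserver.ubuntu.com --recv-keys "$1" >/dev/null 2>&1 || return 1
    actual=$(gpg --with-colons --fingerprint "$1" 2>/dev/null | awk -F: '/^fpr:/{print $10; exit}')
    fprs_match "$actual" "$2"
}

# Usage (placeholder key id/fingerprint; take the real ones from the PPA page):
#   verify_ppa_key 0123456789ABCDEF "0123 4567 89AB CDEF ... " && \
#     ppa_source_line ppa:ubuntu-clamav/ppa natty | sudo tee /etc/apt/sources.list.d/clamav.list
```

Once verified, ppa_pin_stanza can be written to /etc/apt/preferences.d/ so apt-get upgrade never silently swaps packages over to the PPA's versions.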

linuxyogi
July 5th, 2011, 06:29 AM
If you do sudo apt-add-repository ppa:ubuntu-clamav/ppa

it downloads and installs the key as part of the process.

Or you just manually copy and paste the key into a text file and save it. You can then import the file with the key from synaptic.

Done :)

beew
July 5th, 2011, 06:31 AM
I am trying to add the clamav PPA https://launchpad.net/~ubuntu-clamav/+archive/ppa

How do I add their key ?

Seems like my PPA phobia is getting under control listening to you guys. :D

The question is why do you want clamav in the first place? :) There is no need to run AV in Linux, but if you must, use a real one like Bitdefender. Clamav is crap and clunky (it detects itself as a virus according to a thread I read some time ago. :))

linuxyogi
July 5th, 2011, 06:35 AM
@jerenept (http://ubuntuforums.org/member.php?u=772467)

If I use the mozilla daily PPA will my existing addons work ?

beew
July 5th, 2011, 06:37 AM
@jerenept (http://ubuntuforums.org/member.php?u=772467)

If I use the mozilla daily PPA will my existing addons work ?

Oops, I misread.

The daily PPA is beta so some may not work. Better use the stable PPA (also I think that would install a developmental version of FF alongside the stable one so you have 2 FF instead of one).

linuxyogi
July 5th, 2011, 06:39 AM
The question is why do you want clamav in the first place? :) There is no need to run AV in Linux, but if you must, use a real one like Bitdefender. Clamav is crap and clunky (it detects itself as a virus according to a thread I read some time ago. :))

I often install Windows games using wine. While the games are all virus free, applying a No CD/DVD patch becomes a necessity most of the time. I scan those No CD/DVD patches with clamav.

beew
July 5th, 2011, 06:40 AM
I often install Windows games using wine. While the games are all virus free, applying a No CD/DVD patch becomes a necessity most of the time. I scan those No CD/DVD patches with clamav.

Well Clamav is pretty crappy so you may as well get something like bitdefender for Linux (I think you have to google something like bitdefender for Unice)

linuxyogi
July 5th, 2011, 06:44 AM
Oops, I misread.

The daily PPA is beta so some may not work. Better use the stable PPA (also I think that would install a developmental version of FF alongside the stable one so you have 2 FF instead of one).

Mozilla stable PPA vs Ubuntu repos ........ Which one holds the latest version ?

beew
July 5th, 2011, 06:51 AM
Mozilla stable PPA vs Ubuntu repos ........ Which one holds the latest version ?

Mozilla stable. If you are on Ubuntu 10.04 or 10.10 the Ubuntu repo still has FF3.6.X; it will not update to FF4 until Mozilla has stopped supporting 3.6.X (recently?), whereas the Mozilla stable PPA has FF5. In Natty though the Natty Proposed repository offers FF5 even when it was beta (it is not activated by default, but you can add it by going to Synaptic > Settings > Repositories > Updates and checking the box).

Paqman
July 5th, 2011, 07:43 AM
I scan those No CD/DVD patches with clamav.

ClamAV isn't very effective, you might want to consider a different one such as AVG or Avast.