bobjunga2
June 12th, 2020, 08:35 PM
I am a long time server admin and do not understand how we are supposed to get to a level of trust of a 3rd party PPA. I understand that if a PPA is owned by the upstream project then you can trust it as much as you have already decided to trust that project. Also, sometimes in a community there is a lot of discussion about a particular PPA which has gained the trust of that community over time and it becomes well known in how-to guides, which is a form of reputation endorsement. I have chosen many PPAs this way.
However, in general, I am surprised at the lack of help that Launchpad gives us. GitHub and other platforms have reputation-based systems that let you know if the project that you are considering is well regarded, poorly regarded, or not used enough to have a reputation. I just looked for nginx PPAs, looking for ones that include the modules I want. I get 735 matches with no context about the maturity or popularity of each result. I cannot filter on significant attributes. If I click on one I can see when the last update was, which seems to eliminate many unmaintained ones, but that is like looking for a few needles in a haystack. Filtering or sorting by last update would be a big help.
The Launchpad PPA system has been around forever. How has it not gotten any of these features by now? Could it be that it has some and I just cannot find them?
I suspect that most people do not give it a second thought. They take a PPA's presence on Launchpad as endorsement that it is not malicious (which it is not). I think as a community, we get away with being lax on this point just because it is not common to have malware targeting Linux machines for some reason.
So how do you decide whether or not you should trust a PPA? Do you stick your head in the sand and hope for the best, or do you have a good system that I might be able to learn from?
--BobG
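A defender-side triage of a candidate PPA, as an added example (not code from the post, from Launchpad or from Ubuntu): it parses the archive's Release file to check that the Origin matches the owner and archive name you expect and how long ago the archive was last published, then emits an APT preferences stanza that confines the PPA to the packages you actually want from it. It assumes Launchpad's Origin convention `LP-PPA-<owner>-<name>` (`LP-PPA-<owner>` for the default archive named `ppa`); the Release text, the owner `example-owner`, the archive `nginx-extras` and the reference date are constructed.

```python
"""Triage a Launchpad PPA's Release file and build an APT pin that confines it."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of a PPA Release file (hypothetical owner and archive name).
SAMPLE_RELEASE = """\
Origin: LP-PPA-example-owner-nginx-extras
Label: nginx extras (example)
Suite: focal
Codename: focal
Date: Fri, 12 Jun 2020 20:35:00 UTC
Architectures: amd64
Components: main
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
"""
# Constructed "today" so the staleness result is reproducible.
REFERENCE_NOW = datetime(2021, 7, 1, tzinfo=timezone.utc)

def parse_release(text):
    """Return the header fields of a Release file; indented checksum lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith(" "):
            continue
        key, _, value = line.partition(":")
        if value.strip():  # 'SHA256:' with no value only opens a checksum block
            fields[key.strip()] = value.strip()
    return fields

def ppa_origin(owner, ppa_name):
    """Origin Launchpad writes: LP-PPA-<owner>-<name>, or LP-PPA-<owner> for 'ppa' (assumed)."""
    return f"LP-PPA-{owner}" if ppa_name == "ppa" else f"LP-PPA-{owner}-{ppa_name}"

def triage(text, owner, ppa_name, now=REFERENCE_NOW, max_age_days=365):
    """Check the archive identity and how many days ago it was last published."""
    fields = parse_release(text)
    published = parsedate_to_datetime(fields["Date"])
    if published.tzinfo is None:  # treat a bare timestamp as UTC
        published = published.replace(tzinfo=timezone.utc)
    age = (now - published).days
    return {"origin_ok": fields.get("Origin") == ppa_origin(owner, ppa_name),
            "suite": fields.get("Suite"), "age_days": age, "stale": age > max_age_days}

def pin_stanzas(owner, ppa_name, allowed, priority=500):
    """apt_preferences text: allow only `allowed` from the PPA; the '*' record with a
    negative priority blocks everything else (name-specific records take precedence)."""
    origin = ppa_origin(owner, ppa_name)
    return (f"Package: {' '.join(allowed)}\nPin: release o={origin}\nPin-Priority: {priority}\n\n"
            f"Package: *\nPin: release o={origin}\nPin-Priority: -1\n")
```

For a PPA already in sources.list, the Release file apt downloaded is under /var/lib/apt/lists/, so the same triage can run over what the machine actually trusts today.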