Page 2 of 2
Results 11 to 12 of 12

Thread: Security issues with personal repositories

  1. #11
    Join Date
    Apr 2006
    Kubuntu Development Release

    Re: Security issues with personal repositories

    Quote Originally Posted by tgm4883 View Post
    Nope, I was actually agreeing with you for the most part. The official repositories are much safer/trustworthy than PPAs. The issue I have is I see a lot of people say that because it's in the official repositories that it is 100% safe, which isn't entirely the case. However remote that it may be, it wouldn't be extremely difficult to get malware into the official repositories.
    Thank you for clarifying that. For some reason I was not understanding what you were saying, but with this additional information your post is more clear.

    I agree, your points regarding the official Ubuntu repositories are right on target.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta


  2. #12
    Join Date
    Sep 2009
    Bangkok, Thailand
    Ubuntu 12.04 Precise Pangolin

    Re: Security issues with personal repositories

    Quote Originally Posted by rookcifer View Post
    I agree that just because it's in the official repos does not necessarily mean it is malware free. But there's also no guarantee that Linus Torvalds isn't secretly working for the KGB and has compromised the Linux kernel to spy on everyone. There's no guarantee that AMD and Intel have not put firmware backdoors in their CPUs. There's no guarantee a meteor won't hit my house and kill me tonight. Just like everything else in life, it's about risk assessment, and I think it is more risky to blindly trust an unknown PPA than the official repos. Either could be trojaned, but I would lay odds that a PPA is more likely to be malicious.
    That's a good take on security. It's all about trust and probability. And I won't be meteor-proofing my house this afternoon.

    Quote Originally Posted by brian_p View Post
    Thanks, that helped clear things up.

    Quote Originally Posted by bodhi.zazen View Post
    Anyone can create a ppa, but adding a package to the Ubuntu repos is not as easy. You would need to either be a Canonical developer or a MOTU (or go the dark path - crack the Ubuntu servers).

    There is an obvious difference between a main line ppa:

    Which is referenced by a well respected project:

    And a ppa run by an individual:

    With the former ( I know paultag personally, have known him for several years, and he is a developer for the Fluxbox project.

    With the latter (chosen at random mind you) - I am unfamiliar with the cairo-compmgr project and I have no idea who the maintainer of that ppa is.

    So, I personally would add the icecat and fluxbox ppa without reservations. The third I would not, I would personally either download the .deb directly from the ccm project ( ) or build from source.

    So, as you can see, not all ppas were created equally, and you are sure to get different opinions on the trustworthiness of the various repos depending on paranoia levels, familiarity with various projects, and who you ask.

    You can also see why google can not (directly) answer the question either (nor can the mint forums); it is not a "yes or no" question, it is a matter of who do you trust, how much you know about compiling for yourself, your paranoia level, and probably other factors as well =)
    Thanks for giving some specific ideas in which ppas are more trustworthy than others.

    I consider this question well and truly answered; thanks so much to everyone.
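The practical first step behind bodhi.zazen's "who runs this ppa?" heuristic is knowing which PPAs a system actually has configured. The following script is an added example, not code from the thread or from any poster: it parses one-line apt source entries, separates official Ubuntu archive hosts from Launchpad PPAs and other third-party hosts, and lists each PPA's Launchpad owner and archive name for manual trust review. It assumes the standard `ppa.launchpad.net/<owner>/<archive>/ubuntu` URI layout that Launchpad PPAs use; the sample source lines are constructed for illustration and do not describe any real system.

```python
"""Inventory apt sources and pull out the PPAs that deserve a trust review.

Added example (not from the forum thread). Parses one-line apt entries of
the form "deb [options] URI suite components..." and classifies each URI.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Official Ubuntu archive hosts: archive.ubuntu.com, security.ubuntu.com
# and country mirrors such as us.archive.ubuntu.com.
OFFICIAL_HOST_RE = re.compile(r"(^|\.)(archive|security)\.ubuntu\.com$")
# Launchpad PPA URI path: /<owner>/<archive>/ubuntu
PPA_PATH_RE = re.compile(r"^/([^/]+)/([^/]+)/ubuntu/?$")
PPA_HOST = "ppa.launchpad.net"  # assumption: standard Launchpad PPA host

# Constructed sample; these are not lines from any real system.
SAMPLE_SOURCES = """\
# Official archive and a country mirror
deb http://archive.ubuntu.com/ubuntu precise main restricted universe
deb http://security.ubuntu.com/ubuntu precise-security main
deb [arch=amd64] http://us.archive.ubuntu.com/ubuntu precise-updates main
# A PPA (placeholder owner/archive names) with its source entry
deb http://ppa.launchpad.net/example-owner/example-ppa/ubuntu precise main
deb-src http://ppa.launchpad.net/example-owner/example-ppa/ubuntu precise main
# Some other third-party host
deb http://mirror.example.net/debs stable main
"""


@dataclass(frozen=True)
class Source:
    kind: str          # "official", "ppa" or "third-party"
    uri: str
    suite: str
    owner: str = ""    # Launchpad owner (PPAs only)
    archive: str = ""  # Launchpad archive name (PPAs only)


def classify_uri(uri):
    """Return (kind, owner, archive) for an apt source URI."""
    parsed = urlparse(uri)
    host = parsed.hostname or ""
    if OFFICIAL_HOST_RE.search(host):
        return "official", "", ""
    if host == PPA_HOST:
        m = PPA_PATH_RE.match(parsed.path)
        if m:
            return "ppa", m.group(1), m.group(2)
        return "ppa", "", ""  # PPA host, but an unexpected path layout
    return "third-party", "", ""


def parse_sources(text):
    """Parse one-line apt source entries; comments and blank lines are skipped."""
    sources = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] not in ("deb", "deb-src"):
            continue
        tokens = tokens[1:]
        # Drop an optional "[key=value ...]" options block, which may span tokens.
        if tokens and tokens[0].startswith("["):
            while tokens and not tokens[0].endswith("]"):
                tokens.pop(0)
            if tokens:
                tokens.pop(0)
        if len(tokens) < 2:
            continue  # malformed entry: no URI and suite
        uri, suite = tokens[0], tokens[1]
        kind, owner, archive = classify_uri(uri)
        sources.append(Source(kind, uri, suite, owner, archive))
    return sources


def ppas_to_review(sources):
    """Distinct (owner, archive) pairs: the list to research before trusting."""
    return sorted({(s.owner, s.archive) for s in sources if s.kind == "ppa"})


def count_by_kind(sources):
    counts = {}
    for s in sources:
        counts[s.kind] = counts.get(s.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_sources(SAMPLE_SOURCES)
    print("sources by kind:", count_by_kind(found))
    for owner, archive in ppas_to_review(found):
        print(f"review PPA owner={owner!r} archive={archive!r}")
```

On a real machine the same parser can be fed the contents of `/etc/apt/sources.list` and the files under `/etc/apt/sources.list.d/`; the owner and archive names it prints are what you would look up on Launchpad to decide, as the thread suggests, whether a known project stands behind the PPA or an unfamiliar individual does.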

