PPAs, can you trust them?

TechnoJunky

Well-Known Member
Joined
Dec 3, 2018
Messages
493
Reaction score
390
Credits
314
Spinning off a new topic from Wiz's post https://www.linux.org/threads/snapcraft.23054/#post-68368.
So Wiz, there have been some PPAs I've trusted because the site I found them on was a reputable site. But overall, how does one determine that a PPA can be trusted? If you go to https://launchpad.net/~libreoffice/+archive/ubuntu/ppa, around 3/4 of the way down it has a paragraph headed "Adding this PPA to your system". The first sentence says "from this untrusted PPA". If they say it's untrusted, how can I trust it? What about any other PPA from someone lesser-known than LibreOffice? Can you trust just any PPA?
 


D

Deleted member 58530

Guest
https://askubuntu.com/questions/356...-and-what-are-some-red-flags-to-watch-out-for


The concerns are minimal imo.

How current and trustworthy is the PPA.
Is the PPA secure or are the packages corrupt.

If you are not an adventurer then stay away from PPAs.

I'm not a big user of PPAs although haven't had any issues with any I've used.

Back up your Distro, as the worst that can happen is you break your Linux Distro and have to reinstall it, tuition for the price of an education imo.

I'm not afraid to break my Linux as I have done that many times which is how I learn.

Only my opinion.

Learn By Experience Because Practice Makes The Master. ;)
 
TechnoJunky (OP)
I'm not worried about breaking my OS. I'm more concerned with malware. Since adding a PPA and installing anything from it requires you to authenticate against your SUDO powers, it seems quite risky to me.
I got over worrying about breaking my Linux install over 10 years ago. I can't tell you how many times I've installed/reinstalled Linux over the years.
 
TechnoJunky (OP)
Your posted links seem to be backing up what I was saying.
 
Deleted member 58530 (Guest)
As I said earlier I've never had a problem with PPAs nor have I ever had a virus or any malware infections using Linux or Windows.

Some of the proprietary graphics card drivers are PPAs and are reliable and maintained.

There are a lot of good PPAs available for download.

Users need to research the PPAs of interest to be certain of their integrity.


Software downloaded and installed haphazardly can lead to infections from viruses and malware etc.

If you question a PPA's integrity, then don't download and install it.
 
Deleted member 58530 (Guest)
TechnoJunky, what Linux Distro do you use?

If you are using Linux Mint check via Synaptic Package Manager and see if mono or mono-runtime-common is installed.

I'm curious.
 
TechnoJunky (OP)
I run Neon. No, I don't have mono installed. What is it?
 

wizardfromoz

Administrator
Staff member
Gold Supporter
Joined
Apr 30, 2017
Messages
7,511
Reaction score
6,354
Credits
26,568
This is a good Thread, TJ (you should have guessed I would shorten that :)) and I am thinking it might be better moved, to e.g. Linux Security if you are OK with that. Might even become a sticky.

Good find, too, Tom on both counts of those links you referred, I have bookmarked them :D. Thanks for sharing.

Adding this PPA to your system
You can update your system with unsupported packages from this untrusted PPA by adding ppa:gezakovacs/ppa to your system's Software Sources. (Read about installing)

sudo add-apt-repository ppa:gezakovacs/ppa
sudo apt-get update

Now this harks back to what I was saying earlier. Unetbootin has been available from Ubuntu's and Linux Mint's Repositories for as long as I have been using them (6 - 7 years). Ubuntu should further define "untrusted".

I have some more input with this, but I have to change to another Distro to be sure of my facts.

Later

Wiz
 
Deleted member 58530 (Guest)
https://en.wikipedia.org/wiki/Mono_(software)
-------------------------------------------------------------------
Mono also makes your system partially vulnerable to malware that targets Windows, because it's cross-platform (like Java).

The above is a quote from here.
https://easylinuxtipsproject.blogspot.com/p/security.html

It can be found in the documentation in the above link.

"Don't install Wine or Mono in your Linux"

-----------------------------------------------------------

I found this interesting.

https://www.itwire.com/security/867...no-to-run-windows-malware-on-macos-claim.html


---------------------------------------------------------------------

@ Wizard
It is a good thread.

 
Deleted member 58530 (Guest)
Run this command inxi -r to see what repos are installed by default.

Linux Peppermint 9 has PPA repos installed by default.
[email protected] ~ $ inxi -r
Repos: Active apt sources in file: /etc/apt/sources.list
deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu/ bionic universe
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates universe
deb http://us.archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse
Active apt sources in file: /etc/apt/sources.list.d/peppermint.list
deb http://ppa.launchpad.net/peppermintos/p9-release/ubuntu bionic main
deb http://ppa.launchpad.net/peppermintos/p9-respin/ubuntu bionic main
[email protected] ~ $
 

wizardfromoz
Quite so, as do a number of my other Debian-based Distros, but it would take some searching to pin those down.

To qualify my comments at #9 above, where I said

Unetbootin has been available from Ubuntu's and Linux Mint's Repositories for as long as I have been using them (6 - 7 years).

... I have egg on my face (Wizard was wr... wr... wrong :)).

I have checked my Linux stable, and somewhere in between Ubuntu 16.04 and 18.04 (& thus Linux Mint 18 series and 19 series), Ubuntu stopped including Unetbootin in their Repositories. Unsure why.

No matter to me, I still trust the product.

If you go to

https://github.com/unetbootin/unetbootin/releases

... and wade through three (3) pages, you see how long Unetbootin's PPA has been around, and it is updated regularly, these meet the criteria specified in Tom's "Red Flags" link. Likewise Tony George's with Timeshift, Aptik, Conky Manager, Ukuu, &c.

Wiz
 
Deleted member 58530 (Guest)
This was all I could find as to the removal of Unetbootin from Debian Repos.

https://tracker.debian.org/pkg/unetbootin

---------------------------------------------------------

It seems that Ubuntu 14.04 LTS Trusty Tahr was the last good Linux to offer cool software.

With the release of Ubuntu 16.04 LTS Xenial Xerus and the introduction of Snap Packages a lot of software disappeared from the repositories or disappeared because it was no longer being maintained.
 

rado84

Well-Known Member
Joined
Feb 25, 2019
Messages
603
Reaction score
483
Credits
3,137
break my Linux as I have done that many times which is how I learn.
Me too. IMO the best way to learn something is to break it a few times. I learned a lot of things about Linux by self-teaching (and breaking it, ofc :) ).
 

Vrai

Well-Known Member
Joined
Mar 16, 2019
Messages
1,059
Reaction score
996
Credits
4,055
Spinning off a new topic from Wiz's post https://www.linux.org/threads/snapcraft.23054/#post-68368.
So Wiz, there have been some PPA's I've trusted because the site I found them on was a reputable site. But overall, how does one determine that a PPA can be trusted? If you go to https://launchpad.net/~libreoffice/+archive/ubuntu/ppa, around 3/4 of the way down it has a paragraph subject "Adding this PPA to your system". The first sentence says "from this untrusted PPA". If they say it's untrusted, how can I trust it? What about any other PPA from someone lesser known than LibreOffice? Can you trust just any PPA?

I asked this very question some years ago when PPAs first started to become popular.

As of this date the only method I have been able to determine as to the trustworthiness of a particular PPA is "Reputation".
Not a particularly reliable or comforting method. Just because a PPA has been safe and reliable in the past does not mean it will continue to be now or in the future. Package signing with PGP keys will help but then we are back to 'trusting' an unknown quantity.

I have used PPAs very selectively when it appears to be provided and hosted by an organization I deem as 'trustworthy'. The Brave browser is an example.
A commercial organization stands to suffer a loss if their PPA is compromised. It can happen - similar to what happened to Linux Mint a few years ago.
And there have reportedly been a few malicious 'Snap' packages sneak their way into the Snap Store.

There are surely many PPAs which are reputable and provide quality software. Unfortunately there is no 'central clearinghouse', 'watchdog', or 'curator' one can turn to in order to verify the trustworthiness. Nevertheless we all place a great deal of trust with the many, many developers of the operating system software we all use and trust. The whole system is based on 'trust'. "Trust but verify"

And no, it is not practical, feasible, or even possible to 'read the code' as many FLOSS advocates like to claim. Even Linus Torvalds could not possibly read and understand all the lines of code in just the Linux kernel. A quote from Phoronix in 2015; https://www.phoronix.com/scan.php?page=news_item&px=Linux-19.5M-Stats
GitStats showed 19,509,218 lines of code across 520,260 commits from 13,708 authors. There's 49,457 files currently part of the kernel source tree.

So it all boils down to trust. Can you trust a PPA? - probably. But I 'trust' the official repos more.
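A way to put the thread's advice into practice, as an added example that is not code from the thread or from any project it mentions: the shell functions below audit one-line apt source entries (the "deb ..." format that the inxi -r output above shows) and report which entries pull from a Launchpad PPA, which of those are not pinned to a repository-specific key with [signed-by=...], and whether a key fingerprint printed on a PPA's Launchpad page matches the one reported locally. The sample sources file, its keyring path and the fingerprints are constructed for this example, and the function names (list_ppa_sources, ppa_names, list_unpinned_sources, fingerprint_matches) are mine, not an apt or Launchpad API.

```shell
#!/bin/sh
# Added example (not from the thread or any project it mentions).
# Assumptions: POSIX sh with grep/sed/tr/wc; sources in one-line "deb ..." form.
# The sample file written below is constructed; its keyring path is hypothetical.

SOURCES_RE='^[[:space:]]*deb(-src)?[[:space:]]'

# Enabled (non-commented) entries in FILE that reference a Launchpad PPA.
list_ppa_sources() {
    grep -E "$SOURCES_RE" "$1" | grep -F 'ppa.launchpad.net'
}

# Number of such entries, as a bare integer.
count_ppa_sources() {
    list_ppa_sources "$1" | wc -l | tr -d ' '
}

# Owner/name of each PPA, e.g. "peppermintos/p9-release", which is what you
# look up at launchpad.net/~OWNER/+archive/ubuntu/NAME to see its age,
# activity and signing key before deciding whether to keep it.
ppa_names() {
    list_ppa_sources "$1" |
        sed -n 's|.*ppa\.launchpad\.net/\([^/]*\)/\([^/]*\)/.*|\1/\2|p'
}

# Enabled entries with no [signed-by=...] option: apt validates these against
# every key in its global trusted keyring, not against one key bound to that
# repository, so one imported PPA key could vouch for any of them.
list_unpinned_sources() {
    grep -E "$SOURCES_RE" "$1" | grep -v -E '\[[^]]*signed-by='
}

# Compare two PGP fingerprints regardless of spacing and case, e.g. the one
# shown on the PPA's Launchpad page against the one printed locally by
# "gpg --show-keys --fingerprint /path/to/keyring.gpg".
# Prints "match" or "MISMATCH" and returns 0 or 1 accordingly.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    if [ -n "$a" ] && [ "$a" = "$b" ]; then echo match; return 0; fi
    echo MISMATCH
    return 1
}

# --- constructed sample input, modelled on the inxi -r listing in the thread ---
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
# deb http://ppa.launchpad.net/disabled/example/ubuntu bionic main
deb http://ppa.launchpad.net/peppermintos/p9-release/ubuntu bionic main
deb [signed-by=/usr/share/keyrings/p9-respin-ppa.gpg] http://ppa.launchpad.net/peppermintos/p9-respin/ubuntu bionic main
EOF

echo "PPA entries: $(count_ppa_sources "$SAMPLE")"
ppa_names "$SAMPLE"
echo "Entries with no [signed-by=] pin:"
list_unpinned_sources "$SAMPLE"
# Constructed fingerprint pair: the same key written two different ways.
fingerprint_matches 'ABCD 1234 EF56 7890' 'abcd1234ef567890'
```

Run against a real machine by pointing the functions at /etc/apt/sources.list and each file under /etc/apt/sources.list.d/ instead of the sample. The Ubuntu archive lines show up as "unpinned" too, which is normal for releases of that era, but the same global keyring is where add-apt-repository imports a PPA's key, so the check is a quick way to see how many repositories one imported key is allowed to speak for. Whether a PPA's key fingerprint matches what Launchpad publishes is the "verify" half of Vrai's "trust but verify"; reputation still has to cover the rest.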
 