PPAs, can you trust them?

TechnoJunky

Spinning off a new topic from Wiz's post https://www.linux.org/threads/snapcraft.23054/#post-68368.
So Wiz, there have been some PPAs I've trusted because the site I found them on was a reputable site. But overall, how does one determine that a PPA can be trusted? If you go to https://launchpad.net/~libreoffice/+archive/ubuntu/ppa, around 3/4 of the way down it has a paragraph subject "Adding this PPA to your system". The first sentence says "from this untrusted PPA". If they say it's untrusted, how can I trust it? What about any other PPA from someone lesser-known than LibreOffice? Can you trust just any PPA?
 


https://askubuntu.com/questions/356...-and-what-are-some-red-flags-to-watch-out-for


The concerns are minimal imo.

How current and trustworthy is the PPA?
Is the PPA secure, or are the packages corrupt?

If you are not an adventurer, then stay away from PPAs.

I'm not a big user of PPAs although haven't had any issues with any I've used.

Back up your distro, as the worst that can happen is you break your Linux distro and have to reinstall it; tuition for the price of an education imo.

I'm not afraid to break my Linux as I have done that many times which is how I learn.

Only my opinion.

Learn By Experience Because Practice Makes The Master. ;)
 
I'm not worried about breaking my OS. I'm more concerned with malware. Since adding a PPA and installing anything from it requires you to authenticate with your sudo powers, it seems quite risky to me.
I got over worrying about breaking my Linux install over 10 years ago. I can't tell you how many times I've installed/reinstalled Linux over the years.
 
Your posted links seem to be backing up what I was saying.
 
As I said earlier I've never had a problem with PPAs nor have I ever had a virus or any malware infections using Linux or Windows.

Some of the proprietary graphics card drivers are PPAs and are reliable and maintained.

There are a lot of good PPAs available for download.

Users need to research the PPAs of interest to be certain of their integrity.


Software downloaded and installed haphazardly can lead to infections from viruses and malware etc.

If you question a PPA's integrity, then don't download and install it.
 
TechnoJunky, what Linux distro do you use?

If you are using Linux Mint check via Synaptic Package Manager and see if mono or mono-runtime-common is installed.

I'm curious.
 
I run Neon. No, I don't have mono installed. What is it?
 
This is a good Thread, TJ (you should have guessed I would shorten that :)) and I am thinking it might be better moved, to eg Linux Security if you are OK with that. Might even become a sticky.

Good find, too, Tom on both counts of those links you referred, I have bookmarked them :D. Thanks for sharing.

Adding this PPA to your system
You can update your system with unsupported packages from this untrusted PPA by adding ppa:gezakovacs/ppa to your system's Software Sources. (Read about installing)

sudo add-apt-repository ppa:gezakovacs/ppa
sudo apt-get update

Now this harks back to what I was saying earlier. Unetbootin has been available from Ubuntu's and Linux Mint's Repositories for as long as I have been using them (6 - 7 years). Ubuntu should further define "untrusted".

I have some more input with this, but I have to change to another Distro to be sure of my facts.

Later

Wiz
 
https://en.wikipedia.org/wiki/Mono_(software)
-------------------------------------------------------------------
Mono also makes your system partially vulnerable to malware that targets Windows, because it's cross-platform (like Java).

The above is a quote from here.
https://easylinuxtipsproject.blogspot.com/p/security.html

It can be found in the documentation in the above link.

"Don't install Wine or Mono in your Linux"

-----------------------------------------------------------

I found this interesting.

https://www.itwire.com/security/867...no-to-run-windows-malware-on-macos-claim.html


---------------------------------------------------------------------

@ Wizard
It is a good thread.

 
Run this command inxi -r to see what repos are installed by default.

Linux Peppermint 9
has PPA repos installed by default.
thomas@Dell-OptiPlex-360 ~ $ inxi -r
Repos: Active apt sources in file: /etc/apt/sources.list
deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu/ bionic universe
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates universe
deb http://us.archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse
Active apt sources in file: /etc/apt/sources.list.d/peppermint.list
deb http://ppa.launchpad.net/peppermintos/p9-release/ubuntu bionic main
deb http://ppa.launchpad.net/peppermintos/p9-respin/ubuntu bionic main
thomas@Dell-OptiPlex-360 ~ $
 
Quite so, as do a number of my other Debian-based Distros, but it would take some searching to pin those down.

To qualify my comments at #9 above, where I said

Unetbootin has been available from Ubuntu's and Linux Mint's Repositories for as long as I have been using them (6 - 7 years).

... I have egg on my face (Wizard was wr... wr... wrong :)).

I have checked my Linux stable, and somewhere in between Ubuntu 16.04 and 18.04 (& thus Linux Mint 18 series and 19 series), Ubuntu stopped including Unetbootin in their Repositories. Unsure why.

No matter to me, I still trust the product.

If you go to

https://github.com/unetbootin/unetbootin/releases

... and wade through three (3) pages, you see how long Unetbootin's PPA has been around, and it is updated regularly; these meet the criteria specified in Tom's "Red Flags" link. Likewise Tony George's with Timeshift, Aptik, Conky Manager, Ukuu, &c.

Wiz
 
This was all I could find as to the removal of Unetbootin from Debian Repos.

https://tracker.debian.org/pkg/unetbootin

---------------------------------------------------------

It seems that Ubuntu 14.04 LTS Trusty Tahr was the last good Linux to offer cool software.

With the release of Ubuntu 16.04 LTS Xenial Xerus and the introduction of Snap Packages a lot of software disappeared from the repositories or disappeared because it was no longer being maintained.
 
Me too. IMO the best way to learn something is to break it a few times. I learned a lot of things about Linux by self-teaching (and breaking it, ofc :) ).
 

I asked this very question some years ago when PPAs first started to become popular.

As of this date the only method I have been able to determine as to the trustworthiness of a particular PPA is "Reputation".
Not a particularly reliable or comforting method. Just because a PPA has been safe and reliable in the past does not mean it will continue to be now or in the future. Package signing with PGP keys will help but then we are back to 'trusting' an unknown quantity.

I have used PPAs very selectively when it appears to be provided and hosted by an organization I deem as 'trustworthy'. The Brave browser is an example.
A commercial organization stands to suffer a loss if their PPA is compromised. It can happen - similar to what happened to Linux Mint a few years ago.
And there have reportedly been a few malicious 'Snap' packages sneak their way into the Snap Store.

There are surely many PPAs which are reputable and provide quality software. Unfortunately there is no 'central clearinghouse', 'watchdog', or 'curator' to which one can turn to verify their trustworthiness. Nevertheless we all place a great deal of trust in the many, many developers of the operating system software we all use and trust. The whole system is based on 'trust'. "Trust but verify" :confused:

And no, it is not practical, feasible, or even possible to 'read the code' as many FLOSS advocates like to claim. Even Linus Torvalds could not possibly read and understand all the lines of code in just the Linux kernel. A quote from Phoronix in 2015: https://www.phoronix.com/scan.php?page=news_item&px=Linux-19.5M-Stats
GitStats showed 19,509,218 lines of code across 520,260 commits from 13,708 authors. There's 49,457 files currently part of the kernel source tree.

So it all boils down to trust. Can you trust a PPA? - probably. But I 'trust' the official repos more.
 
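Two points in this thread deserve a concrete check: the inxi -r output above shows a distro shipping Launchpad PPAs as default sources, and the last post notes that PGP signing only pushes the question back to whose key you trust. The practical detail is that a PPA key imported the classic way (apt-key add, or a file in /etc/apt/trusted.gpg.d) is trusted by apt for every configured repository, not just the PPA it came with, whereas a source line carrying [signed-by=/path/to/key.gpg] limits that key to that one source. The POSIX sh script below is an added example written for this thread, not code from the posts or from any distro. It parses apt source lines, reports each Launchpad PPA (ppa.launchpad.net and the newer ppa.launchpadcontent.net host), and flags those whose key is not scoped with signed-by. The sample sources are constructed to mirror the Peppermint output above; the "example/ppa" entry and its keyring path are hypothetical.

```shell
#!/bin/sh
# Audit apt source lines for Launchpad PPAs and key scoping.
# Added example for this thread; not from the original posts or any distro.

# Constructed sample input, modelled on the inxi -r output in the thread.
# The example/ppa line and its keyring path are hypothetical.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
# PPAs added the classic way: their key sits in the global trusted keyring
deb http://ppa.launchpad.net/peppermintos/p9-release/ubuntu bionic main
deb http://ppa.launchpad.net/peppermintos/p9-respin/ubuntu bionic main
# Same kind of source, but the key is restricted to this one repository
deb [signed-by=/usr/share/keyrings/example-ppa.gpg] https://ppa.launchpadcontent.net/example/ppa/ubuntu jammy main
EOF

# ppa_audit FILE...: print "<owner>/<ppa><TAB><key scope>" for every
# Launchpad PPA source line found in the given files. Non-PPA sources
# (Ubuntu archives, comments, blank lines) are skipped.
ppa_audit() {
    cat "$@" | while IFS= read -r line; do
        # Only real source lines, not comments or blanks.
        case "$line" in
            deb\ *|deb-src\ *) ;;
            *) continue ;;
        esac

        # First http(s) token is the repository URL; awk avoids shell
        # word splitting on the [signed-by=...] option, which is a glob.
        url=$(printf '%s\n' "$line" | awk '{
            for (i = 1; i <= NF; i++)
                if ($i ~ /^https?:\/\//) { print $i; exit }
        }')

        # Keep only Launchpad PPA hosts.
        case "$url" in
            *://ppa.launchpad.net/*|*://ppa.launchpadcontent.net/*) ;;
            *) continue ;;
        esac

        # Owner and PPA name are the first two path components.
        ppa=$(printf '%s\n' "$url" | awk -F/ '{ print $4 "/" $5 }')

        # signed-by pins the PPA key to this source; without it the key
        # must live in the global keyring and can sign any repository.
        case "$line" in
            *signed-by=*) scope="key scoped to this source" ;;
            *) scope="GLOBAL KEY: trusted for every repository" ;;
        esac

        printf '%s\t%s\n' "$ppa" "$scope"
    done
}

ppa_audit "$SAMPLE"
```

On a real system run it as `ppa_audit /etc/apt/sources.list /etc/apt/sources.list.d/*.list`. For each PPA reported with a global key, the Launchpad PPA page lists the signing key fingerprint; compare it with `gpg --show-keys` on the keyring file and, if it matches, move the key to /usr/share/keyrings and add [signed-by=...] to that source line so a compromised PPA key cannot be used to sign updates for the Ubuntu archives themselves.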
