Just Remember: PPAs are not secure

Story: Debian Could Get PPA Support
Total Replies: 8
Jeff91

Mar 25, 2014
3:29 AM EDT
Just want to echo what I always do - using a PPA on your system is less secure than how you install software on Windows.

Not only are you getting something from a third party source - you are giving that source the ability to roll in new packages every time you run your system updates.
Bob_Robertson

Mar 25, 2014
8:45 AM EDT
Well said, Jeff.
CFWhitman

Mar 25, 2014
11:08 AM EDT
Well, technically a lot of programs in Windows include the ability to automatically install updates. Also, technically you can disable a PPA after the initial installation, and if you don't you also get the chance to hold back updates for individual packages when updating (not that doing so is generally convenient).

Generally, though, either with Windows software or Linux software you are trusting or not trusting the site or packager from where you're getting the packages / updates. At least with PPAs the packages are always signed by the PPA maintainer, so they are secure from being spoofed later on. Some Windows installation packages are not signed. Of course, the equivalent of this in Linux is downloading individual packages. Individual packages can also install PPAs, but Windows programs can do the equivalent as well.

In the end, you have to be judicious and decide for yourself what sources you're going to trust. That's true not only of PPAs but also your distribution maintainer and/or Microsoft, Google, Adobe, Autodesk, etc., etc. Any newer source will not have the track record to be as certain about it one way or another, but size alone certainly doesn't inspire trust in me.

Do you not use the PPA for Pipelight, Jeff? I was pretty sure you were a Pipelight user.
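What "disable a PPA after the initial installation" and "hold back updates" look like in practice, as an added example that is not code from this thread: it works on copies of the apt files under a scratch directory (run it with APT_ROOT=/ as root to apply it to a real system), and the PPA name and its Launchpad origin string are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: keep software installed from a PPA but stop that PPA from
# pushing new builds in with every `apt upgrade`.
set -eu

APT_ROOT="${APT_ROOT:-$(mktemp -d)}"          # scratch dir unless overridden
SRC_DIR="$APT_ROOT/etc/apt/sources.list.d"
PREF_DIR="$APT_ROOT/etc/apt/preferences.d"
mkdir -p "$SRC_DIR" "$PREF_DIR"

# Constructed sample of the file add-apt-repository writes for a PPA.
cat > "$SRC_DIR/example-ppa-trusty.list" <<'EOF'
deb http://ppa.launchpad.net/example/ppa/ubuntu trusty main
# deb-src http://ppa.launchpad.net/example/ppa/ubuntu trusty main
EOF

# active_deb_lines FILE: number of uncommented 'deb' entries apt would read.
active_deb_lines() {
    grep -c '^deb ' "$1" || true
}

# disable_ppa FILE: comment out every active 'deb' line. apt then ignores the
# PPA entirely, but the file stays so it can be re-enabled for a later update.
disable_ppa() {
    sed 's/^deb /# deb /' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# pin_ppa NAME ORIGIN: the gentler option. Priority 100 keeps what is already
# installed from the PPA but prevents automatic upgrades to anything newer it
# publishes; `apt-cache policy` shows each repository's origin (o=...) so you
# can copy the right value. Launchpad PPAs use the form LP-PPA-<owner>-<ppa>.
pin_ppa() {
    cat > "$PREF_DIR/$1" <<EOF
Package: *
Pin: release o=$2
Pin-Priority: 100
EOF
}

# Per-package alternative to pinning a whole origin (needs apt on the host):
#   apt-mark hold <package>
```

Inspect the result afterwards with `apt-cache policy <package>` on a real system; a pinned PPA's candidate version should no longer win over the installed one.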
Jeff91

Mar 25, 2014
12:18 PM EDT
> At least with PPA's the packages are always signed by the PPA maintainer

Why does this mean anything at all? In fact the only thing it means is that it is harder to get man-in-the-middle attacked. You still have to trust the source you are getting packages from. Anyone could easily sign a package that puts malware on your system.

Yes, I use pipelight - but I don't use a PPA. I use Bodhi on all my systems and when software is missing from the repos, I review the source and then package it up and add it to our repos so it is secure for myself and the rest of our users to be using.

Beyond the security issues with PPAs, when you get multiple of them on a single system you can also easily run into package conflicts. Something most users aren't checking for when they are just googling for "How to install program XYZ on Ubuntu" and then they just blindly run commands from whatever site they find.

~Jeff
CFWhitman

Mar 25, 2014
12:58 PM EDT
Well, I believe I explained what it meant, and you proceeded to reiterate (at least part of) the explanation.

I hadn't realized you had Pipelight in the Bodhi repositories. I have the Pipelight PPA on my Bodhi system (HP Chromebook 14). Of course, the Pipelight PPA is run by the Pipelight developers, which means if you trust the software in the first place, the PPAs are not that much of an additional risk.

I don't think that anybody said that there were not issues with PPAs, and possible package conflicts are one of them, along with the security concerns that you mentioned to begin with. All I would say is that there are issues with just about every solution to the problem that PPAs are designed to solve (or just about every solution to every computer problem), and you should be aware of those issues whenever you decide on any particular solution in any particular situation.

I don't think you can use the blanket statement (however true) that, "PPAs are not secure," as a reason that no one should ever use any PPAs. Remember that to a third party some PPAs may be just as small a risk as, for example, the Bodhi repositories. I can make the statement, "No computer software is secure." That statement is also true, and while it is more extreme than, "PPAs are not secure," in the end you still have to use your own judgement.

I want to make it clear that I am not arguing the point. I am just suggesting taking the point with a grain of salt. Of course, that goes double for sources that just say, "Run 'sudo add-apt-repository...'"
BernardSwiss

Mar 25, 2014
8:03 PM EDT
Somewhat off topic, but: can I take it that Bodhi has gotten around to implementing a package signing policy for its repository?

(I haven't been paying very close attention, of late, so I may well have missed it. But in a couple of months I will be looking for a "brain-dead easy" netbook-friendly distro for a relative).
flufferbeer

Mar 26, 2014
12:09 AM EDT
> All I would say is that there are issues with just about every solution to the problem that PPAs are designed to solve (or just about every solution to every computer problem), and you should be aware of those issues whenever you decide on any particular solution in any particular situation.

A catch-all suggestion that deflects any specific criticism of boobunt2's PPAs. Deflection some sorta delayed revenge for debian adopting systemd and boobunt2 following suit, 'cause the CanUBcomical mucky-muck$ couldn't twist debian enough to get their OWN darned Upstart accepted?? Could be, could be...

2c
CFWhitman

Mar 26, 2014
4:55 PM EDT
@flufferbeer

I'm not really sure what you're getting at. That part of my post was meant to be general advice. I certainly am no great fan of Canonical. I've never used plain Ubuntu, though I've used several variations that use the Ubuntu repositories.

The point I was making, in a nutshell, is that PPAs are just repositories. They are essentially the same as any other repositories, which inherently means that they are only as trustworthy as the repository maintainer. The only difference is that PPAs make it easy to add any old repository, no matter how tiny and/or obscure, to your regular Ubuntu system (note that I didn't say possible, because it was always possible by adding a repository to your sources.list file; and that's true in Debian as well). There are some repositories that I consider a small risk (as far as security goes, that is), like the Wine repository, the Pipelight repository, and the Google Chrome repository (though I sometimes wonder just how much of your online activity Google tracks).

I think that Jeff's point is basically that you shouldn't just add repositories willy-nilly to your installation without any consideration of the source because repositories inherently receive even more trust than most individual programs, and that is true.
Jeff91

Mar 27, 2014
8:17 AM EDT
> can I take it that Bodhi has gotten around to implementing a package signing policy for it's repository?

Nope. Our repo is 100% unsigned just like many other Linux distributions (Arch to name a large one). We have a small team and would rather devote efforts to improving the user experience we offer rather than wasting time on minor technicalities that aren't actually going to improve anything end users see.

~Jeff