seeking clarity on ppa,s

Madmogone
Level 2
Posts: 59
Joined: Sat Jun 14, 2014 7:28 am

seeking clarity on ppa,s

Postby Madmogone » Sat Aug 26, 2017 7:43 am

Hi all, just wanting some clarity on using PPAs. Some folk say to never use PPAs as they may contain malware, bugs, etc., but some people appear to use them quite often with no harm done. Is there a site that contains info on these sites, to check on them before using them? I am asking this question as I wish to download Veracrypt and there are several ways of doing this, such as the command line terminal for the PPA (linuxbabe.com) or downloading a tar file from the official site, unpacking it and then installing using the terminal. Installing the PPA in the terminal is easier and quicker than the other way, but is it as safe? I would appreciate some clarity.

Hoser Rob
Level 9
Posts: 2893
Joined: Sat Dec 15, 2012 8:57 am

Re: seeking clarity on ppa,s

Postby Hoser Rob » Sat Aug 26, 2017 8:23 am

It's not just malware or bugs. There's little backwards (or forwards) compatibility in Linux, unlike Windows. You can't expect to install a program that isn't for your point release and expect it to work.

Not only that, you can end up with a system with conflicting libraries, which will break other programs. Newbies have a bad habit of just clicking OK without reading what the installer says.

I do have some things installed from PPAs and .deb files (you can't install Chrome for Linux without the .deb), but it's always for something I actually need and can't get otherwise. Just PPAs for SMplayer and VLC for HEVC playback and a streaming downloader.

If you do use a PPA, do NOT get it from most Linux blogs. There are some good ones (pjotr's is good e.g.) but most are rubbish and I don't trust them. I always get them from their source page, e.g. Launchpad.

xenopeek
Level 24
Posts: 21473
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: seeking clarity on ppa,s

Postby xenopeek » Sat Aug 26, 2017 8:25 am

As far as I know it is so far a theoretical risk (which doesn't mean it's not a real viable risk that warrants thinking about!).

It comes down to trust: do you trust the persons that compiled and packaged the software for you? Ultimately you first have to trust the developers of the software but that's another discussion.

With a PPA somebody else compiled and packaged the software for you. How do you determine whether they haven't been up to something shady like adding malware to the source code before compiling it? How do you determine trust? Do you know who they are? Are they officially associated with the project (as developers, or have the developers named them as official maintainers on their website)? Or are they active and visible in the wider free software community?

Another aspect is that some programs may need newer versions of system libraries than are in your system's official software repositories. A PPA with such a program would include the newer versions of those system libraries and that can lead to unexpected errors when some other program you use, from the official software repositories, doesn't work right with those newer versions. Such problems will be hard to pin down. So also look closely at the list of packages a PPA provides and if it is a long list, be forewarned.

Madmogone
Level 2
Posts: 59
Joined: Sat Jun 14, 2014 7:28 am

Re: seeking clarity on ppa,s

Postby Madmogone » Sun Aug 27, 2017 7:35 am

Hi all, thanks very much for the informative answers to my question. It has cleared up a lot of queries I had and probably helped others also. This also then leads to another question: if someone has downloaded a PPA from one of the various sites out in the wwww. (wicked world wide web, at times), what is the best method to check for vulnerabilities, and will uninstalling that particular programme flush the system of any nefarious code that MAY reside on the system that came with the PPA download, and what is the best procedure to do this? I know that there will be folks out there who use PPAs regularly and have had no problems at all, but it is good practice to get newbies like myself into good practices when wanting extra programs, to ensure that they stay safe online. I look forward to the replies. Cheers all and once again thanks.

xenopeek
Level 24
Posts: 21473
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: seeking clarity on ppa,s

Postby xenopeek » Sun Aug 27, 2017 8:27 am

Madmogone wrote: what is the best method to check for vulnerabilities

Let's keep terminology straight :) With vulnerabilities is generally meant bugs in the program's source code that can be exploited to make the program do something it shouldn't. A security issue. And yes, that is a third aspect to think about before using a PPA: how well is the PPA maintained? When the developers of the program fix some security issues, how long before those fixes are also made available to you through the PPA? Some PPAs are really bad in this respect, the code was just compiled once and packaged for the PPA and no updates are ever made available by the maintainer.

Assuming you instead meant how to check for whether a PPA maintainer has done something shady, that's not trivial. You'd have to compare the source code in the PPA with the source code from the upstream developers and explain all the differences (like, maintainers of a PPA may backport some bugfixes and such or add 3rd party patches or needed patches to make it work on Ubuntu [which PPAs are for]). As PPAs don't implement reproducible builds (a set of software development practices that create a verifiable path from human readable source code to the binary code used by computers) even looking at the source code in the PPA doesn't give the full story.

It boils down to the general advice that you shouldn't download software from websites that you don't trust.

austin.texas
Level 20
Posts: 11710
Joined: Tue Nov 17, 2009 3:57 pm
Location: at /home

Re: seeking clarity on ppa,s

Postby austin.texas » Sun Aug 27, 2017 10:00 am

Madmogone wrote: If someone has downloaded a ppa from one of the various sites out in the wwww. (wicked world wide web, at times), what is the best method to check for vulnerabilities

There is no "antivirus" program that can check for you, effectively, as there is in Windows.
One option is to have a current backup ("restore point" / snapshot) of your Mint OS, so that if anything goes awry, you can restore the previous configuration.
Then you have some level of protection against vulnerabilities and incompatibilities.
There are a lot of ways to do that. My choice is to use fsarchiver. TUTORIAL

Hoser Rob
Level 9
Posts: 2893
Joined: Sat Dec 15, 2012 8:57 am

Re: seeking clarity on ppa,s

Postby Hoser Rob » Sun Aug 27, 2017 10:35 am

How to check ppas for vulnerabilities? As mentioned it's not like running an AV program, and many hacks have zero to do with viruses.

As I said, only use ppas from the host site. Not crap blogs. I don't trust most of them. Pjotr's is a rare exception. Most of the people who run those blogs know more about raising their Google search ranking than Linux.

Breaking things is a bigger issue than security with non repo software.

People used to Windows are used to installing with one click. Well, that's too easy. One reason you couldn't get a virus in Linux just by clicking an email attachment even if it was a Linux virus.

As a result, many new users don't read the text that comes up when they install. If it says it's going to remove a package that isn't part of the app, I'm not going to install it. It's a sign that the app wants to install a library that conflicts with an existing one.

Sztolarsik
Level 1
Posts: 12
Joined: Sun Feb 12, 2017 7:55 pm

Re: seeking clarity on ppa,s

Postby Sztolarsik » Sun Aug 27, 2017 11:06 am

There is no such thing as a perfectly trustworthy download site (not even the official repositories). Even if the people running the PPA are totally trustworthy, someone may have hacked them. Think about it - if even US government systems and large corporations get routinely hacked despite all of their resources, is it reasonable to assume the official repository or someone's PPA is always safe?

The Linux community is generally better off for several reasons. We're a smaller target just because there are fewer Linux users out there, Mint is configured to request a password for privileged commands, & we routinely update our software while on the commercial site the cost often holds you back (I know people who are still running Windows Vista). But if you are looking for perfect security, it just ain't there.

I use PPAs routinely for a few applications that I really want or need: specialized mathematics software that is like never updated in the official repositories, my printer's manufacturer, Google Chrome, etc. For deb files that I download individually, I like to check them on https://www.virustotal.com (which is a damn awesome site, if you ask me).

Have I gotten burned? Yes, absolutely. My system got hosed trying to run the latest LibreOffice. Those are great folks but I went too far out onto the cutting edge and the only way that I could recover was to re-install the OS. But, hey, that is one of the coolest things about Linux Mint: reinstalling from the ISO is trivially easy as long as your home is on a separate partition.

Another thing I recommend is to do staggered backups. You don't have to be as paranoid as I am (I have a dozen external backup disks and also keep backups off-site just in case my house burns down or something). But, again, rsync-ing your /home to an external drive is soooo much easier than trying to do a backup under Windows; why not make use of it?

Petermint
Level 4
Posts: 309
Joined: Tue Feb 16, 2016 3:12 am

Re: seeking clarity on ppa,s

Postby Petermint » Mon Oct 16, 2017 9:11 pm

You want the latest release of Darktable. The Darktable web site directs you to a PPA. That is probably safe. http://www.darktable.org/install/

Any other type of recommendation for a PPA could be bad. You need to know the background of the person recommending a PPA.

You also need to know what is in the PPA. I tested a PPA to get exactly one application updated. The PPA changed Python and everything using Python. Things went forward and backward. There was so much installed, I am surprised it did not include Clippy.

Phalcon installs from a Phalcon specific repository. I have some other things installed from the Debian testing repository. Debian testing is set to priority zero so nothing installs from there automatically. I can then manually select a package specifically from that repository.

PPAs are my last choice unless specifically recommended in the Install page of the application's Web site or by someone I know.
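
Added example, not part of any post in this thread: one way to do the check xenopeek and Petermint describe (look at everything a PPA provides, not just the application you wanted). The package names, versions and the `audit_ppa` helper are constructed for illustration; the two input formats are a Debian `Packages` index and the output of `dpkg-query -W -f='${Package}\t${Version}\n'`. It only reports overlap and does no version comparison.

```python
# Added example: list what a PPA ships beyond the one application you wanted.
# apt keeps downloaded Packages indexes under /var/lib/apt/lists/ after an update.

def parse_packages_index(text):
    """Return {package: version} from Packages-index stanzas (blank-line separated)."""
    found = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue  # continuation of a multi-line field such as Description
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" in fields and "Version" in fields:
            found[fields["Package"]] = fields["Version"]
    return found

def parse_installed(text):
    """Return {package: version} from tab-separated dpkg-query output."""
    return dict(l.split("\t", 1) for l in text.strip().splitlines() if "\t" in l)

def audit_ppa(index_text, installed_text, wanted):
    """Split the PPA's extra packages into overlaps with installed ones and new ones."""
    ppa = parse_packages_index(index_text)
    installed = parse_installed(installed_text)
    extras = sorted(name for name in ppa if name not in wanted)
    overlaps = [(n, installed[n], ppa[n]) for n in extras if n in installed]
    new = [n for n in extras if n not in installed]
    return {"overlaps": overlaps, "new": new}

# Constructed sample index: the wanted app plus two packages that ride along.
SAMPLE_INDEX = """\
Package: exampleapp
Version: 2.4.0-1~ppa1
Depends: python3 (>= 3.6), libexample1
Description: constructed sample application
 second line of the description

Package: python3
Version: 3.6.2-1~ppa1

Package: libexample1
Version: 1.0-1~ppa1
"""

# Constructed sample of installed packages (name<TAB>version).
SAMPLE_INSTALLED = "bash\t4.3-14ubuntu1\npython3\t3.5.1-3\n"

if __name__ == "__main__":
    report = audit_ppa(SAMPLE_INDEX, SAMPLE_INSTALLED, wanted={"exampleapp"})
    for name, old, new in report["overlaps"]:
        print(f"{name}: installed {old}, PPA also ships {new}")
    print("new packages:", ", ".join(report["new"]))
```

Any entry under `overlaps` is a package you already have that the PPA also ships, which is the situation both posts warn about.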

