PPA's: the main security Achilles' heel?
Forum rules
Do not post support questions here. Before you post read the forum rules. Topics in this forum are automatically closed 6 months after creation.
Re: PPA's: the main security Achilles' heel?
Anyone using Grub Customizer?
I'm getting my third update which shows up along with Mint updates.
Any idea what these updates are all about?
Re: PPA's: the main security Achilles' heel?
I don't use it; too much risk for problems.
Open /usr/share/doc and open the subfolder for the program. You should find a changelog or a readme (mostly inside of an archive file) inside.
Re: PPA's: the main security Achilles' heel?
I'm hoping that the ability to use snap packages will be implemented in Mint at some stage and if this is the case, it will alleviate one major reason for PPA use, that being to get more up-to-date versions of software than in the repositories.
- Portreve
- Level 13
- Posts: 4870
- Joined: Mon Apr 18, 2011 12:03 am
- Location: Within 20,004 km of YOU!
- Contact:
Re: PPA's: the main security Achilles' heel?
Pjotr wrote: In his February monthly news, Clem has expressed concerns about the potential security risk of PPA's:
http://blog.linuxmint.com/?p=3007 ...
While I understand your concerns and intentions, I'm sad to say I think what you're kind of proposing is — of necessity — a sort of "nanny state" which, no matter how well-intentioned, does not work and will ultimately either be ignored by people or simply drive people away through unintended irritation.
“I wanted a better operating system than Windows,” begins the train of thought of, well, technically any GNU+Linux convert from the Microsoft world, “but my computer / my personal identity / all the cheese in my house got hijacked anyhow with this stupid Linux thing” (and therefore) “Linux isn't really any better than Windows, so f*** it” goes the train of thought of those who aren't knowledgeable enough, frankly, for their own good. And therein lies the true problem: an absence of personal responsibility which no external power can ever truly mandate into existence.
I don't believe this is a "problem" in the classical sense which "can be solved" in the generally understood meaning of the phrase. The only thing which really can be done is education. But, like anything else, if people choose to remain ignorant or malinformed / disinformed / misinformed, then there's not much you can do. Besides, it's not like this is some kind of public policy issue, like science and the global environment, marriage equality, or whether we should fund NASA's or the NSF's budgets, right?
Or, as Vsauce's Michael Stevens often likes to ponder, is it?
Many GNU+Linux distros have splash screens and related information pages attached to the setup-and-installation process. The top distros for the lay public to use (Fedora, SuSE, Ubuntu, LinuxMint, etc.) go beyond that by having full-on slideshow presentations. There is a compelling argument, I believe, to be made for taking that opportunity to educate the user about relevant security issues, like the use of PPAs, and an opportunity to extend something like a gracious version of customer service to the person installing the software.
Also, given that in a great many cases, the person doing the installation is not the owner of the computer, this can be followed up with, and buttressed by, some initial information pages which appear on the desktop at every log-in, until such time as the user chooses to dismiss them permanently. Could said installer of GNU+Linux essentially sabotage this process by permanently dismissing these pages him- or herself "on behalf of" the computer's owner? Sure. This is the real world. People do things on behalf of others, for better or worse, all the time. You simply cannot stop that.
Again, this does ultimately go back to the issue of personal responsibility. And, frankly, if someone decides, philosophically speaking, to march their a** off the edge of a cliff, then that's what they're going to do. Es ist was es ist.
Something LinuxMint (and, to be fair, other distros as well) already does which I think is great is to have the default setup in Firefox be what it presently is, with links to LinuxMint-related resources. Put all the resources out there at the user's fingertips. Maybe even have as part of the default desktop background image a non-obnoxious link to LinuxMint's home.
But, above all, here's two points I'd like to make when it comes to giving warnings of any kind:
NEVER, EVER GIVE A WARNING WITHOUT A CLEAR EXPLANATION.
and
NEVER, EVER FORGET WHAT DEMOGRAPHIC YOUR AUDIENCE IS A PART OF.
There you have it: my 2¢ on the subject.
Flying this flag in support of freedom 🇺🇦
Recommended keyboard layout: English (intl., with AltGR dead keys)
Podcasts: Linux Unplugged, Destination Linux
Also check out Thor Hartmannsson's Linux Tips YouTube Channel
- Pjotr
- Level 24
- Posts: 20140
- Joined: Mon Mar 07, 2011 10:18 am
- Location: The Netherlands (Holland) 🇳🇱
- Contact:
Re: PPA's: the main security Achilles' heel?
@Portreve: I'm not trying to introduce a "nanny state".... Just identifying and discussing real risks.
This might help those who are interested in creating and maintaining a secure and stable system. For those who don't give a damn, well, it's a free world.
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
- Level 1
- Posts: 17
- Joined: Sat Feb 21, 2015 12:13 pm
Re: PPA's: the main security Achilles' heel?
By definition, a PPA is a security risk because malicious code can be injected at any time.
Theoretically, you'd have to check the source on every update. Nobody does this, I suppose.
Also, by definition, installing software from a PPA can break your system, thus it is a risk of stability.
I won't and can't offer a solution regarding these problems.
Of course, there are risks which can be addressed:
1) PPA has not been updated for a long time
2) PPA is distributed by maleficent owner
3) PPA is not functioning properly
Solution:
- display PPA stats when PPA is added (i.e. number of users/downloads, last update, ...) which indicate a trustworthy PPA
- enable reviews and introduce a star rating (see Software center)
Of course, all of this can be achieved by the user of the PPA himself. The idea is to provide this information instead of trusting the user to know how to get this information.
- Level 4
- Posts: 431
- Joined: Mon Mar 28, 2016 9:13 am
Re: PPA's: the main security Achilles' heel?
RichardFreeman wrote:
Solution:
- display PPA stats when PPA is added (i.e. number of users/downloads, last update, ...) which indicate a trustworthy PPA
- enable reviews and introduce a star rating (see Software center)
Of course, all of this can be achieved by the user of the PPA himself. The idea is to provide this information instead of trusting the user to know how to get this information.
As a newbie, this whole PPA business is the most difficult to navigate. I read "stay away from PPA's" and then when faced with a problem the solution is often software from a PPA (Firejail is a good example). How does a newbie know when a PPA is safe, and when a specific program is safe?
Thinkpad T410 Mint 19.3 Cinnamon
- Pjotr
- Level 24
- Posts: 20140
- Joined: Mon Mar 07, 2011 10:18 am
- Location: The Netherlands (Holland) 🇳🇱
- Contact:
Re: PPA's: the main security Achilles' heel?
bad medicine wrote: As a newbie, this whole PPA business is the most difficult to navigate. I read "stay away from PPA's" and then when faced with a problem the solution is often software from a PPA (Firejail is a good example). How does a newbie know when a PPA is safe, and when a specific program is safe?
You can never be really sure about PPA's, but these are good practices to estimate their trustworthiness:
- Who is the maintainer of the PPA? Just one anonymous individual, or a crew of people with a good reputation (check their contributions by means of their Launchpad profile)?
- Is the PPA dead or actively maintained (check the latest code contributions)?
- Ask on a forum like this, whether the dwellers here have experience with that particular PPA.
But most importantly: only use a PPA when *really* necessary, when it's needed to solve a serious problem. Not just to have the latest version of application X because it's so new and shiny....
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Re: PPA's: the main security Achilles' heel?
bad medicine wrote: As a newbie, this whole PPA business is the most difficult to navigate. I read "stay away from PPA's" and then when faced with a problem the solution is often software from a PPA (Firejail is a good example). How does a newbie know when a PPA is safe, and when a specific program is safe?
Excellent point.
I've mentioned that I've been using Grub Customizer ever since I discovered it, just shortly after installing or committing to adding a Linux distro onto my multi-boot system. That was about a year ago. I have lost track of how many times I have installed and uninstalled Mint flavors, not to mention other distros. Probably hundreds.
It's a simple program. It allows you to clean up the boot entries and reorder them in any order you want. It's an essential program that should have been part of any Linux distro. A program that newbies would almost be sure of looking for. But it's not. You have to look for it and grab it as a PPA.
Last edited by thom_A on Tue Apr 26, 2016 11:53 am, edited 7 times in total.
Re: PPA's: the main security Achilles' heel?
wrong edit.
- Level 4
- Posts: 431
- Joined: Mon Mar 28, 2016 9:13 am
Re: PPA's: the main security Achilles' heel?
If programs are deemed "safe" by whoever deems such things (again I'll use Firejail as example), why can't they be included in the Mint repository? Is it copyright, or other reason? Is the Mint repository only for software written by the Mint team? (whoever they may be...)
Thinkpad T410 Mint 19.3 Cinnamon
- Pjotr
- Level 24
- Posts: 20140
- Joined: Mon Mar 07, 2011 10:18 am
- Location: The Netherlands (Holland) 🇳🇱
- Contact:
Re: PPA's: the main security Achilles' heel?
bad medicine wrote: If programs are deemed "safe" by whoever deems such things (again I'll use Firejail as example), why can't they be included in the Mint repository? Is it copyright, or other reason? Is the Mint repository only for software written by the Mint team? (whoever they may be...)
Firejail is too new for Ubuntu 14.04 / Mint 17.x, so you have to use a PPA. But it's present in the official repo's of Ubuntu 16.04 / the upcoming Mint 18: in the Universe repo, to be exact.
The Mint repo is generally for Mint-only stuff. What makes its way into the Ubuntu repo's, is decided by Canonical (the repo Main) or by the MOTU's (the repo's Universe and Multiverse).
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Re: PPA's: the main security Achilles' heel?
Pjotr wrote: Furthermore, no less important: how can we raise awareness among Linux Mint users, that they should be critical and restrictive about the PPA's they want to add?
This statement is pointless for reasons already mentioned. Until there are alternatives, users won't be shying away from PPAs anytime soon.
- Pjotr
- Level 24
- Posts: 20140
- Joined: Mon Mar 07, 2011 10:18 am
- Location: The Netherlands (Holland) 🇳🇱
- Contact:
Re: PPA's: the main security Achilles' heel?
thom_A wrote:
Pjotr wrote: Furthermore, no less important: how can we raise awareness among Linux Mint users, that they should be critical and restrictive about the PPA's they want to add?
This statement is pointless for reasons already mentioned. Until there are alternatives, users won't be shying away from PPAs anytime soon.
On the contrary, *your* statement is fully pointless...
I'm not talking about staying away from PPA's in all cases. I'm talking about educating the users to be restrictive and critical with them, so that they only use PPA's whenever they *really* need them.
People should learn not to be "click cattle" (Windows) nor "PPA cattle" (Mint). They should be educated to use the little grey cells on top of their neck.
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
- Level 4
- Posts: 431
- Joined: Mon Mar 28, 2016 9:13 am
Re: PPA's: the main security Achilles' heel?
Pjotr wrote:
bad medicine wrote: As a newbie, this whole PPA business is the most difficult to navigate. I read "stay away from PPA's" and then when faced with a problem the solution is often software from a PPA (Firejail is a good example). How does a newbie know when a PPA is safe, and when a specific program is safe?
You can never be really sure about PPA's, but these are good practices to estimate their trustworthiness:
- Who is the maintainer of the PPA? Just one anonymous individual, or a crew of people with a good reputation (check their contributions by means of their Launchpad profile)?
- Is the PPA dead or actively maintained (check the latest code contributions)?
- Ask on a forum like this, whether the dwellers here have experience with that particular PPA.
But most importantly: only use a PPA when *really* necessary, when it's needed to solve a serious problem. Not just to have the latest version of application X because it's so new and shiny....
I can't print double-sided in Mint. I wouldn't call it a serious problem because I can always do it in Windows (well maybe that's the definition of a serious problem), but since I haven't touched Windows in over a month I'd like to keep that streak going. In another thread, Boomaga was recommended. They linked me to https://launchpad.net/~boomaga/+archive/ubuntu/ppa
Can someone show me how to go through the steps you've outlined above for this ppa? I don't know how to answer those questions (other than asking the forum for opinions) in order to evaluate the program or ppa. From what I can glean it looks like a single program ppa written by a single person, who may be very reliable but I don't know that.
Thinkpad T410 Mint 19.3 Cinnamon
- Portreve
- Level 13
- Posts: 4870
- Joined: Mon Apr 18, 2011 12:03 am
- Location: Within 20,004 km of YOU!
- Contact:
Re: PPA's: the main security Achilles' heel?
In most cases, things I have had to set up a PPA for are now available directly. I think I've only got a couple, for like maybe HP (if it sets up a PPA, not sure) and I really can't think of anything else right this second. But it used to be I'd have to set up a bunch of PPAs (like 5 or 6) to get everything installed that I want.
Flying this flag in support of freedom 🇺🇦
Recommended keyboard layout: English (intl., with AltGR dead keys)
Podcasts: Linux Unplugged, Destination Linux
Also check out Thor Hartmannsson's Linux Tips YouTube Channel