PPA's: the main security Achilles' heel?


Re: PPA's: the main security Achilles' heel?

Post by thom_A »

Anyone using Grub Customizer?

I'm getting my third update which show up along with Mint updates.

Any idea what these updates all about?

Post by Cosmo. »

I don't use it; too much risk for problems.

Open /usr/share/doc and open the subfolder for the program. You should find a changelog or a readme (mostly inside of an archive file) inside.

Post by MintBean »

I'm hoping that the ability to use snap packages will be implemented in Mint at some stage and if this is the case, it will alleviate one major reason for PPA use, that being to get more up-to-date versions of software than in the repositories.

Post by Portreve »

Pjotr wrote: In his February monthly news, Clem has expressed concerns about the potential security risk of PPA's:
http://blog.linuxmint.com/?p=3007 ...
Pjotr:

While I understand your concerns and intentions, I'm sad to say I think what you're kind of proposing is — of necessity — a sort of "nanny state" which, no matter how well-intentioned, does not work and will ultimately either be ignored by people or simply drive people away through unintended irritation.

“I wanted a better operating system than Windows,” begins the train of thought of, well, technically any GNU+Linux convert from the Microsoft world, “but my computer / my personal identity / all the cheese in my house got hijacked anyhow with this stupid Linux thing” (and therefore) “Linux isn't really any better than Windows, so f*** it” goes the train of thought of those who aren't knowledgeable enough, frankly, for their own good. And therein lies the true problem: an absence of personal responsibility which no external power can ever truly mandate into existence.

I don't believe this is a "problem" in the classical sense which "can be solved" in the generally understood meaning of the phrase. The only thing which really can be done is education. But, like anything else, if people choose to remain ignorant or malinformed / disinformed / misinformed, then there's not much you can do. Besides, it's not like this is some kind of public policy issue, like science and the global environment, marriage equality, or whether we should fund NASA's or the NSF's budgets, right?

Or, as Vsauce's Michael Stevens often likes to ponder, is it?

Many GNU+Linux distros have splash screens and related information pages attached to the setup-and-installation process. The top distros for the lay public to use (Fedora, SuSE, Ubuntu, LinuxMint, etc.) go beyond that by having full-on slideshow presentations. There is a compelling argument, I believe, to be made for taking that opportunity to educate the user about relevant security issues, like the use of PPAs, and an opportunity to extend something like a gracious version of customer service to the person installing the software.

Also, given that in a great many cases, the person doing the installation is not the owner of the computer, this can be followed up with, and buttressed by, some initial information pages which appear on the desktop at every log-in, until such time as the user chooses to dismiss them permanently. Could said installer of GNU+Linux essentially sabotage this process by permanently dismissing these pages him- or herself "on behalf of" the computer's owner? Sure. This is the real world. People do things on behalf of others, for better or worse, all the time. You simply cannot stop that.

Again, this does ultimately go back to the issue of personal responsibility. And, frankly, if someone decides, philosophically speaking, to march their a** off the edge of a cliff, then that's what they're going to do. Es ist was es ist.

Something LinuxMint (and, to be fair, other distros as well) already does which I think is great is to have the default setup in Firefox be what it presently is, with links to LinuxMint-related resources. Put all the resources out there at the user's fingertips. Maybe even have as part of the default desktop background image a non-obnoxious link to LinuxMint's home.

But, above all, here are two points I'd like to make when it comes to giving warnings of any kind:

NEVER, EVER GIVE A WARNING WITHOUT A CLEAR EXPLANATION.

and

NEVER, EVER FORGET WHAT DEMOGRAPHIC YOUR AUDIENCE IS A PART OF.

There you have it: my 2¢ on the subject. :lol:
Flying this flag in support of freedom 🇺🇦

Recommended keyboard layout: English (intl., with AltGR dead keys)

Podcasts: Linux Unplugged, Destination Linux

Also check out Thor Hartmannsson's Linux Tips YouTube Channel

Post by Pjotr »

@Portreve: I'm not trying to introduce a "nanny state".... Just identifying and discussing real risks. :)

This might help those who are interested in creating and maintaining a secure and stable system. For those who don't give a damn, well, it's a free world. :mrgreen:
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Post by RichardFreeman »

By definition, a PPA is a security risk because malicious code can be injected at any time.
Theoretically, you'd have to check the source on every update. Nobody does this, I suppose.

Also, by definition, installing software from a PPA can break your system, thus it is a risk of stability.

I won't and can't offer a solution regarding these problems.

Of course, there are risks which can be addressed:
1) PPA has not been updated for a long time
2) PPA is distributed by maleficent owner
3) PPA is not functioning properly
Solution:
- display PPA stats when PPA is added (i.e. number of users/downloads, last update, ...) which indicate a trustworthy PPA
- enable reviews and introduce a star rating (see Software center)
Of course, all of this can be achieved by the user of the PPA himself.
The idea is to provide this information instead of trusting the user to know how to get this information.

Post by bad medicine »

RichardFreeman wrote:
Solution:
- display PPA stats when PPA is added (i.e. number of users/downloads, last update, ...) which indicate a trustworthy PPA
- enable reviews and introduce a star rating (see Software center)
Of course, all of this can be achieved by the user of the PPA himself.
The idea is to provide this information instead of trusting the user to know how to get this information.

As a newbie, this whole PPA business is the most difficult to navigate. I read "stay away from PPA's" and then when faced with a problem the solution is often software from a PPA (Firejail is a good example). How does a newbie know when a PPA is safe, and when a specific program is safe?
Thinkpad T410 Mint 19.3 Cinnamon

Post by Pjotr »

bad medicine wrote: As a newbie, this whole PPA business is the most difficult to navigate. I read "stay away from PPA's" and then when faced with a problem the solution is often software from a PPA (Firejail is a good example). How does a newbie know when a PPA is safe, and when a specific program is safe?
You can never be really sure about PPA's, but these are good practices to estimate their trustworthiness:

- Who is the maintainer of the PPA? Just one anonymous individual, or a crew of people with a good reputation (check their contributions by means of their Launchpad profile)?

- Is the PPA dead or actively maintained (check the latest code contributions)?

- Ask on a forum like this, whether the dwellers here have experience with that particular PPA.

But most importantly: only use a PPA when *really* necessary, when it's needed to solve a serious problem. Not just to have the latest version of application X because it's so new and shiny....

Post by thom_A »

bad medicine wrote: As a newbie, this whole PPA business is the most difficult to navigate. I read "stay away from PPA's" and then when faced with a problem the solution is often software from a PPA (Firejail is a good example). How does a newbie know when a PPA is safe, and when a specific program is safe?
Excellent point.

I've mentioned that I've been using Grub Customizer ever since I discovered it, just shortly after installing or committing to adding a Linux distro onto my multi-boot system. That was about a year ago. I have lost track of how many times I have installed, uninstalled Mint flavors, not to mention other distros. Probably hundreds.

It's a simple program. It allows you to clean up the boot entries and reorder them in any order you want. It's an essential program that should have been part of any Linux distro, a program that newbies would almost be sure to be looking for. But it's not. You have to look for it and grab it as a PPA.
Last edited by thom_A on Tue Apr 26, 2016 11:53 am, edited 7 times in total.

Post by thom_A »

wrong edit.

Post by bad medicine »

If programs are deemed "safe" by whoever deems such things (again I'll use Firejail as example), why can't they be included in the Mint repository? Is it copyright, or other reason? Is the Mint repository only for software written by the Mint team? (whoever they may be...)

Post by Pjotr »

bad medicine wrote:If programs are deemed "safe" by whoever deems such things (again I'll use Firejail as example), why can't they be included in the Mint repository? Is it copyright, or other reason? Is the Mint repository only for software written by the Mint team? (whoever they may be...)
Firejail is too new for Ubuntu 14.04 / Mint 17.x, so you have to use a PPA. But it's present in the official repos of Ubuntu 16.04 / the upcoming Mint 18: in the Universe repo, to be exact.

The Mint repo is generally for Mint-only stuff. What makes its way into the Ubuntu repos is decided by Canonical (the repo Main) or by the MOTUs (the repos Universe and Multiverse).

Post by thom_A »

Pjotr wrote: Furthermore, no less important: how can we raise awareness among Linux Mint users, that they should be critical and restrictive about the PPA's they want to add?
This statement is pointless for reasons already mentioned. Until there are alternatives, users won't be shying away from PPAs anytime soon.

Post by Pjotr »

thom_A wrote:
Pjotr wrote: Furthermore, no less important: how can we raise awareness among Linux Mint users, that they should be critical and restrictive about the PPA's they want to add?
This statement is pointless for reasons already mentioned. Until there are alternatives, users won't be shying away from PPAs anytime soon.
On the contrary, *your* statement is fully pointless... :lol:

I'm not talking about staying away from PPA's in all cases. I'm talking about educating the users to be restrictive and critical with them, so that they only use PPA's whenever they *really* need them.

People should learn not to be "click cattle" (Windows) nor "PPA cattle" (Mint). They should be educated to use the little grey cells on top of their neck. :mrgreen:

Post by bad medicine »

Pjotr wrote:
bad medicine wrote: As a newbie, this whole PPA business is the most difficult to navigate. I read "stay away from PPA's" and then when faced with a problem the solution is often software from a PPA (Firejail is a good example). How does a newbie know when a PPA is safe, and when a specific program is safe?
You can never be really sure about PPA's, but these are good practices to estimate their trustworthiness:

- Who is the maintainer of the PPA? Just one anonymous individual, or a crew of people with a good reputation (check their contributions by means of their Launchpad profile)?

- Is the PPA dead or actively maintained (check the latest code contributions)?

- Ask on a forum like this, whether the dwellers here have experience with that particular PPA.

But most importantly: only use a PPA when *really* necessary, when it's needed to solve a serious problem. Not just to have the latest version of application X because it's so new and shiny....
I can't print double-sided in Mint. I wouldn't call it a serious problem because I can always do it in Windows (well maybe that's the definition of a serious problem :lol: ), but since I haven't touched Windows in over a month I'd like to keep that streak going. In another thread, Boomaga was recommended. They linked me to https://launchpad.net/~boomaga/+archive/ubuntu/ppa

Can someone show me how to go through the steps you've outlined above for this ppa? I don't know how to answer those questions (other than asking the forum for opinions) in order to evaluate the program or ppa. From what I can glean it looks like a single program ppa written by a single person, who may be very reliable but I don't know that.
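A worked example of the checks Pjotr lists above, applied to the apt configuration of a Mint/Ubuntu machine. This is added here as an illustration; it is not code from this thread, from Linux Mint or from Launchpad. Given the configured apt sources and the output of `apt-cache policy`, it lists every PPA together with the Launchpad page to inspect (maintainer, team members, date of the last upload), reports which installed packages come from a PPA or from no repository at all any more (the leftover of a dead or removed PPA), and writes an apt pin that restricts a PPA to the one package you added it for. The Boomaga source line corresponds to the Launchpad link quoted above; the second PPA (`example-team/tools`), the version numbers and the policy output are constructed samples. The `LP-PPA-<owner>[-<archive>]` origin string is the convention Launchpad uses in its Release files; confirm it in the `release o=...` line of `apt-cache policy` before relying on the pin.

```python
"""Audit Launchpad PPAs on a Mint/Ubuntu system: which are configured, which installed
packages come from one (or from no repo any more), and an apt pin that confines a PPA."""
from __future__ import annotations
import re
from dataclasses import dataclass

# PPAs are served from ppa.launchpad.net (older) or ppa.launchpadcontent.net (newer).
PPA_URI_RE = re.compile(
    r"^https?://ppa\.launchpad(?:content)?\.net/(?P<owner>[^/\s]+)/(?P<archive>[^/\s]+)/ubuntu/?$")


@dataclass(frozen=True)
class Ppa:
    owner: str
    archive: str

    @property
    def label(self) -> str:
        return f"ppa:{self.owner}/{self.archive}"

    @property
    def launchpad_url(self) -> str:  # page to check: maintainer, team members, date of last upload
        return f"https://launchpad.net/~{self.owner}/+archive/ubuntu/{self.archive}"

    @property
    def origin(self) -> str:  # "Origin" of the PPA's Release file, the o=... apt-cache policy shows
        return f"LP-PPA-{self.owner}" + ("" if self.archive == "ppa" else f"-{self.archive}")


def ppa_from_uri(uri: str) -> Ppa | None:
    m = PPA_URI_RE.match(uri)
    return Ppa(m["owner"], m["archive"]) if m else None


def parse_sources(text: str) -> list[Ppa]:
    """PPAs in one-line apt sources ("deb [opts] URI SUITE COMPONENTS..."); comments ignored."""
    rows = (re.sub(r"\[[^\]]*\]", "", ln.split("#", 1)[0]).split() for ln in text.splitlines())
    found = [ppa_from_uri(t[1]) for t in rows if len(t) >= 3 and t[0] in ("deb", "deb-src")]
    return [p for p in dict.fromkeys(found) if p]  # drop non-PPA lines, merge deb/deb-src pairs


def parse_policy(text: str) -> dict[str, dict]:
    """`apt-cache policy pkg...` output -> {pkg: {"installed": ver|None, "sources": [uri, ...]}}."""
    result = {}
    for block in re.split(r"^(?=\S)", text, flags=re.M):  # one block per unindented "pkg:" line
        if not block.strip():
            continue
        pkg, _, body = block.partition(":")
        inst = re.search(r"^\s*Installed:\s*(\S+)", body, re.M)
        # "***" marks the installed version; the "<prio> <uri|path> ..." rows right under it
        # list where exactly that version can still be fetched from
        rows = re.search(r"^\s*\*\*\*.*\n((?:[ \t]+\d+[ \t]+\S+.*\n?)*)", body, re.M)
        result[pkg] = {"installed": None if not inst or inst[1] == "(none)" else inst[1],
                       "sources": [r.split()[1] for r in rows[1].splitlines()] if rows else []}
    return result


def classify(policy: dict[str, dict]) -> dict[str, str]:
    """Label each package "ppa:<owner>/<archive>", "distro", "orphaned" or "not installed"."""
    verdict = {}
    for pkg, info in policy.items():
        repos = [u for u in info["sources"] if "://" in u]
        if info["installed"] is None:
            verdict[pkg] = "not installed"
        elif not repos:  # only /var/lib/dpkg/status left: PPA removed, or the version vanished
            verdict[pkg] = "orphaned"
        else:            # a distro repo (Ubuntu/Mint) carrying the same version wins over a PPA
            labels = [getattr(ppa_from_uri(u), "label", "distro") for u in repos]
            verdict[pkg] = "distro" if "distro" in labels else labels[0]
    return verdict


def pin_preferences(ppa: Ppa, allowed: list[str]) -> str:
    """/etc/apt/preferences.d fragment: only `allowed` may come from the PPA, the rest is pinned to -1."""
    out = [f"Package: {p}\nPin: release o={ppa.origin}\nPin-Priority: 500\n" for p in allowed]
    out.append(f"Package: *\nPin: release o={ppa.origin}\nPin-Priority: -1\n")
    return "\n".join(out)


# Constructed sample input, not captured from a real machine; versions and the second PPA are made up.
SAMPLE_SOURCES = """\
deb http://archive.ubuntu.com/ubuntu xenial main restricted universe multiverse
deb http://ppa.launchpad.net/boomaga/ppa/ubuntu xenial main
deb-src http://ppa.launchpad.net/boomaga/ppa/ubuntu xenial main
deb [arch=amd64] https://ppa.launchpadcontent.net/example-team/tools/ubuntu xenial main
"""
SAMPLE_POLICY = """\
boomaga:
  Installed: 1.0.0-1~xenial
  Candidate: 1.0.0-1~xenial
  Version table:
 *** 1.0.0-1~xenial 500
        500 http://ppa.launchpad.net/boomaga/ppa/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
grub-customizer:
  Installed: 5.0.5-0~ppa1
  Candidate: 5.0.5-0~ppa1
  Version table:
 *** 5.0.5-0~ppa1 100
        100 /var/lib/dpkg/status
"""

if __name__ == "__main__":
    print(*(f"{p.label:28} {p.launchpad_url}" for p in parse_sources(SAMPLE_SOURCES)), sep="\n")
    print(classify(parse_policy(SAMPLE_POLICY)), pin_preferences(Ppa("boomaga", "ppa"), ["boomaga"]), sep="\n")
```

On a real machine feed it the output of `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list` and of `apt-cache policy $(dpkg-query -W -f='${binary:Package}\n')`; the source parser reads the one-line format only, not the newer deb822 `.sources` files. An "orphaned" verdict is the case RichardFreeman describes as a PPA that stopped being updated: the package is still installed but nothing you trust carries that version any longer, so it gets no security fixes. A `Pin-Priority: -1` on `Package: *` means apt will never pull anything else the PPA offers, which limits what a careless or compromised PPA can push onto the system to the one package you deliberately asked for.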

Post by Portreve »

In most cases, things I have had to set up a PPA for are now available directly. I think I've only got a couple, for like maybe HP (if it sets up a PPA, not sure) and I really can't think of anything else right this second. But it used to be I'd have to set up a bunch of PPAs (like 5 or 6) to get everything installed that I want.