Pjotr wrote: So the question is: how can this potential risk be mitigated?
Not at all.
PPAs exist just as downloads exist. If the user wants the one or the other, he will do it. The only option would be to do as the preacher in the desert: whether somebody listens to you is beyond your influence.
Having said that, it must also be said that not every PPA is to be evaluated equally; in other words, the risks of two different PPAs are probably very different.
Take as an example the PPA Oracle itself provides for VirtualBox. Assuming that their servers do not get hacked - no server can be given a 100 % guarantee against that - and that Oracle did not make a major mistake in their software, this PPA is supposedly as safe as the official repository. Although this PPA is not an official Mint / Ubuntu repository, it is an official Oracle repository.
This means you cannot treat every PPA as equal with regard to Clem's blog.
What could theoretically be imagined would be a kind of audit for PPAs. I doubt that this is practically doable and I don't know who would be ready to do so. As all PPAs which are applicable to the Main edition are in the end for the Ubuntu OS (at least those that I know), this would most likely have to be done by Canonical. I don't think that they will do this, and if they did, they could also add the audited software to their own repository.
So at the end:
You can tell users to be careful when using PPAs, just as you can tell them to be careful with mail attachments or with clicking every link they find, and so on, but there your options end.
Regarding Clem's blog: I am not really sure how to understand this passage. The respective paragraph starts with gufw and ends with gufw, and in the middle come remarks about third-party software and scanners; I don't understand this relationship. He wrote that he will look into that, but I don't understand this in the sense that he already has a doable plan.
What I could imagine with regard to sources which at first offer legitimate packages for months and then suddenly spread malware is a further distinction in the update manager, showing whether an offered package comes from an official repository or from a private one. At the moment it is nearly impossible for the user to tell this from inside the update manager.
Whether this brings much without the above-mentioned but unlikely audit is the question, but it could be an option.
Quite another idea with regard to what cholq wrote about users who don't regularly (or at all) read blogs and posts:
The update manager could get an enhancement which, in case there is a message, shows it via Mint's notification system, where the user could directly click a link to go to the blog. If this already existed, the mass e-mail we got a few days ago would not have been necessary. So it would have saved the team much work sending those mails, without the risk that they get filtered out as spam on the receiver side. And the problem killer de bug reported here would also not exist.
BTW - and don't forget that questions about security do not start and do not end with questions about PPAs - such an enhancement could also be used to give the user with an outdated system a message that he has to upgrade his system in the next weeks or months. Of course this cannot help for the still existing Mint 16 and below systems, but it could be useful next year for Mint 13 systems, if this were implemented.
Of course there should be an option in the system settings or in the update manager settings to not show such messages; some users don't feel comfortable with that.
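The post above says that a user currently cannot tell from inside the update manager whether an offered package comes from an official repository or from a PPA. The following shell script is an added example (not part of the post, and not Mint or Ubuntu code) that answers that question from the command line by classifying the output of `apt-cache policy <package>`: it finds the sources the Candidate version would be downloaded from and reports official, ppa, third-party, or no-repo (installed but no longer offered by any configured repository, which is what is left behind after a PPA is removed). The list of "official" hosts is an assumption for illustration and should be extended with your own mirrors; the three sample policy outputs are constructed, not captured from a real machine. The VirtualBox sample follows the post's own example of a vendor repository that is neither a Mint/Ubuntu source nor a Launchpad PPA.

```shell
#!/bin/sh
# Added example, not Mint/Ubuntu code: tell where the *candidate* version of a
# package would be downloaded from, based on the output of `apt-cache policy PKG`.
# Verdicts: official | ppa | third-party | no-repo (only /var/lib/dpkg/status,
# i.e. an installed package that no configured repository offers any more).

# classify_origin URL-or-path -> official | ppa | third-party | local
# The host list is an assumption for illustration; add your own mirrors.
classify_origin() {
    case "$1" in
        /*) echo local ;;                                   # e.g. /var/lib/dpkg/status
        *://archive.ubuntu.com/*|*://security.ubuntu.com/*|*://*.archive.ubuntu.com/*) echo official ;;
        *://packages.linuxmint.com/*) echo official ;;
        *://ppa.launchpad.net/*|*://ppa.launchpadcontent.net/*) echo ppa ;;
        *) echo third-party ;;
    esac
}

# candidate_sources < policy-output -> one source URL/path per line for the Candidate version
candidate_sources() {
    awk '
        /^  Candidate:/     { cand = $2; next }
        /^  Version table:/ { intable = 1; next }
        !intable            { next }
        /^ \*\*\* /         { cur = $2; next }           # installed version entry: " *** VER PRIO"
        /^     [^ ]/        { cur = $1; next }           # other version entry:     "     VER PRIO"
        /^        [0-9]+ /  { if (cur == cand) print $2 } # source line:  "        PRIO URL suite arch Packages"
    '
}

# package_origin < policy-output -> one verdict; the least trusted source wins
package_origin() {
    verdict=""
    for src in $(candidate_sources); do
        case "$(classify_origin "$src")" in
            local)       ;;                                  # dpkg status is not a download source
            third-party) verdict=third-party ;;
            ppa)         [ "$verdict" = third-party ] || verdict=ppa ;;
            official)    [ -n "$verdict" ] || verdict=official ;;
        esac
    done
    echo "${verdict:-no-repo}"
}

# Constructed samples in apt-cache policy format (not captured from a real machine).
# Note the first one: the archive also ships the package, but the PPA's higher
# version wins, so the update would come from the PPA.
SAMPLE_PPA='somepkg:
  Installed: (none)
  Candidate: 1.2-3~ppa1
  Version table:
     1.2-3~ppa1 500
        500 http://ppa.launchpad.net/someone/ppa/ubuntu jammy/main amd64 Packages
     1.2-1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages'

SAMPLE_VBOX='virtualbox-7.0:
  Installed: 7.0.0-1~Ubuntu~jammy
  Candidate: 7.0.0-1~Ubuntu~jammy
  Version table:
 *** 7.0.0-1~Ubuntu~jammy 500
        500 https://download.virtualbox.org/virtualbox/debian jammy/contrib amd64 Packages
        100 /var/lib/dpkg/status'

SAMPLE_ORPHAN='oldpkg:
  Installed: 0.9-1~ppa2
  Candidate: 0.9-1~ppa2
  Version table:
 *** 0.9-1~ppa2 100
        100 /var/lib/dpkg/status'

if [ "$#" -gt 0 ] && command -v apt-cache >/dev/null 2>&1; then
    # Real system: ./check_origin.sh pkg1 pkg2 ...
    for pkg in "$@"; do
        printf '%s: %s\n' "$pkg" "$(apt-cache policy "$pkg" | package_origin)"
    done
else
    printf 'sample ppa:    %s\n' "$(printf '%s\n' "$SAMPLE_PPA" | package_origin)"
    printf 'sample vbox:   %s\n' "$(printf '%s\n' "$SAMPLE_VBOX" | package_origin)"
    printf 'sample orphan: %s\n' "$(printf '%s\n' "$SAMPLE_ORPHAN" | package_origin)"
fi
```

Run without arguments it classifies the three constructed samples (ppa, third-party, no-repo); with package names as arguments on a Mint or Ubuntu system it runs `apt-cache policy` for each one. A loop over `dpkg-query -W -f '${Package}\n'` would give the whole-system view the post asks the update manager for, but note that this only says where the bytes come from, not whether the repository owner is trustworthy, which is exactly the audit the post considers unlikely.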