Thursday, October 5, 2017

security - Are PPAs safe to add to my system and what are some "red flags" to watch out for?



I see a lot of interesting programs out there that can only be obtained by adding a "PPA" to the system but, if I'm understanding correctly, we should stay within the official "repositories" for adding software to our system.




Is there any way for a novice to know if a "PPA" is safe or if it should be avoided? What tips should the user know about when dealing with a PPA?.



PPA (Personal Package Archive) are used to include a specific software to your Ubuntu, Kubuntu or any other PPA compatible distro. The "safeness" of a PPA depends mostly on 3 things:




  1. Who made the PPA - An official PPA from WINE or LibreOffice like ppa:libreoffice/ppa and a PPA that I created myself are not the same. You do not know me as a PPA maintainer, so the trust issue and safety is VERY low for me (Since I could have made a corrupted package, incompatible package or anything else bad), but for LibreOffice and the PPA they offer in their website, THAT gives a certain safety net to it. So depending on who made the PPA, how long he or she has been making and maintaining the PPA will influence a little bit on how safe the PPA is for you. PPA's as mentioned above in the comments are not certified by Canonical.


  2. How many users have used the PPA - For example, I have a PPA from http://winehq.org in my personal PPA. Would you trust ME with 10 users that confirm using my PPA having 6 of them saying it sucks than to the one Scott Ritchie offers as ppa:ubuntu-wine/ppa in the official winehq website. It has thousands of users (including me) that use his PPA and trust his work. This is work that has several years behind it.


  3. How updated the PPA is - Let us say you are using Ubuntu 10.04 or 10.10, and you want to use THAT special PPA. You find out that the last update to that PPA was 20 years ago.. O.o. The chances you have on using THAT PPA are null. Why?. Because the package dependencies that PPA needs are very old and maybe the updated ones change so much code that they wont work with the PPA and possibly break your system if you install any of the packages of that PPA to your system.



    How updated a PPA influences the decision to use it if he/she wants to use THAT PPA. If not they would rather go look for another one more up to date. You do not want Banshee 0.1 or Wine 0.0.0.1 or OpenOffice 0.1 Beta Alpha Omega Thundercat Edition with the latest Ubuntu. What you want is a PPA that is updated to your current Ubuntu. Remember that a PPA mentions for what Ubuntu version is made for or multiple Ubuntu versions was made for.




    As an example of this here is an image of the versions that are supported in the Wine PPA:



    enter image description here



    Here you can see that this PPA is supported since Dinosaurs.



    One BAD thing about how updated a PPA is, if the PPA maintainer tends to push into the PPA the latest, greatest and cutting edge version of a specific package. The down side of this is that if you are going to test the latest of something, you ARE going to find some bugs. Try to stick with PPAs that are updated to a stable version and not a unstable, testing or dev version since it might/will contain bugs. The idea of having the latest is also to TEST and say what problems were found and solve them. An example of this are the daily Xorg PPAs and Daily Mozilla PPAs. You will get about 3 daily updates for X.org or Firefox if you get the dailies. This is because of the work the put in there and if you are using their daily PPAs it means you want to help with bug hunting or development and NOT for a production environment.





Basically stick with this 3 and you will be safe. Always look for the maker/maintainer of the PPA. Always see if many users have used it and always see how updated the PPA is. Places like OMGUbuntu, Phoronix, Slashdot, The H, WebUp8 and even here in AskUbuntu are good sources to find many users and articles talking about and recommending some PPAs that they have tested.



Stable PPA Examples - LibreOffice, OpenOffice, Banshee, Wine, Kubuntu, Ubuntu, Xubuntu, PlayDeb, GetDeb, VLC are good and safe PPAs from MY experience.



Semi Stable PPA - X-Swat PPA is a in the middle PPA between bleeding edge and stable.



Bleeding Edge PPA - Xorg-Edgers is a bleeding edge PPA although I should mention that after 12.04, this PPA has become more and more stable. I would still mark it as bleeding edge but it is stable enough for end users.



Selectable PPA - Handbrake offers here a way for the user to choose, do you want a stable version or do you want the bleeding edge (Also referred to as Snapshot) version. In this case you can select what you want to use.




Note that in the case of using for example the X-Swat ppa with the Xorg-Edgers PPA, you will get a mixed between the two (With priority towards Xorg-Edgers). This is because both are trying to include almost the same packages, so they will overwrite each other and only the most updated one will show in your repositories (Except if you manually tell it to grab the package from X-Swat).



Some PPAs might update some of your packages when you add them to your repository because they will overwrite with their own version a certain package to make the PPA software work on your system correctly. This might be some code packages, python versions, etc.. Other like the LibreOffice PPA will remove all existence of the OpenOffice from your system to install the LibreOffice packages there. Basically read what other users have commented about a specific package and also read if the package is compatible with your Ubuntu version.



As the comment below suggest by Jeremy Bicha, some bleeding edge (PPAs that stay very up to date including adding Alpha, Beta or RC quality software in the PPA) could potentially damage your whole system (In the worst case). Jeremy mentions an example of many.


No comments:

Post a Comment

11.10 - Can't boot from USB after installing Ubuntu

I bought a Samsung series 5 notebook and a very strange thing happened: I installed Ubuntu 11.10 from a usb pen drive but when I restarted (...