For Ubuntu 11.04 and newer
Before adding a PPA you should be aware of some of the risks involved:
Always remember that PPAs are provided by the community, so be aware of the possible risks before adding a PPA.
First open the Dash by either clicking on the Home button (in the top-left corner) or pressing the Super key.

Search for 'Software Center' and launch the Ubuntu Software Center.

Move the mouse to the top panel where the name of the application is written.
Now go to the Edit menu and select Software Sources.

For newer versions, right-click and click Software and Updates.

Then click Other Software.

Enter your password when prompted.

Switch to the 'Other Software' tab.

Now click 'Add'; a box will appear.

You have to enter the PPA in the box. It can be found in bold on the Launchpad page.

Now click 'Add Source' and close Software Sources. The cache will be refreshed.

Now install the software from the software center.

- Security of Deb and Other Files
You can find a .deb file for a package somewhere on the Internet. Then you can use dpkg -i package.deb and install it. That's no better than picking up an installer for Windows somewhere on the Internet. Don't do it unless you are absolutely sure of the source, and even then make sure you have all of the prerequisite packages already installed.
Deb files, safe or not, do follow a format with hashes, etc. so that they have to be rebuilt if they are changed.
Packages (.deb files) in the Ubuntu repositories are generally built from source on Launchpad build computers, so the contents of the .deb file match the source, and the source can be viewed by anyone. Many packages have teams maintaining them who follow them and are on the lookout for security problems. New source package versions have to be signed properly by gpg keys using public key cryptography before they can be built.
There are now binary only packages available in the Ubuntu Software Center, so the public can't view the source of those. I don't know about these for sure, but I believe they are reviewed before they are made available.
You generally shouldn't install a package with dpkg -i package.deb, but use apt-get or the software center instead, downloading from an Ubuntu repository. You should also avoid picking up any other kind of script that you can't look at and understand completely before you run it.
The multi-user nature of Unix-like systems does mean that if you make a mistake you can mess up your account and its files, but not the accounts and settings of other users that have been established on the same system, nor the operating system itself.
The exception is when you run a command with sudo or have to enter a password to install a package or do other maintenance. These are the times to be very careful about the source of what you are doing. This is very similar to using UAC.
- Executable Files on Removable Media
As long as you are using due care, I don't think you need to maintain programs on removable media. Like Windows, most programs are installed as packages and therefore aren't runnable from removable media (although you could put an entire Ubuntu on a flash drive if you want).
As I mentioned above, .deb files use hashes for the files they include to see that they aren't altered by an attacker. Ubuntu repositories also have gpg keys stored on your system when you install Ubuntu, and there is a signature and chain of hashes followed down to the .deb files to keep things secure. Ubuntu is derived from Debian and that project created this approach.
There are things like autorun in Linux and other Unix-like systems. When you install packages, those packages can cause programs to start at boot time, or when a user logs in to a terminal, or when a user logs into a GUI session. Most users have a (hidden by default) .bashrc file in their home directories that executes when a user logs in to a terminal.
The Ubuntu download web site not only has the .iso files for CDs and DVDs but also message digests (hashes) you can check to make sure the file you retrieved is authentic down to the bit.
Despite everything else, developers make mistakes and potential security problems can creep into software. Running supported versions of Ubuntu means that you will be offered security fixes for items in the main Ubuntu repositories, and often for items in the universe and other repositories. You should apply those fixes. Long-term-support releases like 12.04 (Precise) offer this service for a longer term than other releases of Ubuntu.
I can't personally guarantee that the precautions are perfect, but I think they are pretty good for the current state of the art.
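The signature-and-hash chain the answer above describes, as an added example that is not part of the original post and is not APT's own code: a minimal Python model of the links from the Release file to the Packages index to the .deb, run over constructed sample data. The gpg signature check on the Release file is assumed to have already passed; only the hash links are modelled.

```python
# Added example (not from the original answer): a minimal model of the Ubuntu/Debian
# repository hash chain. APT verifies the gpg signature on the Release file, then the
# Release file's SHA256 entry for each Packages index, then each Packages stanza's
# SHA256 for the .deb it describes. The Release file, Packages index and .deb bytes
# below are constructed sample data; the gpg step is assumed to have passed already.
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def release_entries(release_text: str) -> dict:
    """Parse the 'SHA256:' section of a Release file into {path: (hash, size)}."""
    entries, in_sha256 = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_sha256 = True
            continue
        if in_sha256 and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif in_sha256:
            in_sha256 = False  # another section (e.g. MD5Sum:) begins
    return entries


def packages_stanzas(packages_text: str) -> list:
    """Split a Packages index into stanzas, each a dict of field -> value."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in packages_text.strip().split("\n\n")]


def verify_chain(release_text, packages_bytes, packages_path, deb_bytes, deb_filename):
    """Return True only if every link from Release down to the .deb checks out."""
    entry = release_entries(release_text).get(packages_path)
    if entry is None or entry != (sha256_hex(packages_bytes), len(packages_bytes)):
        return False  # index was altered or is not listed in Release
    for st in packages_stanzas(packages_bytes.decode()):
        if st.get("Filename") == deb_filename:
            return (int(st["Size"]) == len(deb_bytes)
                    and st["SHA256"] == sha256_hex(deb_bytes))
    return False  # .deb is not described by the signed index at all


# Constructed sample repository: a fake .deb, the index describing it, the Release file.
DEB = b"!<arch>\ndebian-binary ... constructed sample, not a real package\n"
PACKAGES = ("Package: example\nVersion: 1.0\nFilename: pool/main/e/example_1.0_all.deb\n"
            f"Size: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n").encode()
RELEASE = ("Origin: Ubuntu\nSuite: precise\nSHA256:\n"
           f" {sha256_hex(PACKAGES)} {len(PACKAGES)} main/binary-amd64/Packages\n")
```

A single flipped byte in either the index or the .deb breaks the chain, which is why a stray .deb installed with dpkg -i gets none of this protection.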
Best Answer
PPAs (Personal Package Archives) are used to add specific software to your Ubuntu, Kubuntu or any other PPA-compatible distro. The "safeness" of a PPA depends mostly on 3 things:
Who made the PPA - An official PPA from WINE or LibreOffice like ppa:libreoffice/ppa and a PPA that I created myself are not the same. You do not know me as a PPA maintainer, so the trust and safety are VERY low for me (since I could have made a corrupted package, an incompatible package or anything else bad), but for LibreOffice and the PPA they offer on their website, THAT gives a certain safety net to it. So who made the PPA, and how long he or she has been making and maintaining it, will influence a little bit how safe the PPA is for you. PPAs, as mentioned above in the comments, are not certified by Canonical.
How many users have used the PPA - For example, I have a PPA from http://winehq.org in my personal PPA. Would you trust ME, with 10 users who confirm using my PPA and 6 of them saying it sucks, more than the one Scott Ritchie offers as ppa:ubuntu-wine/ppa on the official winehq website? It has thousands of users (including me) who use his PPA and trust his work. This is work that has several years behind it.
How updated the PPA is - Let us say you are using Ubuntu 10.04 or 10.10, and you want to use THAT special PPA. You find out that the last update to that PPA was 20 years ago.. O.o. The chances you have of using THAT PPA are null. Why? Because the package dependencies that PPA needs are very old, and maybe the updated ones changed so much code that they won't work with the PPA and could possibly break your system if you install any of the packages of that PPA.
How updated a PPA is influences whether someone decides to use THAT PPA. If not, they would rather go look for another one that is more up to date. You do not want Banshee 0.1 or Wine 0.0.0.1 or OpenOffice 0.1 Beta Alpha Omega Thundercat Edition with the latest Ubuntu. What you want is a PPA that is updated to your current Ubuntu. Remember that a PPA mentions which Ubuntu version, or multiple Ubuntu versions, it was made for.
As an example of this here is an image of the versions that are supported in the Wine PPA:
Here you can see that this PPA is supported since Dinosaurs.
One BAD thing about how updated a PPA is: the PPA maintainer may tend to push into the PPA the latest, greatest and cutting-edge version of a specific package. The downside of this is that if you are going to test the latest of something, you ARE going to find some bugs. Try to stick with PPAs that are updated to a stable version and not an unstable, testing or dev version, since it might/will contain bugs. The idea of having the latest is also to TEST and say what problems were found and solve them. Examples of this are the daily Xorg PPAs and daily Mozilla PPAs. You will get about 3 daily updates for X.org or Firefox if you get the dailies. This is because of the work they put in there, and if you are using their daily PPAs it means you want to help with bug hunting or development, NOT use them in a production environment.
Basically stick with these 3 and you will be safe. Always look for the maker/maintainer of the PPA. Always see if many users have used it, and always see how updated the PPA is. Places like OMGUbuntu, Phoronix, Slashdot, The H, WebUpd8 and even here on AskUbuntu are good sources to find many users and articles talking about and recommending some PPAs that they have tested.
Stable PPA Examples - LibreOffice, OpenOffice, Banshee, Wine, Kubuntu, Ubuntu, Xubuntu, PlayDeb, GetDeb, VLC are good and safe PPAs from MY experience.
Semi Stable PPA - The X-Swat PPA is an in-the-middle PPA, between bleeding edge and stable.
Bleeding Edge PPA - Xorg-Edgers is a bleeding edge PPA although I should mention that after 12.04, this PPA has become more and more stable. I would still mark it as bleeding edge but it is stable enough for end users.
Selectable PPA - Handbrake offers here a way for the user to choose: do you want a stable version or do you want the bleeding edge (also referred to as Snapshot) version? In this case you can select what you want to use.
Note that in the case of using, for example, the X-Swat PPA together with the Xorg-Edgers PPA, you will get a mix between the two (with priority towards Xorg-Edgers). This is because both are trying to include almost the same packages, so they will overwrite each other and only the most updated one will show in your repositories (except if you manually tell it to grab the package from X-Swat).
Some PPAs might update some of your packages when you add them to your repository, because they will overwrite a certain package with their own version to make the PPA software work on your system correctly. This might be some code packages, python versions, etc. Others, like the LibreOffice PPA, will remove all existence of OpenOffice from your system to install the LibreOffice packages there. Basically, read what other users have commented about a specific package and also read whether the package is compatible with your Ubuntu version.
As the comment below by Jeremy Bicha suggests, some bleeding-edge PPAs (PPAs that stay very up to date, including adding Alpha, Beta or RC quality software to the PPA) could potentially damage your whole system (in the worst case). Jeremy mentions one example of many.