Ubuntu – How to investigate/confirm the identity of a PPA maintainer (e.g., Chromium Team)

communitypackagingppaSecuritysoftware-sources

The Chromium Stable PPA (as found here: ppa:chromium-daily/stable) is maintained by Chromium Team (https://launchpad.net/~chromium-team). I assume this is "Google's" Chromium developers? If so, I would assume this PPA is very safe and trustworthy.

But is there a specific procedure or method of investigation that I should/can do to confirm the identity of the maintainer? As I understand it (or at least have read), anyone can create a "Chromium Team" PPA. For safety and security, I'd like to learn how to confirm the identity of PPA maintainers, especially "big name" maintainers like Google or Mozilla.

Best Answer

The "Chromium Team" in Launchpad are Ubuntu developers, not Google developers (except for one, who works on Chromium at Google). You can see this by looking at the team's membership:

https://launchpad.net/~chromium-team/+members#active

The way you would determine if upstream maintainers are active in a team is to see if you recognize names (or email addresses). For the large projects like Mozilla and Chrome where Ubuntu developers work with their respective upstream generally speaking I trust them.

For example the team that runs the Firefox PPA is the same team that maintains Firefox in the distribution, and the team that maintains the Chromium PPA is also the same team that maintains Chromium in the distro.

There's really no way to determine how "trustworthy" a PPA is on a glace (Which is why most people will usually recommend not trusting them by default). Currently there is no real way for you to know just how "official" a PPA is unless it's explicitly mentioned by an upstream as trustworthy (see how XBMC recommends a PPA in that link) or you recognize the people in a team. In Open Source since everything is done in the open trust is something that is earned by people based on behavior. For example I trust someone who works at Mozilla to write my browser and I trust someone who is an Ubuntu developer to package it properly since both organizations have a model of peer review.

Individual PPAs are another matter, there's no guarantee that they won't break anything, but that doesn't mean every one is automatically bad. Chris talks about this a bit about PPA security in this answer:

Which Ubuntu repositories are totally safe and free from malware?

Related Solutions

Ubuntu – How to get a patch applied to a package, when the upstream maintainer does not seem active

The patch can be submitted in from of a bug report, or if a report of the issue already exists , as an comment at launchpad. Please make sure to mark the uploaded file as a patch (there is a checkbox for that), because this will make it easier for us to find patches.

Command-Line – How to (De)Activate a PPA with a Single Command

Even a simpler script to toggle between activating or deactivating a particular ppa. Save the code given below in a file, for instance toggle_ppa.sh.

#!/bin/bash
#
# toggle_ppa.sh
#
# created by souravc (https://askubuntu.com/users/127327/)
# modified by Glutanimate (https://askubuntu.com/users/81372/)
#
# originally released at https://askubuntu.com/q/383605/81372
#
# DESCRIPTION:  Detects if a PPA is active/inactive and deactivates/activates it
#               on user confirmation.
#
# USAGE:        toggle_ppa.sh ppa:launchpaduser/ppaname

### VARIABLES

SOURCEDIRECTORY=/etc/apt/sources.list.d
PPA="$1"

### USAGE CHECKS

## Arguments

if [ -z "$PPA" ]
then
    echo "Error: Please provide a PPA name to toggle between activation/deactivation"
    echo "The PPA name should be formatted as it appears on launchpad, e.g.:
"$0" ppa:webupd8team/y-ppa-manager"
    exit 1
fi

## Root privileges

if [ "$(whoami)" != "root" ]; then
  echo "Error: This script needs root privileges. Restarting..."
  sudo "$0" "$1"
  exit
fi

### MAIN

SOURCELIST_NOPFX="${PPA#*:}" #remove 'ppa:' prefix
SOURCELIST="${SOURCELIST_NOPFX////-}"-$(lsb_release -cs) #replace all slashes with dashes, include release
SOURCEFILE="$SOURCEDIRECTORY"/"$SOURCELIST".list #compose sources list path

if [ -e "$SOURCEFILE" ]
then
    echo "Processing $SOURCEFILE..."
    SOURCE_COMMENTED=$(grep "^\#deb\ " "$SOURCEFILE") #check if sources line is commented
    if [ -z "$SOURCE_COMMENTED" ]
    then
        echo "$PPA is active. Going to deactivate. Proceed? [ y/n ]"
        read ANSWER
        if [ $ANSWER == "y" ]
        then
            sed -i "s/^deb\-src/\#deb\-src/" $SOURCEFILE
            sed -i "s/^deb\ http/\#deb\ http/" $SOURCEFILE
            echo "Updating package index files..."
            sudo apt-get update
            echo "Done."
        else
            echo "Aborted."
            exit 0
        fi
    else
        echo "$PPA is inactive. Going to activate. Proceed? [ y/n ]"
        read ANSWER
        if [ $ANSWER == "y" ]
        then
            sed -i "s/^\#deb\-src/deb\-src/" $SOURCEFILE
            sed -i "s/^\#deb\ http/deb\ http/" $SOURCEFILE
            echo "Updating package index files..."
            sudo apt-get update
            echo "Done."
        else
            echo "Aborted."
            exit 0
        fi
    fi
else
    echo "Error: Source file at $SOURCEFILE for $PPA does not exist. Please check PPA name."
    exit 0
fi

Follow the procedure given at the other answer to keep file in PATH and make it executable.

Usage

sudo toggle_ppa.sh <full-ppa-name>

Example

sudo toggle_ppa.sh ppa:webupd8team/java

How it works

The working principle of this code is the same as in my other answer. The code acts in a very interactive manner. When someone runs this along with ppa name as its argument, it will display the PPA's current status and what the code is going to do on successful execution. Then it will ask permission of the user. Only if the user inputs 'y' to confirm the code will change the status of the PPA and activate/deactivate it. It will immediately abort if the user puts an 'n' for no.