Ubuntu – Which Ubuntu repositories are totally safe and free from malware


I read in the news about all the malware that is infecting Android OS. The malware is in Google's App Store and people are unknowingly downloading and installing it.

As I understand, Ubuntu's Main repository is safe for me to download from (I won't be infected with malware from doing so) because Canonical engineers review the software. But what about other repos, most notably the Universe repository? Does the Universe repo receive any sort of review to protect from malware? Is it advisable to avoid the Universe repo for fear of unknowingly downloading malware from it?

I've read PPAs are particularly dangerous because they are not reviewed. I'm assuming it is perfectly safe to use the Google Chrome PPA however.

So if I use nothing but the Main & Universe repositories and Google Chrome PPA, will I be protected from unknowingly downloading malware?

If Ubuntu does gain hundreds of millions of users like Mark Shuttleworth predicts, won't Ubuntu PPAs become the malware problem for Ubuntu like Google's App Store is today for Android?

Best Answer

All of the official Ubuntu repositories (encompassing anything that you can find on archive.ubuntu.com or its mirrors, as well as some others) are entirely curated. This means main, restricted, universe, multiverse, as well as -updates and -security. All packages in there have either come from Debian (and so have been uploaded by a Debian Developer) or have been uploaded by an Ubuntu developer; in both cases the package that is uploaded is authenticated by the gpg signature of the uploader.

You can therefore trust that every package in the official archives has been uploaded by either a Debian or Ubuntu developer. Furthermore, the packages you download can be verified by the gpg signatures on the files in the repository, so you can trust that each package you download has been built on the Ubuntu build farm from the source that was uploaded by an Ubuntu or Debian developer¹.

This makes outright malware unlikely - someone in a position of trust would need to upload it, and the upload would be easily traceable to them.

This leaves the question of more surreptitious nefariousness. Upstream developers could put backdoors into otherwise useful software and these could make it into the archive - in universe or multiverse, depending on the license. People do run security audits of the Debian archive, so if this software became popular it's likely that the backdoor would be discovered.

Packages in main have some extra checking and get more love from the Ubuntu security team.

PPAs have almost none of this. The guarantee you get from a PPA is that the packages you download were built on the Ubuntu build infrastructure, and were uploaded by someone with access to one of the GPG keys of the Launchpad account of the listed uploader. There's no guarantee that the uploader is who they say they are - anyone could make a “Google Chrome PPA”. You need to determine trust in some other way for PPAs.

¹: This chain of trust could be broken by an extensive intrusion into the Ubuntu infrastructure, but that's true of any system. The compromise of a developer's gpg key would also allow a black-hat to upload packages to the archive, but since the archive emails the uploader of each package this should be noticed quickly.
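The hash chain the answer describes (signed Release file lists the hash of each Packages index; each Packages stanza lists the hash of one .deb) can be checked by hand. The example below is added here and is not code from the answer or from apt; it works on constructed in-memory Release, Packages and .deb bytes (the package name, paths and contents are made up), and it starts after the one step it does not reproduce: apt first verifies the OpenPGP signature on InRelease against the archive keyring (on Ubuntu, the keys under /etc/apt/trusted.gpg.d/ or /usr/share/keyrings/), and everything below only means something once that signature check has passed.

```python
import hashlib

# Constructed sample archive standing in for files apt would fetch from
# archive.ubuntu.com. Package name, paths and contents are made up for this
# example; the layout (Release -> Packages -> .deb) is the real one.
DEB_PATH = "pool/main/h/hello/hello_2.10-2_amd64.deb"
DEB_BYTES = b"constructed stand-in for the .deb contents"
INDEX_PATH = "main/binary-amd64/Packages"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A Packages index: one RFC-822 style stanza per binary package.
PACKAGES_INDEX = (
    "Package: hello\n"
    "Version: 2.10-2\n"
    "Architecture: amd64\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256_hex(DEB_BYTES)}\n"
    "\n"
).encode()

# The (already signature-verified) Release file covering that index.
RELEASE_FILE = (
    "Origin: Ubuntu\n"
    "Suite: jammy\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES_INDEX)} {len(PACKAGES_INDEX)} {INDEX_PATH}\n"
)


def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256_hex, size)} from the SHA256: section of a Release file."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):
                break  # indented lines belong to the section; anything else ends it
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_bytes: bytes) -> dict:
    """Return {Filename: fields} for every stanza in a Packages index."""
    stanzas = {}
    for block in packages_bytes.decode().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Filename" in fields:
            stanzas[fields["Filename"]] = fields
    return stanzas


def verify_chain(release_text, index_path, packages_bytes, deb_path, deb_bytes):
    """Walk Release -> Packages -> .deb by hash and size. Returns (ok, reason)."""
    listed = parse_release_sha256(release_text)
    if index_path not in listed:
        return False, f"{index_path} is not listed in Release"
    digest, size = listed[index_path]
    if len(packages_bytes) != size or sha256_hex(packages_bytes) != digest:
        return False, "Packages index does not match the signed Release file"

    stanzas = parse_packages(packages_bytes)
    if deb_path not in stanzas:
        return False, f"{deb_path} is not described by the Packages index"
    stanza = stanzas[deb_path]
    if int(stanza["Size"]) != len(deb_bytes) or stanza["SHA256"] != sha256_hex(deb_bytes):
        return False, ".deb does not match the hash recorded in Packages"
    return True, "ok"


if __name__ == "__main__":
    print(verify_chain(RELEASE_FILE, INDEX_PATH, PACKAGES_INDEX, DEB_PATH, DEB_BYTES))
    # A tampered .deb (or a tampered index) breaks the chain at the first mismatch.
    print(verify_chain(RELEASE_FILE, INDEX_PATH, PACKAGES_INDEX, DEB_PATH, DEB_BYTES + b"x"))
```

The point of walking it this way is to see where trust actually enters: only the Release file carries a signature, so a PPA gives you exactly the same mechanical chain, signed by whatever Launchpad key that PPA owner holds. The hashes prove that the bytes are what the signer published, not that the signer is who the PPA's name suggests.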
