Saturday, November 27, 2010

Ubuntu PPA Problem - Reason for Concern?

With the release of Ubuntu 9.10 late last year Canonical introduced PPAs, which is short for Personal Package Archives. A PPA allows anyone that has signed the Ubuntu Code of Conduct to easily distribute software they have packaged to Ubuntu users. This revolutionary idea allows those who do not have the capability to establish their own repository to easily provide package updates to their users. Want the latest version of Openshot or PiTiVi? Then simply add a PPA to your system that packages up to date versions of these softwares and you will be set to go!

The problem with this system you ask? There is namely one issue: Canonical does not review any of the packages that are uploaded to PPAs. Because of this adding software from various PPAs wily nilly in reality is more dangerous than installing software on Windows. I say this because not only are you giving root access to the software upon installation, but also every time you run a system update from then after. Meaning even if a PPA provides trusted packages at first, this could change later on.

While it has not happened yet (as far as I am aware), I feel it is only a matter of time before some form of malicious code makes its way into a PPA that is used large scale. If you are comfortable with having software installed on your system from many different sources - that is your own choice (one of the many great things about FOSS). However, if you always need the latest up to date software maybe it is worth considering a rolling release distro such as LMDE or Chakra.

What is your take on this? Am I just blowing hot air and worrying for nothing or could having piles of PPAs on your system cause a potential risk down the line?

~Jeff Hoogland

20 comments:

  1. Debian testing.
    Debian-Multimedia.
    Done.

    ReplyDelete
  2. You are starting to sound like me. LOL

    I have been worrying about this for a while. It is trivial to poison the proverbial PPA well.

    ReplyDelete
  3. You might have misunderstood the role of PPA repositories. it was never meant to be an official channel for updates (bleeding edge or stable). It's for software testing at best.

    ReplyDelete
  4. Regardless of what it was intended for, that is what PPAs are being used for today.

    ReplyDelete
  5. It's not since 9.10, it's been around a lot longer than that. And I wrote about the same worry a long time ago too. :)

    http://www.happyassassin.net/2007/10/24/mistakes/

    ReplyDelete
  6. "The problem with this system you ask? There is namely one issue: Canonical does not review any of the packages that are uploaded to PPAs. Because of this adding software from various PPAs wily nilly in reality is more dangerous than installing software on Windows. I say this because not only are you giving root access to the software upon installation, but also every time you run a system update from then after."

    That's not just hot air yeah it's a serious concern.While we're at it,these days people are asking for core distro specific PPAs as well such as for straight Debian.I think that stringent QC responsibility lies both on software and distro sides for obvious reasons.That's up to them really.Users like me are baffled as to why there's lesser "official" team PPAs like Deluge and Chromium and more independents.

    "However, if you always need the latest up to date software maybe it is worth considering a rolling release distro such as LMDE or Chakra."

    Umm...I must have missed the memo?Tried LMDE last week.Tried MEPIS 11 Alpha 3 just 2 days ago and I'm still going to try a proper Debian Testing netinst soon from Mint's community tut for making an own LMDE.

    1 thing's for sure is that I don't see any updated CURRENT software save for GIMP when I did MEPIS?Can't deal with KDE got old rig.With LMDE I'd end up with broken packages before I even get to updates and some stuff like Firefox are slightly updated than MEPIS a bit but won't get updated to current 3.6.12 that much I'm sure since mintUpdate can't really work with testing atm?

    In short you get core packages' updated faster yes but not software AFAIK.

    ReplyDelete
  7. This issue is the same with upstream, you can't expect Canonical or Red hat to review every bit of code for potential risks. upstream does that by itself. So, how would you know if a certain project is true to it's values? you can't... we rely in the assumption that they won't risk their reputation for just a short sighted goal to compromise, surely that's not enough so one views the source code if they feel they need to.

    Launchpad's PPA works the same way too, try viewing the packager's profile, see their previous engagements and involvements on other projects and communities.

    the advantage of a build system, like Ubuntu's PPA is, Everything is transparent, you can view and inspect the source codes in which the binaries were exactly build on.

    ReplyDelete
  8. Well I do believe that there's risk no matter what system you run. What you're saying is definitely a concern and I don't think it is MORE dangerous than some of the places people download software for windows from.

    ReplyDelete
  9. Some PPA's like you say are maintained by private people and have less guarantees that the stuff is not dangerous or full of malware. However, a lot of PPA's are maintained by development teams of open-source projects, who read each others' commits and work for a common goal. I would trust these PPA's more. Examples: Pidgin Developers PPA, Dockbar-Main PPA, Elementary Art PPA, Spring RTS PPA.

    ReplyDelete
  10. Little point here. Ubuntu can make a PPA disappear if its reported as malware. Even block same item form reentering.

    So its not as bad as windows. Linux evolves with threats. I have no reason to think Ubuntu will not tighten there rights to have a PPA if threats appear.

    Now how can you tighten for direct download software for windows?

    Remember Linux is gaining real-time virus scanning really soon.

    ReplyDelete
  11. Ppas are the users personal choice to use. With choice comes responsibility. Linux is about empowering, sometimes that means empowering the careless.

    ReplyDelete
  12. Some PPAs are good and have been helpful in getting new software and or updates.

    Some PPAs have really helped to enhance the 10.04 desktop experience, without being on the 6 month update rollercoaster.

    Example:
    cairo-dock, compiz, dockbarx. nautilus elementary, equinox, gnomenu, openshot, etc...

    Still on the look out for a ppa for the maverick sound indicator/menu for lucid. LOL

    My major concern has to do is with the potential to break your system or applications, when newer dependencies for lib or dev packages are introduced via a ppa. I have had to do force downgrades a couple of times, and hopefully in the process you are not forced to remove major applications because of dependencies.

    Another major issue is when the packager abandons the PPA. I remember the korn ppa while testing out gnome shell. This was my wake up call, what a mess it was to get that stuff out, without having to re-install.

    Lately i scrutinize every package and it's dependencies before i set up and install from any ppa.
    It seems to work best, when focused on a single stand-alone type applications with a core set of dependencies. But, not with packages that depends on a package thar dpends on, say, ubuntu-desktop, or kubuntu-desktop etc

    Hope someone comes up with a solution for this, but i guess to have the latest apps, you have to deal with this, or build packages from source your self.

    ReplyDelete
  13. Jeff,

    I hear where you are coming from. However, by using Linux, you are already using the work of many authors. Any of the authors - from the kernel on up - can attempt to insert malicious code.

    The nature of open source software puts individual Linux users in a position of 1) trusting the sources, or 2) inspecting the code.

    Do you really trust Apple's or Microsoft's updates? Can you check the source to verify that there is no malicious code? How about Microsoft Genuine Advantage, Microsoft Alexa, iTunes DRM, Novell Moonlight, Sony's Rootkits, Kindle book recalls, etc.

    If you are advocating the notion that Ubuntu is somehow inherently safer than the PPAs (or gdebi for that matter), reread the Cathedral and the Bazaar. I would much rather watch my own back than to trust Canonical (or RedHat, etc.) to do so for me.

    To that end, I maintain BleedingEdge. BleedingEdge is a non-compiled (easy to read source) script written for those who wish to try out software that is not in the Ubuntu repositories. Sometimes the packages are just updated versions of what is already available. Other times, there is no installation candidate. Typically users gain functionality.

    http://sourceforge.net/projects/bleedingedge/

    After BleedingEdge installs the PPAs, it performs the dpkg installs, then removes the PPA entries from /etc/apt/sources.list.d/ This prevents update issues from occurring, but would also not commit Ubuntu to receiving updates from those PPAs.

    One thing that I have noticed is that many projects from the PPAs end up in the main repos. Personally, I think that the PPAs are good cookers for quality projects.

    That being said, running a server and running a desktop have different requirements. When you are running a server, be paranoid. Scan your own machine with Nessus or Nmap. Use Tripwire, Snort, and a Syslog server. Do whatever it takes to reduce downtime and prevent attacks.

    Either way, it's good form to run Top, PS, Netstat, Clam and Wireshark every so often, monitor your modem lights, and watch for a busy hard drive...Remember, trust and vigilance.

    Sincerely,

    Fedelep

    ReplyDelete
  14. Long before PPA's there were (and are) private Debian repos. There's nothing stopping you from creating your own Debian repo. There's nothing stopping you from using a private repo. It's done all the time. Does it serve a purpose? Sure, but the security is only as good as the security of the hosted server which is always an unknown. Who hosts the server? Is it updated? Who has access? All of this is out of your control. Every time you add a repo you take a chance.

    ReplyDelete
  15. This is FUD. You don't have to use PPAs and people who do use them are likely to know the risks and be able to deal with it. Newbies can barely use the Software Centre let alone add PPAs.

    Your suggestion to try Chakra or LMDE shows your real goal which is to draw users away from Ubuntu. I don't know why people insist on taking shots at Ubuntu. If you don't use it then don't complain about it.

    BTW, I am not an Ubuntu user.

    ReplyDelete
  16. LinuxCanuck, why the lie?

    "About Me

    I use Kubuntu mostly but routinely have half a dozen other distros installed at once. I am Microsoft free!"

    ReplyDelete
  17. Poke around the blog a little bit LinuxCanuck - I use mostly Ubuntu and recommend it to others.

    ReplyDelete
  18. Again, what I said above. Neither Linux or any other system in existence is totally secure but most of windows' vulnerabilities in whole or in part are the result of social engineering and user stupidity. That said, it's still WAY easy to hack into the system and install malware. Not so much for even a default install of Linux.

    ReplyDelete
  19. Congrats on your FUD article. It's being constantly retweeted by "Fedora Ambassadors" everywhere, so good job there.

    ReplyDelete
  20. There are other ways to share your software packages besides using PPA's and private Debian servers. One way is to use Dropbox to share your locally built packages with your friends and what not, you can even setup a Debian repo in Dropbox using reprepro.

    If you use Git at all and are not a mono hater, to each his or her own, you can use Sparkle Share. I think they give you like 10 GB for free but it is only for git repos although that may change.

    Still it is your responsibility to make sure the packages are safe. I would suggest installing VirtualBox and use it as a sandbox to test the software before you use it, but this is just my opinion on this. Take what you want and leave the rest.

    ReplyDelete