Question

6

Has there been any malicious PPA so far?

rated 0 times [ 6] [ 0] / answers: 1 / hits: 1139 / 1 Year ago, sun, february 12, 2023, 6:37:22

People often discourage users from using PPAs because the PPA may potentially contain libraries and packages which may break the system.
I have been using PPAs since 2010, and never encountered a problem (of course, I check whether a PPA hosts any suspicious packages before adding it).

Usually developers make PPAs to help others install a software, not to break their systems. Also, the packages need to be digitally signed, and this way, the person who packaged something fishy can be traced back.

I am wondering whether "PPAs are harmful" is a common problem faced by many, or it is a popular belief which people spread (without much evidence).

I want to ask about some facts (so that the question does not become "opinion based").

Has there been any malicious PPA so far? By malicious, I mean something which is intentionally packaged to create a dependency hell, or something that will mess up with the home or / directory with the postinstall script, or something that broke the installation.

(Since the question was closed due to being opinion based, I am looking for examples of such harmful PPAs, so that it can be answered with facts).

Is there any way a user can report a potentially harmful PPA in Launchpad?

By PPA, I am referring to a PPA hosted in Launchpad, not any third party repository hosted in any website.

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

otputler

Add To Favorites

Follow

Total Points: 53

Total Questions: 105

Total Answers: 93

Location: Zimbabwe

Member since Wed, Nov 9, 2022

2 Years ago

otputler questions

1 stuck in dependencies loop - ubuntu 22.04

Tue, Aug 23, 22, 14:36, 2 Years ago

1 Kernel hang on resume from suspend on Ubuntu 22.04

Fri, Jul 23, 21, 11:57, 3 Years ago

1 How to solve "Pending update of "firefox" snap. Close the app to avoid disruptions" error?

Sun, Aug 15, 21, 21:50, 3 Years ago

1 Conflicts between Ubuntu 20.04 packages and Debian 11 packages

Mon, May 24, 21, 08:10, 3 Years ago

1 What is the Minimum Setup Needed for Setting-up XDG Directories ($XDG_RUNTIME_DIR etc.)?

Sun, Sep 18, 22, 01:50, 2 Years ago

View All

answered 1 Year ago assionortly · Accepted Answer

This is one of the main reasons Ubuntu is turning to snap based installations: a PPA has root access to our system so when it comes to PPAs trust is high. The only safe repositories are the official ones and their mirrors.

A PPA can include packages that replace existing packages. Not really an issue if you want the newest chromium to replace and old chromium. But it is when it replaces python, or ruby, or perl or a library like libc.

Has there been any malicious PPA so far in Launchpad?

No. There is a process to get a PPA accepted on Launchpad but on Launchpad the owner of the PPA is also public so probably not a good idea to try and slip a PPA with malicious code.

Mind that malware writes probably want to earn some easy cash and doing it through a PPA to target Linux users will require to create a new piece of software that is good enough to install. That takes weeks or even years to get done. Seems easier to target Windows users (easier to reach, and there are still many more of them).

Is there any way a user can report a potentially malicious PPA?

As with all things Launchpad related: you file a bug report against it.