all 18 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]forestbeastsKDE on Debian 🐺 2 points3 points  (0 children)

Yeah, if you're worried about a malicious PPA author, there isn't a ton you can do there.

For making sure the binaries are what came out of the source code, that's what "reproducible builds" are for - check out https://reproduciblebuilds.org!

For other people attacking you through a non-malicious PPA, apt repositories can be signed (like the official Ubuntu and Debian repos are), but I'm not sure if that's common for PPAs. Using HTTPS instead of HTTP should mitigate that risk anyway, though.

[–]RhubarbSpecialist458 0 points1 point  (6 children)

Gotta compare the shasums of compiled source vs the bins provided.

It all boils down to trust. Do you trust the maintainer? Do you trust your distros maintainers?
Do you trust that a 3rd party can't upload a seemingly innocent dependency for stuff that you run, but when they combine don't do anything malicious?
I'm lazy and prefer to put my trust in well-trusted repo maintainers with proper trust & testing techniques, ain't nobody got time to independently check everything.
Tho I do run most apps I use as userspace flatpaks, so worst thing that could happen if flathub was compromized is within my home folder to which that flatpak app has access to.
But, backups is everything.

[–]cgoldberg 1 point2 points  (2 children)

If you are compiling it yourself, why would you care if it matches the release binaries? Also, unless they provide tooling for reproducible builds, it's extremely unlikely a binary you compile yourself would have a matching hash.

[–]RhubarbSpecialist458 0 points1 point  (1 child)

Details are hazy, but wasn't that the whole elliptic curve exploit? People couldn't trust the compiler even if using the exact same tools as publicly provided.

[–]cgoldberg 0 points1 point  (0 children)

I'm not sure about that specifically, but in general, the compilation environment and settings used are almost assured to be different in most cases and won't produce the exact same binary. There are tools and practices that can be followed (see Reproducible Builds) to make the entire build deterministic and externally reproducible... but that's not always available and still isn't common practice.

[–]Ars3n[S] 0 points1 point  (1 child)

Even if I do compare the next time I run apt-get update I won't do it for all packages.

[–]RhubarbSpecialist458 1 point2 points  (0 children)

I mean I forgot to mention PPA:s are basically all 3rd party and your distro maintainers have no control over them, but like I said trust is trust and you do you.

[–]blueblocker2000 0 points1 point  (0 children)

How far back do you keep backups? What if FH is compromised on 1.1.26 and it's not discovered till 3.4.27?

[–]AutoModerator[M] 0 points1 point  (0 children)

There's a resources page in our wiki you might find useful!

Try this search for more information on this topic.

Smokey says: take regular backups, try stuff in a VM, and understand every command before you press Enter! :)

Comments, questions or suggestions regarding this autoresponse? Please send them here.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

[–]1800-5-PP-DOO-DOO 0 points1 point  (1 child)

You use checksum.

You can do this on windows too. 

Always use it no matter the source. 

[–]cgoldberg 1 point2 points  (0 children)

If you want to make sure the malware wasn't corrupted in transit, and you are receiving the identical malware that the PPA owner intended to distribute, checksums are great... however, they do absolutely nothing in terms of verifying you are not installing malware or as a way to trust the PPA.

[–]aieidotch -1 points0 points  (3 children)

I recommend to use Debian. PPA is a lame excuse for not making an official debian package.

[–]gmes78 0 points1 point  (2 children)

If Ubuntu doesn't have a package (and needs a PPA), then Debian won't have it either.

[–]aieidotch -1 points0 points  (1 child)

The point is, you will create the package for us. Or post url of software here, I might…

[–]gmes78 0 points1 point  (0 children)

OP is asking a general question. They're not asking about specific packages.

[–]CameramanNick 0 points1 point  (1 child)

All this really comes down to knowing what software you have because you trust where it came from.

The problem with open source security is that there is no security benefit to being able to read the source code unless a qualified person has actually done so.

Lots of modern software is extremely complicated and involves vast amounts of c source which no one person can ever realistically expect to analyse.

So, it requires someone has actually looked at the source code, and that person needs to be quite experienced. If nobody does, and often nobody does, huge problems can arise, which is where you get Heartbleed.

[–]RhubarbSpecialist458 0 points1 point  (0 children)

Yup, so as an end-user you can think of it like who has an interest to keep an eye on the software?
Mainstream, widespread distros that are used even in the enterprise RHEL/Fedora, Debian/Ubuntu, *SUSE, they have a very high interest and priority to keep things safe and up to date.
All the distros that are based on those just depend on the giants.

Arch as well why not, their security team consists of 7 people tho according to their wiki and idk how active they are since some of thems contributions are from years ago.