Can I trust a repo I am unfamiliar with to provide me a secure PHP 8.0 package?

Solution 1:

It is safe to install PHP from the ondrej/php PPA.

WHO AM I?

I have been a Debian Developer since 2000, and I have been packaging PHP for Debian since PHP 5. That means the official packages in Debian and Ubuntu are either my work or they are based on my work. The PHP packages in my Ubuntu PPA and Debian DPA match the official packages in Debian. Basically, I am saying that you can't get any closer than that.

Askubuntu : @oerdnj

I am a Director of DNS Engineering at ISC, Debian Developer since 2000, Ubuntu Member since 2005, founding member of Ubuntu Česká Republika since 2004.

I (co-)maintain Apache2, PHP, MariaDB, Cyrus SASL, Cyrus IMAP, Berkeley DB and all things DNS in Debian and also have semi-official PPAs for those packages (PHP). I have been a member of the Debian GNOME GTK+ packaging team. (In other words, I've seen things you people wouldn't believe. :-))

I am the author of two Apache modules (mod-vhost-ldap and mod-log-spread2) and a co-author of Knot DNS, a fast authoritative-only DNS server, and I now work on BIND, the most used DNS server on the Internet.

I have expertise in routing, DNS, DNSSEC, Debian packaging and much more to list here :).

The developer is preparing a newcomer package debsuryorg-archive-keyring to automatically update the PGP key.

apt-key list should print:

pub   rsa1024 2009-01-26 [SC]
      14AA 40EC 0831 7567 56D7  F66C 4F4E A0AA E526 7A6C
uid           [ unknown] Launchpad PPA for Ondřej Surý

twitter: Ondřej Surý

github: Ondřej Surý

Installation instructions:

sudo apt install software-properties-common
sudo add-apt-repository ppa:ondrej/php
sudo apt update
sudo apt install php8.0
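The fingerprint quoted above is the one thing in this answer a user can actually verify on their own machine, so here is an added example (my own script, not from the answer or from the PPA maintainer) that compares the key APT trusts against that published fingerprint before running apt update. Assumptions: the keyring file name under /etc/apt/trusted.gpg.d/ follows the add-apt-repository naming pattern, and the expected fingerprint is the rsa1024 key shown above, which will need updating once the debsuryorg-archive-keyring package rotates it.

```shell
#!/bin/sh
# Added example (not from either answer): confirm that the PPA signing key APT
# trusts is the one whose fingerprint Solution 1 publishes. The keyring file
# name glob below is an assumption about how add-apt-repository names it.

# Fingerprint quoted in the answer, with the display spacing removed.
EXPECTED_FPR="14AA40EC0831756756D7F66C4F4EA0AAE5267A6C"

# Constructed sample: the `apt-key list` output the answer says to expect.
SAMPLE_LISTING='pub   rsa1024 2009-01-26 [SC]
      14AA 40EC 0831 7567 56D7  F66C 4F4E A0AA E526 7A6C
uid           [ unknown] Launchpad PPA for Ondřej Surý'

# normalize_fpr: drop the spaces gpg/apt-key insert and upper-case the hex so
# fingerprints compare as plain strings.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# key_listing_has_fpr LISTING: succeed only if some line of LISTING, once
# normalized, is exactly the expected fingerprint (a partial match fails).
key_listing_has_fpr() {
    expected=$(normalize_fpr "$EXPECTED_FPR")
    printf '%s\n' "$1" | tr -d ' \t' | tr 'a-f' 'A-F' | grep -qx "$expected"
}

# check_installed_ppa_key: run the comparison against the live system, using
# gpg on the per-PPA keyring when one is found and otherwise the deprecated
# `apt-key list` the answer quotes. Meant to run before `sudo apt update`.
check_installed_ppa_key() {
    keyring=$(ls /etc/apt/trusted.gpg.d/ondrej*php*.gpg 2>/dev/null | head -n 1)
    if [ -n "$keyring" ] && [ -r "$keyring" ] && command -v gpg >/dev/null 2>&1; then
        listing=$(gpg --show-keys --with-fingerprint "$keyring" 2>/dev/null) || listing=""
    else
        listing=$(apt-key list 2>/dev/null) || listing=""
    fi
    if key_listing_has_fpr "$listing"; then
        echo "OK: trusted key matches the published ppa:ondrej/php fingerprint"
        return 0
    fi
    echo "WARNING: published fingerprint not found among trusted APT keys" >&2
    return 1
}

# Stand-alone run exercises the parser on the constructed sample; call
# check_installed_ppa_key on a real system instead.
key_listing_has_fpr "$SAMPLE_LISTING" && echo "sample listing matches"
```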

Solution 2:

For the sake of completeness, I'll expand my comment into an answer and let you decide.

A PPA is a Personal Package Archive. Someone has taken source code from another source and packaged it so that Ubuntu users can install it easily.

Your question of "trust" comes down to what you are worried about. The fact is, anyone can create a PPA and a glowing homepage that looks perfect. One thing to keep in mind is that whoever makes a PPA is usually a volunteer, much like those of us who read AskUbuntu. So, there are no guarantees. In fact, the one you mentioned is described in these installation instructions, which then refer to this PPA. At this PPA, they have honestly said:

Disclaimer: there's no guarantee of timely updates in case of security problems or other issues. If you want to use them in a security-or-otherwise-critical environment (say, on a production server), you do so at your own risk.

Does something like this pass or fail your definition of trust? It seems everyone will have different definitions of trust. In fact, what if I said "yes, you can trust that PPA!" -- but for what reason should you trust me?

My rule of thumb, whether it is an Ubuntu PPA or some installation executable for Microsoft Windows, is that if I am concerned, I shouldn't download it. In your case, your current version of PHP should be sufficient, and I wonder if you "need" features in PHP 8 or whether you just want the latest version for no reason.

If you still need PHP 8, then you can just download it and install it yourself. This is the site where PHP resides. Installation instructions for this source are available here. This is as trustworthy as you can get...