Are PPAs safe to add to my system and what are some "red flags" to watch out for?
I see a lot of interesting programs out there that can only be obtained by adding a "PPA" to the system but, if I'm understanding correctly, we should stay within the official "repositories" for adding software to our system.
Is there any way for a novice to know if a "PPA" is safe or if it should be avoided? What tips should the user know about when dealing with a PPA?
PPAs (Personal Package Archives) are used to add specific software to your Ubuntu, Kubuntu or any other PPA-compatible distro. The "safeness" of a PPA depends mostly on 3 things:
Who made the PPA - An official PPA from WINE or LibreOffice like ppa:libreoffice/ppa and a PPA that I created myself are not the same. You do not know me as a PPA maintainer, so the trust issue and safety is VERY low for me (since I could have made a corrupted package, an incompatible package or anything else bad), but for LibreOffice and the PPA they offer on their website, THAT gives a certain safety net to it. So who made the PPA, and how long he or she has been making and maintaining it, will influence a little bit how safe the PPA is for you. PPAs, as mentioned above in the comments, are not certified by Canonical.
How many users have used the PPA - For example, I have a PPA from http://winehq.org in my personal PPA. Would you trust ME, with 10 users that confirm using my PPA and 6 of them saying it sucks, more than the one Scott Ritchie offers as ppa:ubuntu-wine/ppa on the official winehq website? It has thousands of users (including me) that use his PPA and trust his work. This is work that has several years behind it.
How updated the PPA is - Let us say you are using Ubuntu 10.04 or 10.10, and you want to use THAT special PPA. You find out that the last update to that PPA was 20 years ago.. O.o. The chances you have of using THAT PPA are null. Why? Because the package dependencies that PPA needs are very old, and maybe the updated ones change so much code that they won't work with the PPA and could possibly break your system if you install any of the packages of that PPA on your system.
How updated a PPA is influences the decision of whether to use THAT PPA. If not, one would rather go look for another, more up-to-date one. You do not want Banshee 0.1 or Wine 0.0.0.1 or OpenOffice 0.1 Beta Alpha Omega Thundercat Edition with the latest Ubuntu. What you want is a PPA that is updated to your current Ubuntu. Remember that a PPA mentions what Ubuntu version, or multiple Ubuntu versions, it was made for.
As an example of this here is an image of the versions that are supported in the Wine PPA:
Here you can see that this PPA is supported since Dinosaurs.
One BAD thing about how updated a PPA is: if the PPA maintainer tends to push into the PPA the latest, greatest and cutting-edge version of a specific package. The downside of this is that if you are going to test the latest of something, you ARE going to find some bugs. Try to stick with PPAs that are updated to a stable version and not an unstable, testing or dev version, since it might/will contain bugs. The idea of having the latest is also to TEST and say what problems were found and solve them. An example of this are the daily Xorg PPAs and daily Mozilla PPAs. You will get about 3 daily updates for X.org or Firefox if you get the dailies. This is because of the work they put in there, and if you are using their daily PPAs it means you want to help with bug hunting or development and NOT for a production environment.
Basically stick with these 3 and you will be safe. Always look for the maker/maintainer of the PPA. Always see if many users have used it and always see how updated the PPA is. Places like OMGUbuntu, Phoronix, Slashdot, The H, WebUp8 and even here on AskUbuntu are good sources to find many users and articles talking about and recommending some PPAs that they have tested.
Stable PPA Examples - LibreOffice, OpenOffice, Banshee, Wine, Kubuntu, Ubuntu, Xubuntu, PlayDeb, GetDeb, VLC are good and safe PPAs from MY experience.
Semi Stable PPA - X-Swat PPA is an in-the-middle PPA between bleeding edge and stable.
Bleeding Edge PPA - Xorg-Edgers is a bleeding edge PPA although I should mention that after 12.04, this PPA has become more and more stable. I would still mark it as bleeding edge but it is stable enough for end users.
Selectable PPA - Handbrake offers here a way for the user to choose: do you want a stable version or do you want the bleeding edge (also referred to as Snapshot) version? In this case you can select what you want to use.
Note that in the case of using, for example, the X-Swat PPA together with the Xorg-Edgers PPA, you will get a mix between the two (with priority towards Xorg-Edgers). This is because both are trying to include almost the same packages, so they will overwrite each other and only the most updated one will show in your repositories (except if you manually tell it to grab the package from X-Swat).
Some PPAs might update some of your packages when you add them to your repository, because they will overwrite a certain package with their own version to make the PPA software work on your system correctly. This might be some code packages, python versions, etc. Others, like the LibreOffice PPA, will remove all existence of OpenOffice from your system to install the LibreOffice packages there. Basically, read what other users have commented about a specific package and also read if the package is compatible with your Ubuntu version.
As the comment below by Jeremy Bicha suggests, some bleeding-edge PPAs (PPAs that stay very up to date, including adding Alpha, Beta or RC quality software to the PPA) could potentially damage your whole system (in the worst case). Jeremy mentions one example of many.
To develop PPAs on Launchpad, the contributor must have signed the Ubuntu Code of Conduct. This signifies that the developer must abide by a minimum set of standards.
Usually people should then consult the ubuntuforums to see who has used particular PPAs and if they could cause any issues.
For a "novice" or "noob" - my best advice is to steer clear of PPAs until you feel confident that you understand a few things about the command line, potential error messages and a few things about how to diagnose issues.
To remove PPAs causing issues, you can most of the time use "ppa-purge".
If you are feeling nervous, then consider an image backup of your computer with a tool like Clonezilla. That way, if things go wrong and you can't resolve it, at least you have a quick means to restore your computer back to the way it was before you started playing.
Having said all that, PPAs are extremely useful to get the latest versions of software - especially for those that don't try to upgrade every 6 months and stick with the LTS version of Ubuntu.
All the concerns listed by others here are extremely important to understand. That said, since this is open source, we can tell exactly what the PPA has changed from the version of the package in Ubuntu. We'll use the PPA from this duplicate as an example.
First we'll grab the source from the PPA with dget, a tool that will download all the pieces of a Debian source package given a link to the dsc file:
dget -u https://launchpad.net/~anton0/+archive/unity/+files/unity_5.12-0ubuntu2~ppa1.dsc
I found that link by clicking "View package details":
And then:
Next, we'll get the source of the package in the Ubuntu archive:
apt-get source unity
Finally, we'll use debdiff to see the differences between the source of the two packages:
debdiff unity_5.12-0ubuntu1.1.dsc unity_5.12-0ubuntu2~ppa1.dsc
The output of that command is about three hundred lines long, so I'll put it on a pastebin instead of directly into the window. Now, I can't vouch for how good the code is since I don't really know C++, but it seems to be doing what it claims and not anything malicious.
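Before diffing, it is worth knowing what the .dsc file that dget fetches actually is: a small control file that lists every piece of the source package (upstream tarball, Debian tarball or diff) together with its size and checksums, and which is normally PGP-signed by the uploader. The `-u` flag in the answer above tells dget to skip the signature check, so the checksums are the only thing left binding the pieces to the index. The script below is an added example, not part of the original answer or of the devscripts tools; it parses the `Checksums-Sha256:` stanza of a .dsc and verifies the referenced files against it, the same check dget performs. The .dsc text, file names and file contents are constructed samples (standing in for the unity_5.12 pieces on the page), not real Launchpad data.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample files standing in for the pieces of a Debian source
# package; a real .dsc would reference e.g. the upstream .orig.tar.gz and
# the .debian.tar.gz or .diff.gz carrying the packaging.
SAMPLE_FILES: Dict[str, bytes] = {
    "example_5.12.orig.tar.gz": b"pretend upstream tarball bytes\n",
    "example_5.12-0ubuntu2~ppa1.debian.tar.gz": b"pretend packaging tarball bytes\n",
}


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed .dsc text. Real .dsc files use exactly this layout: a Files:
# stanza with MD5 sums plus Checksums-Sha1/Checksums-Sha256 stanzas, each
# holding one indented "<digest> <size> <filename>" line per file.
SAMPLE_DSC = (
    "Format: 3.0 (quilt)\n"
    "Source: example\n"
    "Version: 5.12-0ubuntu2~ppa1\n"
    "Checksums-Sha256:\n"
    + "".join(f" {_sha256(d)} {len(d)} {n}\n" for n, d in SAMPLE_FILES.items())
    + "Files:\n"
    + "".join(f" {hashlib.md5(d).hexdigest()} {len(d)} {n}\n"
              for n, d in SAMPLE_FILES.items())
)


def parse_checksums(dsc_text: str,
                    field: str = "Checksums-Sha256") -> List[Tuple[str, int, str]]:
    """Return (digest, size, filename) triples listed under `field`.

    Stanza lines start with a single space; the stanza ends at the next
    non-indented line, as in any Debian control file.
    """
    entries: List[Tuple[str, int, str]] = []
    in_field = False
    for line in dsc_text.splitlines():
        if in_field:
            if line.startswith(" "):
                digest, size, name = line.split()
                entries.append((digest, int(size), name))
                continue
            break
        if line.startswith(field + ":"):
            in_field = True
    return entries


def verify_source_package(dsc_text: str, files: Dict[str, bytes]) -> Dict[str, str]:
    """Check every file the .dsc references against its SHA-256 and size.

    Returns filename -> "ok" | "missing" | "size-mismatch" | "hash-mismatch".
    Anything other than "ok" means the pieces should not be unpacked or diffed.
    """
    results: Dict[str, str] = {}
    for digest, size, name in parse_checksums(dsc_text):
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size-mismatch"
        elif _sha256(data) != digest:
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    for name, status in verify_source_package(SAMPLE_DSC, SAMPLE_FILES).items():
        print(f"{status:14} {name}")
    # Same length, one byte changed: caught as a hash mismatch.
    tampered = dict(SAMPLE_FILES)
    tampered["example_5.12.orig.tar.gz"] = b"Pretend upstream tarball bytes\n"
    print(verify_source_package(SAMPLE_DSC, tampered))
```

For real packages, run `dget` without `-u` (or `gpg --verify` on the .dsc) so the signature is checked as well; the checksums only tell you the pieces match the index, not who produced the index.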
It isn't just a matter of malware, as has already been said. It is also that some of the software might really still be in the testing stage and not ready for production use. If you install it and rely upon it to get work done, you might find that it is buggy, unreliable, and can crash - leaving you without the work you have done.
Some of it might also not get along well with other aspects of Ubuntu, such as Unity or Gnome, causing problems that are difficult to trace, and perhaps even making your system unstable.
This is not because the software is bad, but because it has perhaps not yet been fully tested, or because it was made available so that people could test it, but not yet intended to be generally released as production software. So you should use caution, although some of it is really quite good.
A number of months ago I installed a recommended package from a particular PPA, and it trashed my system enough that I had to reinstall Ubuntu. I was a new user and didn't know what else to do; with a bit more knowledge I might have been able to solve the problem and restore it without doing a reinstall (although that, too, was useful to me in learning Ubuntu, but if I had had work saved on my machine I would have lost it).
So be careful, ask questions, make frequent backups (!!!), and know that malware is unlikely (though not impossible).
A PPA is a web folder that contains software you can install. It really isn't much more complicated than that. When you install a package, you do that with root privileges and the package has scripts that are run, so they are run as root. That means installing any software is dangerous and you do need to trust the developer or distributor.
An apt archive, PPA or otherwise, is polled regularly for updates to software you have installed. The "problem" with that, is that anyone can provide a newer package of software you have installed. For instance, you can add a PPA in order to get a nice theme and automatic updates of that theme. But once you have added that repository, the owner can add a patched openssh-server package, for instance, and it will appear as an update in Ubuntu. This can be done a year after you added the PPA, so you need to pay attention to updates.
The PPA system does prevent third parties from tampering with the packages, however, so if you do trust the developer/distributor, then PPAs are very safe. For instance, if you install Google Chrome, then they add a PPA so that you'll receive automatic updates for it. They add "deb http://dl.google.com/linux/chrome/deb/ stable main". If the DNS server you use was hacked to point dl.google.com somewhere else, then they could push patched software onto everyone who had installed Chrome. But Ubuntu would refuse to install them since they could not be signed with Google's private key. So in that regard, PPAs are very secure.
It is not possible to say that a PPA is safe or not. It depends on the people who use it to distribute software. With free software, people can look at the source and see if it is safe or not. When lots of people use an archive, like Ubuntu regular archives, then you have peer review. Small archives with few users don't have that, so they are less trustworthy. The main lesson is that no matter what system you use, you should take care when installing software.
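The point above that "the package has scripts that are run, so they are run as root" is something you can check before installing: a .deb is an `ar` archive holding `debian-binary`, `control.tar.*` (control file plus the maintainer scripts `preinst`, `postinst`, `prerm`, `postrm`) and `data.tar.*` (the files). The script below is an added example, not code from any of the answers or from dpkg; it builds a constructed minimal .deb in memory (the package name, maintainer address and script body are made up) and then pulls the maintainer scripts back out so they can be read before the package is ever handed to dpkg. The `ar` layout and member names are the real .deb format.

```python
import io
import tarfile
from typing import Dict

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def _ar_member(name: str, data: bytes) -> bytes:
    """Encode one member in the 'ar' container format used by .deb files.

    Header is 60 bytes: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) "`\\n".
    Members are padded to an even length.
    """
    header = (f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n").encode()
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(members: Dict[str, bytes]) -> bytes:
    """Build a gzip'd tar with './'-prefixed names, as dpkg-deb writes them."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo("./" + name)
            info.size = len(data)
            info.mode = 0o755
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_deb(postinst: str) -> bytes:
    """Constructed minimal .deb: debian-binary + control.tar.gz + data.tar.gz."""
    control = ("Package: example-theme\nVersion: 1.0\nArchitecture: all\n"
               "Maintainer: Example <ppa@example.invalid>\n"
               "Description: constructed sample package\n")
    control_tar = _tar_gz({"control": control.encode(), "postinst": postinst.encode()})
    data_tar = _tar_gz({"usr/share/themes/example/README": b"sample\n"})
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control_tar)
            + _ar_member("data.tar.gz", data_tar))


def ar_members(blob: bytes) -> Dict[str, bytes]:
    """Split an 'ar' archive into {member name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, out = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        name = hdr[0:16].decode().rstrip().rstrip("/")
        size = int(hdr[48:58])
        pos += 60
        out[name] = blob[pos:pos + size]
        pos += size + (size % 2)  # skip the odd-length pad byte
    return out


def maintainer_scripts(deb: bytes) -> Dict[str, str]:
    """Return {script name: contents} for every maintainer script in the .deb.

    These are exactly the scripts dpkg executes as root during install/remove.
    """
    members = ar_members(deb)
    control_name = next(n for n in members if n.startswith("control.tar"))
    found: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(members[control_name]), mode="r:*") as tf:
        for member in tf.getmembers():
            base = member.name[2:] if member.name.startswith("./") else member.name
            if base in MAINTAINER_SCRIPTS and member.isfile():
                found[base] = tf.extractfile(member).read().decode()
    return found


if __name__ == "__main__":
    # Constructed postinst; a theme package has no reason to do more than this.
    deb = build_sample_deb("#!/bin/sh\nset -e\n# refresh icon caches here\nexit 0\n")
    for name, body in maintainer_scripts(deb).items():
        print(f"--- {name} ---\n{body}")
```

For a real package from a PPA, `apt-get download <package>` fetches the .deb without installing it, and `dpkg-deb -e <file>.deb <dir>` extracts the same control members this script reads; a postinst that does more than the package's purpose warrants is the kind of thing the answer above is warning about.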