Which Ubuntu repositories are totally safe and free from malware?

Solution 1:

All of the official Ubuntu repositories (encompassing anything that you can find on archive.ubuntu.com or its mirrors, as well as some others) are entirely curated. This means main, restricted, universe, multiverse, as well as -updates and -security. All packages in there have either come from Debian (and so have been uploaded by a Debian Developer) or have been uploaded by an Ubuntu developer; in both cases the package that is uploaded is authenticated by the gpg signature of the uploader.

You can therefore trust that every package in the official archives has been uploaded by either a Debian or Ubuntu developer. Furthermore, the packages you download can be verified by the gpg signatures on the files in the repository, so you can trust that each package you download has been built on the Ubuntu build farm from the source that was uploaded by an Ubuntu or Debian developer¹.

This makes outright malware unlikely - someone in a position of trust would need to upload it, and the upload would be easily traceable to them.

This leaves the question of more surreptitious nefariousness. Upstream developers could put backdoors into otherwise useful software and these could make it into the archive - in universe or multiverse, depending on the license. People do run security audits of the Debian archive, so if this software became popular it's likely that the backdoor would be discovered.

Packages in main have some extra checking and get more love from the Ubuntu security team.

PPAs have almost none of this. The guarantee you get from a PPA is that the packages you download were built on the Ubuntu build infrastructure, and were uploaded by someone with access to one of the GPG keys of the Launchpad account of the listed uploader. There's no guarantee that the uploader is who they say they are - anyone could make a “Google Chrome PPA”. You need to determine trust in some other way for PPAs.

¹: This chain of trust could be broken by an extensive intrusion into the Ubuntu infrastructure, but that's true of any system. The compromise of a developer's gpg key would also allow a black-hat to upload packages to the archive, but since the archive emails the uploader of each package this should be noticed quickly.
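The last link of the chain this answer describes, as an added example that is not code from any answer on this page: the repository's Packages index records a SHA256 for every .deb, and apt refuses a download whose hash differs. The script below reimplements that check with POSIX sh, awk and sha256sum over a constructed sample (package name, file contents and hashes are all made up for the demonstration). It assumes the step before it, verifying the gpg signature on the archive's InRelease file against the Ubuntu archive key, has already been done, and does not reproduce it.

```shell
#!/bin/sh
# Added example (not code from any answer on this page). It demonstrates the
# last link of the apt trust chain: the Packages index lists a SHA256 for every
# .deb, and a downloaded file is rejected if its hash differs. The step that
# authenticates the Packages index itself (the gpg signature on the archive's
# InRelease file, checked against the Ubuntu archive key) is assumed to have
# happened already and is not reproduced here.

# Print the SHA256 the Packages index records for one Filename entry.
# $1 = path to a Packages file, $2 = Filename value exactly as it appears in the index.
index_sha256() {
    awk -v want="$2" '
        /^Package:/  { fn = ""; sha = "" }      # new stanza: forget previous fields
        /^Filename:/ { fn = $2 }
        /^SHA256:/   { sha = $2 }
        /^$/         { if (fn == want) print sha; fn = ""; sha = "" }
        END          { if (fn == want) print sha }
    ' "$1"
}

# Compare a local .deb with the hash the index promises for it.
# $1 = Packages file, $2 = Filename in the index, $3 = local .deb path.
# Returns 0 when the hashes match, 1 when they differ or the entry is missing.
verify_deb() {
    expected=$(index_sha256 "$1" "$2")
    if [ -z "$expected" ]; then
        echo "no SHA256 entry for $2 in $1" >&2
        return 1
    fi
    actual=$(sha256sum "$3" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Build a constructed sample repository: one fake package, one index that
# records its hash, and a tampered copy of the package. Prints the directory.
make_demo() {
    d=$(mktemp -d)
    printf 'constructed sample payload, not a real .deb\n' > "$d/hello_1.0_amd64.deb"
    cp "$d/hello_1.0_amd64.deb" "$d/hello_tampered.deb"
    printf 'one extra byte' >> "$d/hello_tampered.deb"   # simulate a modified download
    sha=$(sha256sum "$d/hello_1.0_amd64.deb" | awk '{ print $1 }')
    size=$(wc -c < "$d/hello_1.0_amd64.deb")
    cat > "$d/Packages" <<EOF
Package: hello
Version: 1.0
Architecture: amd64
Filename: pool/main/h/hello/hello_1.0_amd64.deb
Size: $size
SHA256: $sha

EOF
    echo "$d"
}

# Stand-alone demonstration: the genuine file passes, the tampered one does not.
demo=$(make_demo)
if verify_deb "$demo/Packages" pool/main/h/hello/hello_1.0_amd64.deb "$demo/hello_1.0_amd64.deb"; then
    echo "hello_1.0_amd64.deb: hash matches index"
fi
if ! verify_deb "$demo/Packages" pool/main/h/hello/hello_1.0_amd64.deb "$demo/hello_tampered.deb"; then
    echo "hello_tampered.deb: hash mismatch, would be rejected"
fi
rm -rf "$demo"
```

Without the signature check on InRelease, a mirror could serve a consistent pair of modified Packages index and modified .deb, so the hash comparison above only binds the download to an index you have already authenticated; that is why the archive key in the apt keyring, not the hash alone, is the root of the trust described in the answer.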

Solution 2:

All the packages in Ubuntu Repositories before being uploaded are checked and reviewed by MOTUs (Masters of the Universe). MOTUs are the brave souls who keep the Universe and Multiverse components of Ubuntu in shape. They are community members who spend their time adding, maintaining and supporting as much as possible of the software found in Universe. Therefore there are no chances of these packages breaking into your computer and stealing your data. However these packages might have security bugs, which are flaws found in the software. Also some security-compromising software is available in Ubuntu (for example key loggers), but these packages won't steal your data (unless somebody intentionally installed it on your computer).

Hope this helps. See the Ubuntu wiki page MOTU for more information.

Solution 3:

Staying with the Main and Universe repositories is very safe, and so are PPAs if they're especially popular (most of the time), or you know that they're going to be safe (like the Google Chrome PPA; I doubt Google would put any type of malware in it). If you use Main, Universe, and your Google Chrome PPA, you'll be safe.

If Ubuntu gains a ton of users, then yes, there will probably be more malware. I don't think there'd be enough to be a real problem though.