How do I investigate/confirm the identity of a PPA maintainer (e.g., Chromium Team)?
The Chromium Stable PPA (as found here: ppa:chromium-daily/stable) is maintained by Chromium Team (https://launchpad.net/~chromium-team). I assume this is "Google's" Chromium developers? If so, I would assume this PPA is very safe and trustworthy.
But is there a specific procedure or method of investigation that I should/can do to confirm the identity of the maintainer? As I understand it (or at least have read), anyone can create a "Chromium Team" PPA. For safety and security, I'd like to learn how to confirm the identity of PPA maintainers, especially "big name" maintainers like Google or Mozilla.
The "Chromium Team" in Launchpad are Ubuntu developers, not Google developers (except for one, who works on Chromium at Google). You can see this by looking at the team's membership:
- https://launchpad.net/~chromium-team/+members#active
The way you would determine if upstream maintainers are active in a team is to see if you recognize names (or email addresses). For the large projects like Mozilla and Chrome where Ubuntu developers work with their respective upstream generally speaking I trust them.
For example the team that runs the Firefox PPA is the same team that maintains Firefox in the distribution, and the team that maintains the Chromium PPA is also the same team that maintains Chromium in the distro.
There's really no way to determine how "trustworthy" a PPA is on a glace (Which is why most people will usually recommend not trusting them by default). Currently there is no real way for you to know just how "official" a PPA is unless it's explicitly mentioned by an upstream as trustworthy (see how XBMC recommends a PPA in that link) or you recognize the people in a team. In Open Source since everything is done in the open trust is something that is earned by people based on behavior. For example I trust someone who works at Mozilla to write my browser and I trust someone who is an Ubuntu developer to package it properly since both organizations have a model of peer review.
Individual PPAs are another matter, there's no guarantee that they won't break anything, but that doesn't mean every one is automatically bad. Chris talks about this a bit about PPA security in this answer:
- Which Ubuntu repositories are totally safe and free from malware?