
Main Question:

At which point can I trust external, unofficial repos? Are there security implications for blindly adding third-party repos to a workstation? However, I've been very suspicious of including non-official repos.

Background and my particular case:

I'd like to install Juce. From what I understand, this is a stand-alone utility to host VST (virtual instruments used in music production). I've found what appears to be its source on GitHub and have tried to compile that in a throwaway VM. However, after receiving errors on install (for which I may open a ticket here or on GitHub later), I was curious to see if anyone had packaged it for Ubuntu.

Rick
    This particular package is apparently being added to [xenial's applications](http://packages.ubuntu.com/search?suite=xenial&searchon=names&keywords=juce). I am assuming the launchpad versions for earlier releases are OK. – Charles Green Mar 10 '16 at 17:09
  • 1
    Xenial is the codename for Ubuntu 16.04, out in April. – Oli Mar 10 '16 at 17:21
  • So this may be a non-issue in a month then? – Rick Mar 10 '16 at 17:22

1 Answer


There are a few problems:

  • Any repo can overwrite any package by default. You can pin a repo to only allow certain packages but that doesn't help against this because...
  • Those packages can write files anywhere. They'd have to not overwrite any existing files but there are plenty of places you could hide a malicious file, which isn't to mention...
  • Packages can run anything as root on install and removal.

So yes, if you can't trust the controller of a repository (or trust that they're vetting the code that's going into the repo), you shouldn't be using that repo. A malicious package is game over.

Oli
  • As I thought. I generally *do not* add 3rd party repos, but for the particular situation, since Juce should be in 16.04, I should just wait a month. Upvote and many thanks. – Rick Mar 10 '16 at 17:24
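The answer's second and third points (a package can drop files anywhere, and its maintainer scripts run as root) can be checked on a downloaded .deb before you ever run `dpkg -i`. The following inspector is an added example, not code from the question, the answer or the Juce project: it parses the `ar` container of a .deb with only the standard library, pulls the maintainer scripts out of `control.tar*`, and flags files in `data.tar*` that land outside an assumed set of expected prefixes. The sample package it builds is constructed for the demo and is not a real Juce build.

```python
import io, tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
EXPECTED_PREFIXES = ("./usr/", "./opt/")  # assumption: where a well-behaved app package puts files

def _ar_members(blob):
    """Walk the ar(1) container a .deb is wrapped in; yield (member name, bytes)."""
    assert blob[:8] == b"!<arch>\n", "not an ar archive"
    off = 8
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]               # fixed 60-byte ar header
        name, size = hdr[:16].decode().strip().rstrip("/"), int(hdr[48:58].decode())
        yield name, blob[off + 60:off + 60 + size]
        off += 60 + size + (size & 1)          # members are padded to an even offset
def inspect_deb(blob):
    """List maintainer scripts (dpkg runs them as root) and files outside EXPECTED_PREFIXES."""
    report = {"scripts": {}, "files": [], "outside": []}
    for name, data in _ar_members(blob):
        if not name.startswith(("control.tar", "data.tar")):
            continue                            # debian-binary, signature members, etc.
        with tarfile.open(fileobj=io.BytesIO(data)) as tar:
            for m in filter(tarfile.TarInfo.isfile, tar.getmembers()):
                if name.startswith("control"):
                    base = m.name.split("/")[-1]
                    if base in MAINTAINER_SCRIPTS:
                        report["scripts"][base] = tar.extractfile(m).read().decode()
                else:
                    report["files"].append(m.name)
                    if not m.name.startswith(EXPECTED_PREFIXES):
                        report["outside"].append(m.name)
    return report
# Constructed sample .deb (not a real juce package) so the inspector runs offline.
def _tar_gz(entries):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()
def _ar(members):
    out = b"!<arch>\n"
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) & 1 else b"")   # pad odd-sized members
    return out
SAMPLE_DEB = _ar([("debian-binary", b"2.0\n"),
    ("control.tar.gz", _tar_gz({"./control": "Package: juce\n", "./postinst": "#!/bin/sh\nset -e\nldconfig\n"})),
    ("data.tar.gz", _tar_gz({"./usr/bin/juce": "", "./etc/ld.so.conf.d/juce.conf": "/opt/juce/lib\n"}))])
```

On a real package, fetch it with `apt-get download <pkg>` and pass the file's bytes to `inspect_deb`; read every script it reports, since the answer's point is that those run as root regardless of any pinning you set up.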