Saturday, 27 November 2010

Ubuntu PPA Problem - Reason for Concern?

With the release of Ubuntu 9.10 late last year Canonical made PPAs, short for Personal Package Archives, easy to add to a system. A PPA lets anyone who has signed the Ubuntu Code of Conduct distribute software they have packaged to Ubuntu users, with Launchpad doing the building, hosting and signing for them. It is a great idea for people who lack the means to run their own repository but still want to get package updates to their users. Want the latest version of OpenShot or PiTiVi? Simply add a PPA that packages up-to-date versions of that software and you are set.

The catch? Canonical does not review any of the packages uploaded to a PPA. Because of this, adding PPAs willy-nilly is in practice more dangerous than installing random software on Windows. A Debian package is not just a set of files: its maintainer scripts (preinst, postinst and friends) run as root when the package is installed, and again every time the PPA publishes a new version and you run a system update. On top of that, apt trusts the PPA's signing key for any package the PPA publishes, so a PPA can ship a higher-numbered version of a package you already get from Ubuntu and apt will happily upgrade to it. In other words, a PPA that provides trustworthy packages today can change hands or simply start shipping something different later on, and your system will pull it in without asking.
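To make that concrete, here is a small audit script, added as an example and not part of the original post, that shows which packages on a box are served by a PPA. It parses the output of apt-cache policy and reports two cases: packages whose installed version came from a PPA, and packages whose candidate version (what the next upgrade will install) comes from a PPA. The sample policy output embedded in it is constructed for the example, and the PPA names in it are illustrative rather than a statement about any real archive.

```shell
#!/bin/sh
# Added example (not from the original post): audit which packages on an
# Ubuntu system are served by a PPA, using the output of `apt-cache policy`.
#
# Two cases matter:
#   - the *installed* version came from a PPA (its maintainer scripts have
#     already run as root), and
#   - the *candidate* version comes from a PPA, so the next `apt-get upgrade`
#     will install, as root, whatever that PPA publishes.

# Parse `apt-cache policy` output on stdin and print one line per PPA-served
# package. Version-table layout: " *** ver" marks the installed version,
# "     ver" (five spaces) starts another version block, and the indented
# "500 http://..." lines beneath a version are its origins.
ppa_audit() {
    awk '
        /^[^ ]/          { pkg = $1; sub(/:$/, "", pkg); cand = ""; cur = ""; next }
        /^  Candidate:/  { cand = $2; next }
        /^ \*\*\*/       { cur = $2; installed = 1; next }
        /^     [^ ]/     { cur = $1; installed = 0; next }
        cur != "" && /ppa\.launchpad\.net/ {
            if (installed)
                printf "%s installed %s from %s\n", pkg, cur, $2
            else if (cur == cand)
                printf "%s will upgrade to %s from %s\n", pkg, cur, $2
            cur = ""   # report each version once even if several origins carry it
        }
    '
}

# Constructed sample of `apt-cache policy openshot pitivi` output. The PPA
# names are illustrative, not a statement about any real archive.
sample_policy() {
    cat <<'EOF'
openshot:
  Installed: 1.2.2-1~ppa1
  Candidate: 1.2.2-1~ppa1
  Version table:
 *** 1.2.2-1~ppa1 0
        500 http://ppa.launchpad.net/openshot.developers/ppa/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
     1.1.3-1 0
        500 http://archive.ubuntu.com/ubuntu/ lucid/universe Packages
pitivi:
  Installed: 0.13.4-1
  Candidate: 0.13.5-1~ppa1
  Version table:
     0.13.5-1~ppa1 0
        500 http://ppa.launchpad.net/gstreamer-developers/ppa/ubuntu/ lucid/main Packages
 *** 0.13.4-1 0
        500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
EOF
}

# On a real system:  apt-cache policy $(dpkg-query -W -f='${Package} ') | ppa_audit
sample_policy | ppa_audit
```

The second kind of line is the one to watch: pitivi was installed from the Ubuntu archive, but because a PPA on the system carries a newer version, the next upgrade will silently replace it with the PPA's build. If you only wanted one program from a PPA, an apt preferences pin that limits that origin to that package closes this gap.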

While it has not happened yet (as far as I am aware), I feel it is only a matter of time before some form of malicious code makes its way into a widely used PPA. If you are comfortable having software installed on your system from many different sources, that is your own choice (one of the many great things about FOSS). However, if you always need the latest software, maybe it is worth considering a rolling release distro such as LMDE or Chakra.

What is your take on this? Am I just blowing hot air and worrying over nothing, or could having piles of PPAs on your system pose a real risk down the line?

~Jeff Hoogland
