
Is it possible, maybe via pinning or other means, to restrict which packages a repository can upgrade on a whitelist basis?

Example:

If I add the docker repo to apt:

deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable

and I want to specify that the docker repo can only install or upgrade the list of packages I specify:

docker-ce
docker-ce-cli

(Same for PPA repos of course). So now the docker repo cannot replace other software or trick me.

How can one do this per-repo package whitelisting for security?

Ubuntu 18.04

xendi

1 Answer


If you want to apt-mark hold for all current installed packages:

run dpkg --get-selections | grep -v deinstall | cut -f1 | sed 's/$/ hold/' | sudo dpkg --set-selections

You can also set apt priorities. 0 is what you want. Wireguard should give you a good example:

sudo sh -c "printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' >> /etc/apt/preferences.d/limit-unstable"

Docker example:

$ cat /etc/apt/preferences.d/docker
Package: docker-ce
Pin: origin download.docker.com
Pin-Priority: 1001
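Added example (not part of the question or the answer above): a small POSIX shell helper that generates the per-repo whitelist the question asks for, denying every package from the Docker origin with a negative priority and then allowing only the listed packages. The origin and package names come from the question; the destination path /etc/apt/preferences.d/docker-whitelist and the 500 allow priority are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build apt preference stanzas that
# block everything from one repository origin except an explicit whitelist.

# gen_prefs ORIGIN PKG...  -> prints the preference stanzas to stdout
gen_prefs() {
    origin="$1"; shift
    # A Pin-Priority below 0 means apt will never install any version that
    # comes from this origin. This general-form record ("Package: *") is only
    # consulted when no specific-form record below matches the package.
    printf 'Package: *\nPin: origin %s\nPin-Priority: -1\n\n' "$origin"
    # Whitelisted packages get 500 (the priority of a normal target release),
    # so they install and upgrade from this origin like any other package.
    for pkg in "$@"; do
        printf 'Package: %s\nPin: origin %s\nPin-Priority: 500\n\n' "$pkg" "$origin"
    done
}

# count_stanzas ORIGIN PKG... -> number of stanzas generated (1 + whitelist size)
count_stanzas() {
    gen_prefs "$@" | grep -c '^Package:'
}

# Usage (needs root to write the file; path is an assumption):
#   gen_prefs download.docker.com docker-ce docker-ce-cli \
#       | sudo tee /etc/apt/preferences.d/docker-whitelist >/dev/null
# Check the result: the origin line should show priority -1 for a package
# that is not whitelisted, and 500 for one that is.
#   apt-cache policy docker-ce
```

Remember that dependencies pulled from the same repository (for Docker, containerd.io) must be whitelisted too, or the install will fail.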