
I sparingly add PPAs for things like resilio-sync, and more up-to-date versions of key software.

I'm worried that if I do a large upgrade, any one of those PPAs might provide a version of something I don't want it to. Maybe it's a compromised system library, or maybe it just isn't a desirable source for a particular piece of software.

Is there a way to lock down a PPA to only provide certain packages?

(This is not a duplicate of this one as that question is about excluding specific packages from a PPA... I want to only allow specific packages).

Greg Bell

1 Answer


From a security point of view we should not use any PPA at all. There is no guarantee that a maintainer of a personal package archive will not upload unwanted software at any time in the future. Anybody can become such a maintainer. Also see "What are PPAs and how do I use them?" for more on PPAs.

Nevertheless it appears to be unlikely that a maintainer we trust goes rogue in the future to all of a sudden post malware without anybody else noticing and stopping them. Still, we do not know for sure, and there is no security team watching over any PPA.

Therefore it is good practice to only add a PPA from a source we trust. After only installing a single desired package and its dependencies we should remove the PPA again to avoid unwanted upgrades of this or other packages that are or will also be maintained in this archive.

So from a trusted PPA we may proceed as follows without much risk:

sudo apt-add-repository ppa:<user>/<ppa-name>
sudo apt-get update
sudo apt-get install <package_from_ppa>
sudo apt-add-repository --remove ppa:<user>/<ppa-name>
sudo apt-get update
Takkat
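The add-install-remove sequence above keeps the PPA out of later upgrades. An alternative that goes beyond the answer is to leave the PPA configured but pin it so that apt will only ever take an allow-list of packages from it. The script below is an added example, not part of the question or answer; it assumes that Launchpad publishes PPA Release files with Origin "LP-PPA-<user>-<ppa-name>" (shortened to "LP-PPA-<user>" when the archive is named plainly "ppa"), and the names example-user/example-ppa are constructed placeholders.

```shell
#!/bin/sh
# Generate an /etc/apt/preferences.d fragment that blocks every package
# from one Launchpad PPA except an explicit allow-list.
# Assumption (not from the original post): Launchpad PPA Release files
# carry Origin "LP-PPA-<user>-<ppa-name>", or "LP-PPA-<user>" when the
# archive name is the default "ppa".

ppa_origin() {
    # $1 is "<user>/<ppa-name>" exactly as passed to apt-add-repository.
    user=${1%%/*}
    name=${1#*/}
    if [ "$name" = "ppa" ] || [ "$name" = "$1" ]; then
        printf 'LP-PPA-%s\n' "$user"
    else
        printf 'LP-PPA-%s-%s\n' "$user" "$name"
    fi
}

ppa_pin_prefs() {
    # $1 is the PPA; the remaining arguments are the packages that may
    # still be installed or upgraded from it.
    origin=$(ppa_origin "$1")
    shift
    # General rule: a negative priority means apt never installs a version
    # from this origin, so unrelated packages (and system libraries) that
    # the PPA happens to ship are ignored on every upgrade.
    printf 'Package: *\nPin: release o=%s\nPin-Priority: -10\n\n' "$origin"
    # Specific rule: apt lets a record naming packages override the "*"
    # record. Priority 500 is the normal archive priority, so the allowed
    # packages are taken from the PPA only when it has the newest version.
    printf 'Package: %s\nPin: release o=%s\nPin-Priority: 500\n' "$*" "$origin"
}

# When run with arguments, print the fragment for the given PPA and
# allow-list, e.g.:  ./ppa-pin.sh example-user/example-ppa resilio-sync
if [ $# -gt 0 ]; then
    ppa_pin_prefs "$@"
fi
```

Write the output to a file such as /etc/apt/preferences.d/example-ppa.pref, then confirm the effect with `apt-cache policy resilio-sync` (the pinned origin should show the allow-listed package at priority 500 and every other package from it at -10).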