Is UbuntuUpdates.org a trustworthy source for downloads

Question

I was unable to install CryptoTE on 16.04 by following the instructions on the developer's website which seem to have been updated as far as Ubuntu 12.04. I want to note that the instructions for Ubuntu 12.04 work fine for Ubuntu 14.04 but not 16.04.

The problem is described here: and specifically it involves missing libwxbase2.8-0 and libwxgtk2.8-0. After I installed those two packages CryptoTE seems to be installed because I can find it in the Dash. However, when I run CryptoTE it crashes. When I invoke it the behavior is simply a busy cursor followed by the disappearance of the busy cursor.

The question: Searching for a solution I came across the UbuntuUpdates.org URI and a download specifically for Wily (Ubuntu 15.10). I am not familiar with that URI. Is that URI known to be a safe place to get Ubuntu software?

Link to UbuntuUpdates.org page for CryptoTE on Wily (Ubuntu 15.10).

Answer 1

I can't vouch for the quality or security of UbuntuUpdates.org itself, though it's been around for a while and is somewhat widely used.

However, as far as the .deb package download links at least on that page you linked to go -- I am talking about the "32-bit deb package" and "64-bit deb package" links -- as muru says those are links to content at http://security.ubuntu.com/ubuntu/, which is an official Ubuntu software source.

So you should be fine, at least with what you're doing right now.

---

With all that said, if the machine you're installing software on has an Internet connection, that makes it easy to automatically retrieve and install whatever packages you need. You can use apt/apt-get, aptitude, the Software Center, Synaptic, or whatever other such utility you like.

I only checked that one page on UbuntuUpdates.org, so I cannot be sure it only links to packages in official Ubuntu software sources. I suspect it does. If it does--or for any package in an official Ubuntu software source--installing from your Ubuntu system with a package management tool should work just fine. If it doesn't, and you get no obvious error message other than that no such package was found, then I recommend you examine two possibilities:

• Is the necessary repository component enabled? See also the "Components" section of the "Repositories" article and, for example, How do I enable the “Universe” repository? (especially this answer).
• Is the Ubuntu release you're using still supported? The software sources for end-of-life Ubuntu releases are (eventually) moved to the old-releases server. See How to install software or upgrade from an old unsupported release?, and also Releases for information on what stage each release is in. If you are using an old, unsupported release of Ubuntu, I strongly urge you to upgrade, because those releases no longer receive fixes for newly discovered security vulnerabilities; it is risky to use them.

Answer 2

A trustworthy download source? No, because there is no such thing.

The trust model of Ubuntus package manager apt is GPG-based.

• No trust is derived from where the file was downloaded (e.g.: which download mirror)
• No trust is derived from whether the transport method was secure (e.g.: https)

Consequently, the answer to any question like "Do i trust this site to provide unaltered packages?" is "I shall not depend on that anyway."

Keep your /etc/apt/sources.list with the entries matching for your release, adding different releases/backports repositories only when absolutely necessary and knowing the consequences, and let apt (or your graphical interface of choice) figure out which downloads are properly signed by Canonical.

Answer 3

I don't know about the authenticity of UbuntuUpdates, but the download link is actually from Ubuntu's servers: http://security.ubuntu.com/ubuntu/pool/universe/c/cryptote/cryptote_0.5.390-0ubuntu3_amd64.deb for 64-bit, for example. You could have got the same link by searching http://packages.ubuntu.com.