
I needed to install the Gemalto PKCS11 library. As a result of my searching, I added the following PPA to my software sources:

https://launchpad.net/~arnaud-morin/+archive/ubuntu/gemalto

Then I installed a software package from it:

sudo apt-get install libgtop11dotnet*

However, after reading the following question I realized that I should probably not have done that, because I don't know the author and the number of PPA users is quite limited: Are PPAs safe to add to my system and what are some "red flags" to watch out for?


According to the note on Launchpad, the mentioned repository could be considered untrusted:

You can update your system with unsupported packages from this untrusted PPA

Thus I am afraid that I have opened some vulnerability on my system. Is it enough to just remove the untrusted PPA and sudo apt-get purge the installed package? Will I be safe again, or should I completely reinstall my system to be 100% sure that I am safe and that nobody will access my data?

matandked
  • It depends on the package name and PPA owner. What package do you have installed from PPA? Which PPA do you use? – N0rbert Dec 23 '18 at 16:33
  • I suppose it also depends on who volunteers to maintain the ppa in the future as well. A trustworthy provider today may not be in the future. –  Dec 23 '18 at 16:53
  • It's simply a matter of trust. Whether the package comes from a PPA or not is irrelevant. Debian packages require root access, which means the developer of any package automatically has root access to your system, via the dpkg packaging system. Generally, the primary archives of Ubuntu/Debian are trustworthy, but it doesn't mean abuses or mistakes won't occur. Likewise, a .deb you install from anywhere else is something you need to trust, because you are granting root access to it when you install it. Your additional questions are unanswerable w/o direct examination of the packages. – dobey Dec 23 '18 at 17:07
  • If you wish to properly remove a PPA, you leave it enabled in your software sources. Then install ppa-purge and use it to remove the PPA plus downgrade any Ubuntu repo packages that were upgraded, if any. The ppa-purge command is the same as the add-apt-repository command you used, just replace sudo add-apt-repository with sudo ppa-purge. As far as PPAs go, I've never seen any evidence of a malicious PPA. – doug Dec 23 '18 at 17:44
  • @matandked please answer two questions: what is the PPA name and package name? – N0rbert Dec 23 '18 at 19:40
  • This is not my question. I am asking how to secure myself after installing a package from an untrusted source. I cannot understand why you mark my question as a duplicate. Here I asked what to do if I added an insecure PPA, and the question that you linked is whether it is safe to add a PPA. – matandked Dec 24 '18 at 12:53
  • @matandked please be more specific. Which PPA have you added? Which package have you installed? What do you mean by "untrusted PPA"? Untrusted by whom? Do you have problems with its GPG signing or something similar? Please edit your question and add all necessary information into it with exact error messages (so write it without mysterious philosophical sentences). – N0rbert Dec 24 '18 at 13:12
  • My idea was to ask a general question. However, according to your and https://askubuntu.com/users/50737/dobey https://askubuntu.com/users/94914/karel request, I edited my question to make it more specific. – matandked Dec 29 '18 at 10:31
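
Added example, not part of the question or of any comment above: before removing the PPA it helps to know exactly which installed packages it serves, and afterwards which installed packages no configured source provides any more. The sketch below parses `apt-cache policy` output for both cases; the function names, the `leftover-tool` package and all version strings are constructed for illustration.

```shell
# Constructed sample of `apt-cache policy` output (versions are made up).
sample_policy() {
cat <<'EOF'
libgtop11dotnet0:
  Installed: 1.0-1~ppa1
  Candidate: 1.0-1~ppa1
  Version table:
 *** 1.0-1~ppa1 500
        500 http://ppa.launchpad.net/arnaud-morin/gemalto/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
openssl:
  Installed: 1.1.1-1ubuntu2
  Candidate: 1.1.1-1ubuntu2
  Version table:
 *** 1.1.1-1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
leftover-tool:
  Installed: 0.3-1
  Candidate: 0.3-1
  Version table:
 *** 0.3-1 100
        100 /var/lib/dpkg/status
EOF
}

# audit_policy OWNER/NAME < `apt-cache policy` text. Prints:
#   "ppa PKG"    installed version is served by that PPA
#   "orphan PKG" installed version is known only to /var/lib/dpkg/status
#                (no configured source provides it, e.g. source removed)
audit_policy() {
    awk -v frag="/$1/ubuntu" '
        function report() {
            if (!seen_inst) return
            if (from_ppa) print "ppa " pkg
            else if (!other) print "orphan " pkg
        }
        /^[^ ].*:$/  { report(); pkg = substr($0, 1, length($0) - 1)
                       seen_inst = cur = from_ppa = other = 0; next }
        /^ \*\*\* /  { seen_inst = cur = 1; next }  # installed version
        /^     [^ ]/ { cur = 0; next }              # another version
        cur && /^        / {                        # its sources
            if ($0 ~ /ppa\.launchpad/ && index($0, frag)) from_ppa = 1
            else if (index($0, "/var/lib/dpkg/status") == 0) other = 1
        }
        END { report() }
    '
}
```

On a real system the input would come from `apt-cache policy $(dpkg-query -W -f='${binary:Package}\n') | audit_policy arnaud-morin/gemalto`. The listing only identifies packages; purging them does not undo whatever their maintainer scripts did as root at install time.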

0 Answers