
Is it possible, maybe via pinning or other, to restrict which packages a repository can upgrade on a whitelist basis?

Example:

If I add the docker repo to apt:

deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable

and I want to specify that the docker repo can only install or upgrade the list of packages I specify:

docker-ce
docker-ce-cli

(Same for PPA repos of course). So now the docker repo cannot replace other software or trick me.

How can I do this whitelisting of packages per repo for security?

Ubuntu 18.04

xendi
  • Sounds very paranoid. Did you try to visit the repository using a web browser? They offer only three Docker-related packages: containerd.io, docker-ce-cli and docker-ce. So your system will get only these packages. Moreover, containerd.io is not provided by the official repositories. So your idea is unnecessary and useless. – N0rbert Jun 07 '20 at 08:28

1 Answer


If you want to apt-mark hold all currently installed packages, run (dpkg --set-selections needs root):

dpkg --get-selections | grep -v deinstall | cut -f1 | sed 's/$/ hold/g' | sudo dpkg --set-selections

You can also set apt priorities; 0 is what you want. WireGuard should give you a good example:

sudo sh -c "printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' >> /etc/apt/preferences.d/limit-unstable"

Docker example:

$ cat /etc/apt/preferences.d/docker
Package: docker-ce
Pin: origin download.docker.com
Pin-Priority: 1001
  • Oh, I see now that you are right. This is a good example: https://www.claudiokuenzler.com/blog/440/higher-preference-priority-apt-repository-over-another – xendi Jun 06 '20 at 22:59
  • Would you be so kind as to upvote & accept my answer then? @xendi – Benji over_9000 'benchonaut' Jun 06 '20 at 23:38
  • Yeah, I will. I was just researching anything I might want to add first, because using Pin-Priority is a roundabout way of doing it. Unfortunately, I think it's the only way. Rather than whitelisting what a repo can only update, you're saying "The packages in this repo should come from this repo." What I wanted was "This repo can only upgrade the packages it has now, not packages it might add in the future." The way it actually is seems more complicated, since you have to use this whole ranking system. Maybe I'll code a security tool for APT to make it easier to manage. Thanks. – xendi Jun 07 '20 at 19:14
  • (It is possible with dpkg --get-selections|grep -v deinstall |cut -f1|sed 's/$/ hold/g'| dpkg --set-selections, answer updated. Regards.) – Benji over_9000 'benchonaut' Jun 07 '20 at 22:57