
The git-lfs docs only suggest using packagecloud, but there's a base apt package now, as referenced by https://askubuntu.com/a/1418540/431220.

The question is: how can I, as a consumer, know if this apt package is safe to use, instead of relying on the packagecloud solution, which is frankly (to me) 10x worse, since I do not want to be dealing with manual package management?

  • 2
    The question is not answerable unless you define what makes something "safe" for you. What will it take for any package to be safe? – muru Jul 09 '23 at 03:05

2 Answers

2

The packaging system has a lot of transparency so you can learn how to check these little details for yourself.

Working backwards:

Each package in the Ubuntu repositories is cryptographically signed, and that signature is routinely checked by apt to prevent man-in-the-middle attacks.

The package in the Ubuntu repositories comes from an upstream Debian source package. (See apt show git-lfs)

The Debian package is maintained by a team, and has been uploaded by the same person for years. (See https://tracker.debian.org/pkg/git-lfs)

So it's really a question of whether you trust that one volunteer who has been (thanklessly) maintaining that same package for many years. It's the same question you had before: Did you trust the developers of the software?

To go truly deep, you can audit the code at any step from the developers to Debian to Ubuntu (it's open source). How deep you want to go is up to you. The transparency in both code and process is there.

user535733
  • 62,253
1

Did you look?

Your question to me is somewhat clear, and you didn't provide a release (thus I've used my own), but looking at the package details can provide some level of security.

https://packages.ubuntu.com/mantic/git-lfs

That page alone gives me great details, including that the Original Maintainers are more (beyond just MOTUs).

It tells me it's a community-supported package (thus being found in universe), providing links to the changelog which actually confirm details from the first page I provided (i.e. maintained mostly by Debian).

How far in this exploration I'd go will depend on how secure I want to be, which may be exploring in upstream Debian sid, then to its source, looking at past changes & how regular they are, especially post-changes occurring further upstream, etc.

How secure something is is very subjective though, and how far I'll go will depend on how nervous I am, and how much security matters for my intended usage.

guiverc
  • 30,396
  • You didn't provide release details; if you had provided that detail I'd have chosen another release, and there are many ways of looking at this detail too (including from the terminal, without clicking the browser links I mention above, which I used as it's easier for readers on sites such as this) – guiverc Jul 09 '23 at 03:03
  • For my own assessments, I'm aware of Ubuntu development (inc. freeze cycles) given they're extremely easy to predict (esp. given 3rd Thursday of the month of April & October release dates and only minor changes from that if required), but if I look at Debian, where there aren't defined dates (esp. freezes, in that it's decided 'by consensus' with details on ML threads), it's still available online, thus freezes can be somewhat known, which explains differences in when packages get uploaded/changed esp. from further upstream of Debian with somewhat clear 'comfort' - this research gives 'comfort' – guiverc Jul 09 '23 at 03:09
  • Nice, the "tells me it's a community supported package" is pretty much 90% the answer, but the rest of the answer was great as well. The question was asked at a level where I didn't know how to understand package details, and you helped clarify how to interpret them. Thanks! – allidoiswin Jul 09 '23 at 03:39
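Both answers describe reading the package's provenance fields by hand (apt show git-lfs in the first, the universe component and Original Maintainers on packages.ubuntu.com in the second). The script below is an added example, not code from either answer or from the git-lfs project: it pulls the same fields out of an apt show record and classifies where the package would come from. Both records in it are constructed to match the field layout apt prints on Ubuntu; the versions, maintainer addresses and the packagecloud source line are illustrative placeholders, and the list of hosts treated as the official archive is an assumption you should adjust if you use a mirror.

```shell
#!/bin/sh
# Added example (not from either Ask Ubuntu answer): read the provenance
# fields of an `apt show` record the way the answers describe doing by hand.
# Both records below are CONSTRUCTED: the field layout is what apt prints on
# Ubuntu, but the versions, maintainer addresses and the packagecloud line
# are illustrative placeholders, not copied from a real system.

# Record 1: what `apt show git-lfs` looks like when the package comes from
# the Ubuntu archive (universe) and was imported from a Debian source package.
SAMPLE_ARCHIVE='Package: git-lfs
Version: 3.3.0-1
Priority: optional
Section: universe/vcs
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Example Packaging Team <team@example.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Homepage: https://git-lfs.github.com/
APT-Sources: http://archive.ubuntu.com/ubuntu mantic/universe amd64 Packages
Description: Git Large File Support
 Git LFS is a command line extension for managing large files.'

# Record 2: the same package as served by a third-party apt repository
# (no Origin: Ubuntu, no Original-Maintainer, and a non-archive source URL).
SAMPLE_THIRD_PARTY='Package: git-lfs
Version: 3.4.0
Priority: optional
Section: vcs
Maintainer: Upstream Project <placeholder@example.org>
Homepage: https://git-lfs.github.com/
APT-Sources: https://packagecloud.io/github/git-lfs/ubuntu jammy/main amd64 Packages
Description: Git Large File Support
 Git LFS is a command line extension for managing large files.'

# field NAME RECORD: print the value of the first "NAME: value" line, or nothing.
field() {
  printf '%s\n' "$2" | awk -v f="$1" '
    index($0, f ": ") == 1 { print substr($0, length(f) + 3); exit }'
}

# source_host RECORD: the host name in the APT-Sources line.
source_host() {
  field APT-Sources "$1" | awk '{ print $1 }' \
    | sed -e 's|^[a-z]*://||' -e 's|/.*||'
}

# source_component RECORD: the archive component (main, universe, ...) taken
# from the "suite/component" token of the APT-Sources line.
source_component() {
  field APT-Sources "$1" | awk '{ n = split($2, a, "/"); print a[n] }'
}

# classify RECORD: one token summarising where the candidate comes from.
#   official:<component>  served by an official Ubuntu archive host (assumed
#                         host list below), so apt checks the archive signature
#   third-party:<host>    a separately configured repository with its own key
classify() {
  host=$(source_host "$1")
  case "$host" in
    archive.ubuntu.com|security.ubuntu.com|*.archive.ubuntu.com|ports.ubuntu.com)
      printf 'official:%s\n' "$(source_component "$1")" ;;
    *)
      printf 'third-party:%s\n' "$host" ;;
  esac
}

# debian_origin RECORD: "yes" when the record carries an Original-Maintainer,
# i.e. the Ubuntu package was imported from a Debian source package.
debian_origin() {
  if [ -n "$(field Original-Maintainer "$1")" ]; then echo yes; else echo no; fi
}

# Walk both constructed records the way a reader would walk real output.
for rec in "$SAMPLE_ARCHIVE" "$SAMPLE_THIRD_PARTY"; do
  printf '%s %s  source=%s  from-debian=%s\n' \
    "$(field Package "$rec")" "$(field Version "$rec")" \
    "$(classify "$rec")" "$(debian_origin "$rec")"
done
```

On a real machine the same functions take live output, e.g. classify "$(apt show git-lfs 2>/dev/null)". If both the archive and a packagecloud repository are configured, apt-cache policy git-lfs shows which one would actually supply the candidate version, which is the check that matters once a third-party source has been added.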