6

I'm very new to making Ubuntu my daily driver OS. My question is how do I determine if an application is downloaded from a reputable source using apt commands? I'm not sure where to find information on packages and how to verify the authors of said packages. The package I've already installed uses an API to OneDrive and is recognized by OneDrive as an unverified publisher (EDIT: I went back and discovered onedrive by abraunegg is verified). That being said, many people have spoken highly of this application, which was installed by the apt command without adding additional repositories to search within.

So far I had a friend mention to me that out-of-the-box apt repositories are curated fairly well. I just shouldn't add more repositories for apt to search from if I want to maintain a completely safe environment. Thanks for any information this community can provide me, and sorry for asking such a question; I just wasn't sure who to turn to for more information.

  • 1
"maintain a completely safe environment"? This is a well-known mythical system state. The "threat environment" is constantly evolving. Do a Threat/Risk Assessment. Learn how things work and how to manage them. Don't do what the internet tells you without fully understanding the commands. Alternatively, disconnect from the internet forever. To be absolutely, completely "safe", disconnect from power, too. – waltinator Sep 09 '23 at 03:34
  • 1
    Side note: while checking if applications are safe prior to installing them is good, I'd still encourage you to have a backup of anything important. Ideally one that is disconnected so if your computer got hacked, the backup would be safe. Even better if said backup is redundant (although RAID is not a backup) and maybe off-site too. See also this. Not endorsing Seagate specifically, but see also this for more info on one approach – cocomac Sep 09 '23 at 04:35
  • It is nice to keep your system safe and working well; the last few years it seems much easier to get all your information from outside sources. Why hack one person's computer when you can hack the big guys and get tens of thousands? Using unknown commands from the internet can do more damage. You can google what a command does before using it. – crip659 Sep 09 '23 at 13:19
  • 1
What does it mean for a package to be "safe" for you? I see you have accepted an answer - did that convince you the package is safe? If so, why? None of that is even a strong indicator that anything is safe. The only strong indicator that you could have short of a code audit (and necessary even with that) is a reproducible build - and this package doesn't have one, so you can't even be sure that the package you have is built from the code you see. The rest of it is just pointless theatre. – muru Sep 09 '23 at 15:06
  • 1
    @muru - The package has a 100% repeatable build process, so I am unsure where this claim is coming from – abraunegg Sep 10 '23 at 19:27
  • @abraunegg Repeatable or reproducible? Reproducible build is a technical term, where rebuilding the same sources in the same build environment result in the exact same compiled binary, down to the bit. See the screenshot in the answer: https://i.stack.imgur.com/MKoMG.png "Does not build reproducibly during testing" – muru Sep 10 '23 at 22:50
  • @muru - If you actually drill into that actual item - it is flagged against version 1.1.20170919-2 - which is the very old 'skilion' client ... IMHO this 'note' should actually be removed as it is no longer applicable or even relevant. – abraunegg Sep 10 '23 at 23:11
  • @abraunegg sure, but the answer doesn't. I'd wager neither did OP. And that's what my question was about. Just a note though, when I checked the page, it said that note had been last updated within a day "Last update: 2023-09-10 12:51" – muru Sep 10 '23 at 23:22
  • @abraunegg here: https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/onedrive.html - the latest 2.4 builds aren't reproducible either, so I don't know what you were looking at. 1.1 might be the first version where this was flagged, but it looks like it's still the case in 2.4. For more info on reproducible builds, see https://reproducible-builds.org/ – muru Sep 11 '23 at 00:17

3 Answers

15

Let's work upstream to see where this software comes from.

First, let's ask apt for some basic information:

$ apt show onedrive
Package: onedrive
...
Section: universe/net
...
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Sebastien Badia <sbadia@debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
...
Homepage: https://github.com/abraunegg/onedrive
...
Description: folder synchronization with OneDrive
 OneDrive is the cloud storage system of Microsoft. This package provides
 the command line client specialising in synchronizing with OneDrive cloud
 storage.

Next, let's check the reported bugs for the Ubuntu package: https://bugs.launchpad.net/ubuntu/+source/onedrive

  • Result: Only two reported bugs, neither of which seems a security concern.

Now let's go upstream to Debian: https://tracker.debian.org/pkg/onedrive

  • Result: Lots of maintainer action. New uploads, testing, backports. No serious actions needed. These are all good signs.

And let's look at Debian's list of bugs: https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=onedrive

  • Result: Few bugs reported, none seem a security concern.

Finally, let's go upstream and look at the source project on GitHub: https://github.com/abraunegg/onedrive

  • Result: Active project, many contributors, new work being added, 16 reported "issues" (feature requests and bugs) that look fairly typical.

So the upshot is that this software comes from a seemingly healthy upstream project, is actively maintained at Debian, and has (apparently) no security-related bugs reported at any level.

It’s as safe as you can get for almost any software, short of doing a manual code audit or writing it yourself. But the only reason you can check the provenance this way is because it is Open Source software.

user535733
  • 62,253
  • 5
    ‘About as safe as you can get for Open Source software’. It’s as safe as you can get for almost any software, short of doing a manual code audit or writing it yourself. But the only reason you can check the provenance this way is because it’s Open Source software. – Austin Hemmelgarn Sep 09 '23 at 11:53
  • @AustinHemmelgarn a most excellent point. Thank you! I have shamelessly stolen it with only slight editing for the final paragraph. – user535733 Sep 09 '23 at 14:49
  • Disclaimer: I am the developer of the tool. Many thanks for providing this detailed analysis - greatly appreciated. Also as an FYI - the 'Issues' are mainly Feature Requests .. not Bugs :) – abraunegg Sep 10 '23 at 19:24
  • @abraunegg thanks! Suitably edited to reflect feature requests. – user535733 Sep 11 '23 at 13:37
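The answer above starts from `apt show`; a companion check a practitioner usually makes is `apt-cache policy`, which tells you which repository apt would actually fetch the candidate version from. The script below is an added example, not code from the answer or from the onedrive project: it parses `apt-cache policy` output, lists every source offering the candidate version, and labels each as the official Ubuntu archive, a Launchpad PPA, or a third-party repository. The sample policy output, the `example/ppa` PPA and the `mirror.example.invalid` host are constructed for the demo; the Ubuntu archive and Launchpad hostnames it recognises are the real ones.

```shell
#!/bin/sh
# Added example: classify where apt would fetch a package from, by parsing
# `apt-cache policy` output. Not part of the original answer.

# Constructed sample resembling `apt-cache policy onedrive` on Ubuntu 22.04.
# The PPA and mirror.example.invalid lines are invented for the demo.
SAMPLE_POLICY='onedrive:
  Installed: (none)
  Candidate: 2.4.16-1
  Version table:
     2.4.16-1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        500 https://ppa.launchpadcontent.net/example/ppa/ubuntu jammy/main amd64 Packages
     2.4.13-1 500
        500 https://mirror.example.invalid/debs stable/main amd64 Packages'

# candidate_sources POLICY_TEXT
# Prints "<url> <suite/component>" for every source offering the Candidate
# version. Source lines look like: "<priority> <url> <suite/component> <arch> Packages".
candidate_sources() {
    printf '%s\n' "$1" | awk '
        /^  Candidate:/     { cand = $2 }
        /^  Version table:/ { intable = 1; next }
        # version header: optional "***" marker (installed), version, priority
        intable && /^ *(\*\*\* )?[^ ]+ [0-9]+$/ {
            v = ($1 == "***") ? $2 : $1
            inver = (v == cand)
            next
        }
        # source lines listed under the candidate version
        intable && inver && /^ +[0-9]+ / { print $2, $3 }
    '
}

# classify_source URL
# Labels a repository URL by its hostname. Ubuntu's official mirrors are
# archive.ubuntu.com, <cc>.archive.ubuntu.com, security.ubuntu.com and
# ports.ubuntu.com; PPAs are served from Launchpad. Anything else is
# third-party and deserves the research the question mentions.
classify_source() {
    url=$1
    case "$url" in
        /*) echo "installed-locally"; return ;;   # e.g. /var/lib/dpkg/status
    esac
    host=${url#*://}    # strip scheme
    host=${host%%/*}    # strip path, so a lookalike path cannot match
    case "$host" in
        archive.ubuntu.com|*.archive.ubuntu.com|security.ubuntu.com|ports.ubuntu.com)
            echo "ubuntu-archive" ;;
        ppa.launchpad.net|ppa.launchpadcontent.net)
            echo "ppa" ;;
        *)
            echo "third-party" ;;
    esac
}

# report_candidate POLICY_TEXT
# One line per candidate source: "<label> <url> <suite/component>".
report_candidate() {
    candidate_sources "$1" | while read -r url comp; do
        printf '%s %s %s\n' "$(classify_source "$url")" "$url" "$comp"
    done
}

# Demo on the constructed sample. On a real machine run:
#   report_candidate "$(apt-cache policy onedrive)"
report_candidate "$SAMPLE_POLICY"
```

A `third-party` or `ppa` label on the candidate version is the cue to look into who runs that repository before installing, which is the caution the question's friend gave. Note what this does and does not tell you: apt already verifies the signature on each repository's Release file, so the download itself is authenticated; the question this script answers is who you are trusting to publish the package, which is the same provenance question the answer above walks through by hand.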
2

Your friend is right. As long as you install official applications from the official repositories that came with the operating system, you are almost guaranteed to be downloading safe and legit software. Don't go around adding random repositories without good reason, and do research on such repositories before adding them.

rando
  • 281
2

Disclaimer: I am the developer of the 'onedrive' application.

The package I've already installed uses an API to OneDrive and is recognized by OneDrive as an unverified publisher.

The application is actually verified!

For further details, please read: https://github.com/abraunegg/onedrive/blob/master/docs/application-security.md

abraunegg
  • 778