Why/how is it possible to "hide" PPA's ? sounds unsafe

Question

I have installed "beyond compare" from scooter software.

now, on apt update I get:

Ign:17 https://www.scootersoftware.com bcompare4 InRelease                                            
Get:18 https://www.scootersoftware.com bcompare4 Release [1 731 B]
Get:19 https://www.scootersoftware.com bcompare4 Release.gpg [836 B]
Err:19 https://www.scootersoftware.com bcompare4 Release.gpg
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EC34ED227AFAE3F2
Fetched 327 kB in 1s (219 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up-to-date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://www.scootersoftware.com bcompare4 Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EC34ED227AFAE3F2
W: Failed to fetch https://www.scootersoftware.com/dists/bcompare4/Release.gpg  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EC34ED227AFAE3F2
W: Some index files failed to download. They have been ignored, or old ones used instead.

The issue is that I cannot see that source among my sources in the "Software & Updates" (GUI) - nor is it visible in /etc/apt/sources.list

So - this makes me think: what other PPA's may I have that I am not aware of? - this does not seem to be very wise/safe. I get it - I did install the software, but still, I'd expect the added source to be visible among PPA's ? - or am I missing something?

Have you checked in /etc/apt/sources.list.d ? However, at least on my system the repos included there are not "hidden" in any way - I do see them in "Software & Updates" — raj, Oct 28 '23 at 21:18
"I cannot see that source among my sources in the "Software & Updates" (GUI)"... Well, what do you see there? — muru, Oct 29 '23 at 03:25
Does this answer your question? How do I fix the GPG error "NO_PUBKEY"? — karel, Oct 31 '23 at 16:23

user535733 · Accepted Answer · 2023-12-31T12:21:45.497

2

There are two places to check. ALL your apt sources are there:

/etc/apt/sources.list
/etc/apt/sources.list.d/*

In addition, all valid sources are listed when you run sudo apt update

If your source isn't listed in those two places, then it's not a valid source for apt to use.

If your source shows a warning when apt tries to use it, then apt cannot use it. (It's not a useful source) You should fix that source...or remove it.

Only valid, useful sources will show up in the GUI. There is little point populating the GUI with broken trash.

Keeping track of apt sources (including PPAs) is the human's responsibility. It cannot be delegated. It's an element of keeping your system secure. Apt is a helpful tool, but it cannot do your job for you.

edited Dec 31 '23 at 12:21

answered Oct 29 '23 at 02:30

user535733

62,253

1

Yes, they were in /etc/apt/sources.list.d/ - well organized inside ... I think they were supposed to show up in the GUI too? – user105939 Oct 29 '23 at 07:02
Hit the Super key (Win-key) and start typing "Software & updates", find the pinkish icon and click on it. Then activate the "Other software"-tab and look for your PPA. – Hannu Oct 29 '23 at 07:09

score 0 · Answer 2 · answered Dec 31 '23 at 11:24

The question is already answered, but I just wanted to clarify why you got the error you got in the first place because a google search for "scootersoftware ppa" led me here.

Scooter Software seems to have released a newer version of bcompare4 around the time you asked the question (v4.4.7, in Oct 2023). While doing this I'm supposing they changed something about their PPA and that caused the error on your side with the update. I had the same issue, it was resolved after I updated the tool from v4.4.6 to v4.4.7.

Why/how is it possible to "hide" PPA's ? sounds unsafe

2 Answers2