
(Note: no disrespect whatever to the hard work that people who run 3rd-party repositories put in.)

I came across a package repository, a ppa, that was suggested for getting php5.5 on Ubuntu 12.04. This has to be added to the list of repositories that Ubuntu knows to download software from.

In general, can such 3rd-party repositories be trusted?

In this particular case, the ppa seems to be well regarded - and I would certainly want to support this and recommend it.

Is there a checklist or criteria one can follow to arrive at a decision to trust a 3rd-party repository?

The aim here is to avoid downloading malware or anything else that may damage the computer.

  • +1 Yes agreed Danatela - the accepted answer at that link is really great. Only thing I would say is that the reason why I hadn't found it was the different wording of the question - so perhaps the different way I had asked the question still adds value and helps more people find it. – therobyouknow May 15 '14 at 10:58

1 Answer


In my opinion, you can't technically trust a PPA. If it uploads a newer version of a certain package, you will automatically get the new one. By that, a PPA can technically replace any package on your system. (Source: German article on ubuntuusers.de).

When I install a PPA I look for its reputation on the web. I note down what I use it for and deactivate it as soon as I don't need the packages served by it anymore. Furthermore, I usually take a look at which packages are offered by the PPA.

Another solution I heard of (which is honestly too complicated for me) is to add the PPA and install the desired package (and ONLY the package). Afterwards, one deactivates the PPA. To get updates, the PPA is activated, ONLY the desired packages are updated and the PPA gets deactivated again afterwards.

  • +1 Some good insights into how you deal with this, Joshua, thanks. I'll leave the question open for some others to contribute. I'd certainly follow your process - looks like a good risk-minimising approach. If you have any further thoughts on criteria for determining if a ppa is trustworthy I'd be interested, though your point about looking at what other packages are offered is certainly a good thing to research to arrive at an opinion. Thanks! – therobyouknow May 15 '14 at 10:33
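The "activate the PPA, install or update only the packages you chose, deactivate it again" routine from the answer, as added example code that is not from the original post: POSIX shell helpers that toggle a PPA's entries in a sources.list.d file the way the Ubuntu tooling does (a leading `#` deactivates a line), plus a wrapper that guarantees the PPA is switched off again even if the apt command fails. The sources file content and the owner/name `example-owner/example-ppa` are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of what add-apt-repository writes into
# /etc/apt/sources.list.d/ for a PPA (placeholder owner/name), plus one
# unrelated official entry that must not be touched.
SAMPLE_LIST='deb http://ppa.launchpad.net/example-owner/example-ppa/ubuntu precise main
deb-src http://ppa.launchpad.net/example-owner/example-ppa/ubuntu precise main
deb http://archive.ubuntu.com/ubuntu precise main'

# Regex for an active "deb"/"deb-src" line of the PPA given as owner/name.
# (Lines with options such as "deb [arch=amd64] ..." are not handled here.)
_ppa_re() { printf 'deb\\(-src\\)\\{0,1\\} [^ ]*ppa\\.launchpad\\.net/%s/' "${1#ppa:}"; }

# Deactivate the PPA: comment out its deb lines in the list file.
# $1 = sources list file, $2 = owner/name (or ppa:owner/name)
ppa_disable() {
    sed "s|^\($(_ppa_re "$2")\)|# \1|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Reactivate the PPA: strip the leading "# " from its deb lines.
ppa_enable() {
    sed "s|^# *\($(_ppa_re "$2")\)|\1|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Exit status 0 if the PPA currently has at least one active deb line.
ppa_active() { grep -q "^$(_ppa_re "$2")" "$1"; }

# Enable the PPA, run exactly one command (e.g. apt-get install <pkg>, or
# apt-get install --only-upgrade <pkg> for updates), then disable the PPA
# again regardless of the command's result, so it is never left active.
# $1 = sources list file, $2 = owner/name, remaining args = the command
with_ppa() {
    _file=$1; _ppa=$2; shift 2
    ppa_enable "$_file" "$_ppa"
    "$@" && _rc=0 || _rc=$?
    ppa_disable "$_file" "$_ppa"
    return $_rc
}

# Stand-alone demonstration on a temporary copy of the constructed sample.
demo() {
    _f=$(mktemp)
    printf '%s\n' "$SAMPLE_LIST" > "$_f"
    with_ppa "$_f" example-owner/example-ppa echo "(apt command would run here)"
    if ppa_active "$_f" example-owner/example-ppa; then echo "PPA still active"; else echo "PPA disabled"; fi
    cat "$_f"; rm -f "$_f"
}
demo
```

Run the real thing with `sudo` and the PPA's actual file under `/etc/apt/sources.list.d/`, followed by `apt-get update`, because apt only sees a toggled line after its lists are refreshed.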