1

How can I trust any repositories like

sudo add-apt-repository ppa:upubuntu-com/tor

or

sudo add-apt-repository ppa:wagungs/Kali-linux

graham
aliarousyoucef
  • 1
    GPG keys are a method of public key cryptography, and are safe enough to confirm that you did indeed download the package from where you were supposed to. Whether to trust that source or not cannot be verified by a key check (except probably keys which are universally established (e.g. Ubuntu package signing keys)). – xyz Aug 05 '14 at 14:37

2 Answers

7

You can trust them as much as you trust the people who put them up. Anyone can put up a PPA; a repository owned by some random user is obviously less trustworthy than the official LibreOffice PPA, for example.

evilsoup
2

Good question. The short answer is: you can't trust them.

  • It's a layman's answer and doesn't consider the private repository set up locally for an organisation. Nuking everything isn't the solution. – Tarun Maganti Feb 25 '20 at 05:54
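
The first answer's point, that a PPA is only as trustworthy as whoever publishes it, turned into a check. This is an added example, not code from the original posts: it reads one-line APT source entries and names the publisher behind each one, so the accounts being trusted are listed explicitly. The sample entries are constructed, and treating hosts under ubuntu.com as the distribution's own archives is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the one-line format found in /etc/apt/sources.list
# and /etc/apt/sources.list.d/*.list (PPA names taken from the question).
SAMPLE = """\
deb http://archive.ubuntu.com/ubuntu trusty main universe
# deb-src http://archive.ubuntu.com/ubuntu trusty main
deb http://ppa.launchpad.net/upubuntu-com/tor/ubuntu trusty main
deb [arch=amd64] http://ppa.launchpad.net/wagungs/Kali-linux/ubuntu trusty main
deb http://archive.ubuntu.com.example.net/ubuntu trusty main
"""

# deb|deb-src, optional [options], URI, suite
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)")
PPA_HOSTS = {"ppa.launchpad.net", "ppa.launchpadcontent.net"}

def classify(uri):
    """Return (kind, publisher) for one repository URI."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    parts = [p for p in parsed.path.split("/") if p]
    if host in PPA_HOSTS and len(parts) >= 2:
        # Launchpad PPA paths look like /<owner>/<archive>/ubuntu
        return "ppa", f"{parts[0]}/{parts[1]}"
    # Assumption: hosts under ubuntu.com are the distribution's own archives.
    # Match on a label boundary so look-alike hosts do not pass.
    if host == "ubuntu.com" or host.endswith(".ubuntu.com"):
        return "official", host
    return "third-party", host

def audit_sources(text):
    """List every active entry together with who publishes it."""
    found = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:  # comments, blank lines, disabled entries
            continue
        kind, publisher = classify(m.group(2))
        found.append({"kind": kind, "publisher": publisher, "suite": m.group(3)})
    return found

def needs_review(text):
    """Publishers other than the distribution that can ship packages to this host."""
    return sorted({e["publisher"] for e in audit_sources(text) if e["kind"] != "official"})

if __name__ == "__main__":
    for publisher in needs_review(SAMPLE):
        print("review before trusting:", publisher)
```

To audit a real system, pass in the contents of /etc/apt/sources.list and of each .list file under /etc/apt/sources.list.d/; deb822-style .sources files are not parsed by this sketch.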