
I haven't been able to figure this out by searching. If I use:

sudo apt-get install package_name

where does that package actually come from? How can I tell if it comes from a trusted source?

This question indicates that packages are installed from a "Trusted Pool." Is this correct? If so, how does this work?

I know that viruses are quite rare on Linux, but I would still like to know if I am downloading something from a less than reputable source.

BW5555

3 Answers

Software obtained or downloaded using the apt-get command in the terminal is software stored in known/verified repositories or software channels from Ubuntu. There are variants of the APT command that allow you to add software from other sources. Repositories are software channels.

You can check which repositories you are set up to use by looking at the "software sources" available to your system, i.e. the repository list:

open Synaptic Package Manager, go to Settings, and click on Repositories.

Here you can look at and configure all the software sources, or use only trusted ones, etc.

If you check the tab that says "Other Software" you will see a more complete list of the servers your computer is set to receive from. Some of the ways to update this list are in the link you provided.

gingamann

You have at least two ways of knowing where a package will come from:

Use the --print-uris option to tell apt-get to show where it will download the file from, but do nothing more.

# apt-get install iftop --print-uris
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  iftop
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 35.9 kB of archives.
After this operation, 105 kB of additional disk space will be used.
'http://in.archive.ubuntu.com/ubuntu/pool/universe/i/iftop/iftop_1.0~pre2-1_amd64.deb' iftop_1.0~pre2-1_amd64.deb 35910 MD5Sum:a21d03c798bd7a553712e117b44806f5

Use apt-cache to see what are the candidates for installation and where they will be downloaded from:

# apt-cache policy iftop
iftop:
  Installed: (none)
  Candidate: 1.0~pre2-1
  Version table:
     1.0~pre2-1 0
        500 http://in.archive.ubuntu.com/ubuntu/ precise/universe amd64 Packages

In general, if the URIs' domains end with .ubuntu.com or .canonical.com, they can be considered trusted: these are official, first-party repositories or mirrors. Upload access to these is only granted to highly trusted developers.

If the URIs are of a different domain, check out the list of mirrors. If the domain is listed, they are also trustworthy.

For anything else, it's not certain.


Finally, for apt to consider a source trusted, it must sign its packages, and the public key of the source should be added to apt. When you add a PPA by add-apt-repository, it will try to import the PPA's key. For other repositories, you might do something like:

wget -O - http://some.site/site.pub | apt-key add -

And you're again adding that source's key to apt, marking it as trusted.

muru
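The checks described in the two answers above (inspecting the configured sources, and reading the hosts out of apt-get --print-uris output) as an added, runnable example. This is not code from the original page, from the answerers, or from Ubuntu's own tooling. It is a POSIX shell script that takes "deb" lines in the form found in /etc/apt/sources.list and the quoted URI lines that apt-get --print-uris prints, pulls out the host each package would be fetched from, and sorts it into "first-party" (a .ubuntu.com or .canonical.com domain, the rule muru gives) or "third-party". The sample inputs are constructed, not captured from a real machine: the iftop URI line is the one shown in the answer, while the ppa.example.invalid host and its signed-by keyring path are made up to exercise the third-party branch. One caveat: the hostname is only a first filter. What apt actually enforces is the OpenPGP signature on the repository's Release/InRelease file against the keys it has been given, and the MD5Sum or SHA256 value in the --print-uris output is the hash apt checks the downloaded .deb against after that signed index has been verified.

```shell
# classify_apt_sources.sh: added example, not code from the page or from apt.
# Sorts the hosts apt would fetch from into first-party (.ubuntu.com /
# .canonical.com, the rule from the answer) and third-party, reading either
# sources.list style "deb ..." lines or the quoted URI lines that
# `apt-get install --print-uris` prints. All inputs below are constructed
# samples; the ppa.example.invalid host and its keyring path are made up.

q="'"   # a literal single quote, used in the --print-uris patterns below

# Hostname of a URL such as http://host/path or https://host:8443/path.
uri_host() {
    h=${1#*://}                 # drop the scheme
    h=${h%%/*}                  # drop the path
    printf '%s\n' "${h%%:*}"    # drop an optional port
}

# Exit 0 for an official Ubuntu/Canonical host, 1 for anything else.
is_first_party_host() {
    case "$1" in
        ubuntu.com|*.ubuntu.com|canonical.com|*.canonical.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "first-party" or "third-party" for a host.
classify_host() {
    if is_first_party_host "$1"; then
        printf 'first-party\n'
    else
        printf 'third-party\n'
    fi
}

# Classify one sources.list line. Prints "<class> <host> <suite>".
# Blank lines, comments and anything that is not deb/deb-src print nothing.
# An options block such as [arch=amd64 signed-by=/path.gpg] may precede the
# URI and may itself contain spaces, so skip fields until the closing ].
classify_sources_line() {
    case "$1" in
        deb\ *|deb-src\ *) ;;
        *) return 0 ;;
    esac
    uri_suite=$(printf '%s\n' "$1" | awk '{
        i = 2
        if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
        print $i, $(i + 1)
    }')
    uri=${uri_suite%% *}
    suite=${uri_suite#* }
    host=$(uri_host "$uri")
    printf '%s %s %s\n' "$(classify_host "$host")" "$host" "$suite"
}

# Classify one line of `apt-get --print-uris` output, which looks like
#   'http://host/pool/.../pkg.deb' pkg.deb 35910 MD5Sum:<hex>
# (newer apt prints SHA256:<hex>). Prints "<class> <host> <file> <hash-algo>".
# The progress chatter ("Reading package lists... Done") prints nothing.
classify_print_uris_line() {
    case "$1" in
        "$q"*://*"$q"\ *) ;;
        *) return 0 ;;
    esac
    uri=${1#"$q"}               # strip the opening quote
    uri=${uri%%"$q"*}           # keep everything before the closing quote
    rest=${1#*"$q" }            # "<file> <size> <algo>:<hex>" after the URI
    file=${rest%% *}
    algo=${rest##* }            # last field, e.g. MD5Sum:a21d03...
    algo=${algo%%:*}
    host=$(uri_host "$uri")
    printf '%s %s %s %s\n' "$(classify_host "$host")" "$host" "$file" "$algo"
}

# Feed every line of a multi-line string to a classifier function.
each_line() {   # each_line <function> <text>
    printf '%s\n' "$2" | while IFS= read -r line; do
        "$1" "$line"
    done
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_SOURCES='deb http://in.archive.ubuntu.com/ubuntu/ precise main restricted
deb-src http://in.archive.ubuntu.com/ubuntu/ precise main restricted
deb http://security.ubuntu.com/ubuntu precise-security main
# deb http://archive.canonical.com/ubuntu precise partner
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://ppa.example.invalid/repo precise main'

SAMPLE_URIS="Reading package lists... Done
'http://in.archive.ubuntu.com/ubuntu/pool/universe/i/iftop/iftop_1.0~pre2-1_amd64.deb' iftop_1.0~pre2-1_amd64.deb 35910 MD5Sum:a21d03c798bd7a553712e117b44806f5
'https://ppa.example.invalid/repo/pool/main/e/example/example_1.0_amd64.deb' example_1.0_amd64.deb 1234 SHA256:0000000000000000000000000000000000000000000000000000000000000000"

echo '== sources.list =='
each_line classify_sources_line "$SAMPLE_SOURCES"
echo '== apt-get --print-uris =='
each_line classify_print_uris_line "$SAMPLE_URIS"
```

Run it with sh classify_apt_sources.sh. To classify live data instead of the samples, pass the real text in, for example each_line classify_sources_line "$(cat /etc/apt/sources.list)" or each_line classify_print_uris_line "$(apt-get install --print-uris iftop)" as root. Anything reported as third-party deserves the mirror-list lookup or the key check from the answer before you install from it, and even a first-party hostname is only meaningful because apt will still verify the repository signature behind it.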

The mirrors in the list you can pick from when configuring which mirror to use via the "Software & Updates" GUI are official mirrors trusted by the Ubuntu maintainers. They select options for that list that are known to be exact mirrors of the main Ubuntu repository.

Basically, Canonical has already done the work for you when it comes to determining the trustworthiness of those mirrors, so you can generally trust them.

Theoretically, it is still possible to end up downloading "infected software" through apt-get if the integrity of your DNS server has been compromised in a way that points your mirror name of choice to a malicious source. Generally speaking, though, you can trust your ISP to provide the correct IP addresses for these mirrors, meaning you can trust them.

If you want to take DNS resolution into your own hands, though, you could always select a public DNS service such as OpenDNS or Google's public DNS.

MGodby