How does ubuntu ensure software security bfrom external developers

Question

I was reading on the hack against the Transmission Bittorrent Client. http://arstechnica.com/security/2016/03/first-mac-targeting-ransomware-hits-transmission-users-researchers-say/

It got me thinking about how would Ubuntu protect itself against this kind of thing. Do the Ubuntu Devs review all software that they put in their repositories or do they trust that software is secure and host it anyway?

Answer 1

There are multiple levels of security/responsibility:

• Developers:

  • write the source code -> check security of own code and from other developers
  • manage code repositories -> should check patches before accepting them, keep their repository secure
  • offer source downloads -> should keep download site secure, provide signed tarballs and checksums

• Packaging toolchain:

  • Packagers: should package properly (configuration options, config files, pre/post-install scripts), sign packages
  • Repository managers: Properly vet package submissions
  • Distribution managers: Keep downloads, checksums, signatures, etc secure
  • All of them: Make sure security fixes make it into the distro package repositories as quickly as possible.
  • More info: https://wiki.ubuntu.com/MOTU

• SecureApt:

  • Makes sure that downloaded packages and updates have not been tampered with (checksum and signature checks)

  • More info:

    • https://wiki.debian.org/SecureApt
    • https://help.ubuntu.com/community/SecureApt

• Users:

  • Because most code for Ubuntu packages is open source and the packaging/signing/etc process is documented, anyone can check for security issues in principle and report unusual behaviour.
  • Should update regularly, but also follow security news if possible in case software updates or .iso files are compromised for instance... :/ ( Example: http://blog.linuxmint.com/?p=2994 )
  • Check .iso files before installing from them (checksums+signature, avoid unofficial sources)
  • Not ignore warnings like "WARNING: The following packages cannot be authenticated!": Why am I getting authentication errors for packages from an Ubuntu repository?

Do the Ubuntu Devs review all software that they put in their repositories or do they trust that software is secure and host it anyway?

My guess is that they mainly trust the original developers (and users to report issues). But if any security problems are found, everyone involved should collaborate to get things patched as quickly as possible. If Ubuntu receives bug reports, they should transmit the information upstream (i.e. to developers) and the other way around, if developers find bugs, they should patch them quickly and notify downstream (i.e. packagers). And everybody should keep their private keys secure and revoke keys if they have been compromised.

P.S.: You might find more info on https://security.stackexchange.com/ as well.