
Main Question:

At which point can I trust external, unofficial repos? Are there security implications for blindly adding third-party repos to a workstation? However, I've been very suspicious of including non-official repos.

Background and my particular case:

I'd like to install Juce. From what I understand, this is a stand-alone utility to host VSTs (virtual instruments used in music production). I've found what appears to be its source on GitHub and have tried to compile that in a throw-away VM. However, after receiving errors on install (for which I may open a ticket here or on GitHub later), I was curious to see if anyone had packaged it for Ubuntu.

Rick

1 Answer


There are a few problems:

  • Any repo can overwrite any package by default. You can pin a repo to only allow certain packages but that doesn't help against this because...
  • Those packages can write files anywhere. They'd have to not overwrite any existing files but there are plenty of places you could hide a malicious file, which isn't to mention...
  • Packages can run anything as root on install and removal.

So yes, if you can't trust the controller of a repository (or trust that they're vetting the code that's going into the repo), you shouldn't be using that repo. A malicious package is game over.

Oli
  • As I thought. I generally do not add 3rd party repos, but for the particular situation, since Juce should be in 16.04, I should just wait a month. Upvote and many thanks. – Rick Mar 10 '16 at 17:24
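One way to act on the second and third points in the answer before installing anything from an unfamiliar repo: unpack the .deb offline and list its maintainer scripts (which dpkg runs as root) and every path it would write, flagging paths outside where you expect the package to live. This is an added example, not code from the answer or from Juce; `EXPECTED_PREFIXES` is a hypothetical allow-list and `SAMPLE_DEB` is a constructed package built inside the block, not a real Juce package.

```python
import io
import tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}  # run as root by dpkg
EXPECTED_PREFIXES = ("usr/", "opt/")  # hypothetical allow-list for a VST host package

def ar_members(blob):  # yield (name, data) from an ar archive, the .deb container
    pos = 8  # skip the b"!<arch>\n" magic
    while pos + 60 <= len(blob):
        hdr, pos = blob[pos:pos + 60], pos + 60
        name, size = hdr[:16].decode().strip().rstrip("/"), int(hdr[48:58])
        yield name, blob[pos:pos + size]
        pos += size + (size & 1)  # member data is padded to an even length

def inspect_deb(blob):
    """Maintainer scripts plus every path the package writes; paths outside
    EXPECTED_PREFIXES go to 'review' so a human checks them before installing."""
    report = {"scripts": {}, "files": [], "review": []}
    for name, data in ar_members(blob):
        if not name.startswith(("control.tar", "data.tar")):
            continue  # debian-binary version marker, or something unexpected
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for m in tar.getmembers():
                path = m.name.lstrip("./")
                if name.startswith("control") and path in MAINTAINER_SCRIPTS:
                    report["scripts"][path] = tar.extractfile(m).read().decode()
                elif name.startswith("data") and m.isfile():
                    report["files"].append(path)
                    if not path.startswith(EXPECTED_PREFIXES):
                        report["review"].append(path)
    return report

def tar_gz(entries):  # gzip'd tar from (path, bytes) pairs; sample construction only
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in entries:
            info = tarfile.TarInfo(path); info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def ar_archive(members):  # ar archive from (name, bytes) pairs; sample construction only
    out = b"!<arch>\n"
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) & 1 else b"")
    return out

# Constructed sample .deb, not a real package: a postinst plus a file under /etc.
SAMPLE_DEB = ar_archive([("debian-binary", b"2.0\n"),
    ("control.tar.gz", tar_gz([("./control", b"Package: juce-demo\nVersion: 0\n"),
                               ("./postinst", b"#!/bin/sh\nset -e\nldconfig\n")])),
    ("data.tar.gz", tar_gz([("./usr/bin/juce-demo", b"#!/bin/sh\necho demo\n"),
                            ("./etc/cron.d/juce-demo", b"# constructed entry\n")]))])
```

Run `inspect_deb(open("pkg.deb", "rb").read())` on a downloaded package and read every script in `scripts` and every path in `review` before letting dpkg run them as root.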