12

How is it ensured that a trusted user can't compile a package with malware and place it in the universe repo?

user

1 Answer

9

NOTE: This is answered more in-depth by a member of Ubuntu Security Team in this answer. My answer below was written two years prior to the linked answer.

Canonical has the Ubuntu Security Team, a paid group that professionally reviews and supports software submitted to the Ubuntu archives, as well as releasing fixes (aka the security updates).

From the Ubuntu Wiki:

The Ubuntu Security Team often performs audits on software before it is to be officially supported. Once vulnerabilities are found, the Security Team uses responsible disclosure to let others know about the issue.

The Ubuntu Security Team doesn't work on the packages alone but collaborates with others, in particular the Debian security team and vulnerability trackers such as the MITRE CVE database, and maintains its own CVE Tracker.

The same wiki page also lists that they're actively involved in the development of tools to protect from new vulnerabilities; among others, the tools are AppArmor, CompilerFlags, etc.

In particular, the Security Team FAQ states:

Software installation tools that come bundled with Ubuntu, such as the Ubuntu Software Centre and Update Manager, validate packages when they are installed to make sure they are secure and have not been manipulated or trojaned during their download. Also, a large subset of packages in the archive are officially supported by the Ubuntu Security Team and get timely updates for security issues that may arise

So, in other words, as put by thomasrutter, the packages are signed cryptographically to ensure their validation.

The specific repositories that the Security Team oversees are stated in the FAQ as well:

All binary packages in main and restricted are supported by the Ubuntu Security team for the life of an Ubuntu release, while binary packages in universe and multiverse are supported by the Ubuntu community.

Of course, software nowadays runs to millions and millions of lines of code, in a variety of languages, so as our esteemed moderator ThomasW. properly noted, the security team are humans too, and they can't possibly keep track of everything. So yes, some vulnerabilities and bugs can slip through, especially in the universe and multiverse repositories, but there are people and mechanisms in place to ensure that those vulnerabilities and bugs don't run rampant.

Sergiy Kolodyazhnyy
  • So for secure servers it is beneficial to the security profile to use only main? – user Jul 07 '16 at 01:15
  • 1
    @user Although there's no official statement on that, I would say yes - you want to use repositories that are actively supported, while universe packages may be unmaintained for a long time. Server security is a very broad topic, though; there's no single solution. – Sergiy Kolodyazhnyy Jul 07 '16 at 01:18
  • 1
    On a side note, it's recommended to avoid X11 and GUI apps for servers: http://askubuntu.com/a/159607/295286 Also, consider avoiding PPAs: http://askubuntu.com/a/7667/295286 – Sergiy Kolodyazhnyy Jul 07 '16 at 01:27
  • 1
    @user The concept of caveat emptor applies every time you install software. There's a lot of software in Universe that is very good and not malware. Compared to that, there's very little observed malware in the repositories from my observations. Blindly restricting yourself to main will block a lot of useful software. That said, servers should avoid GUIs, and PPAs that aren't widely vetted by the community should also be avoided (PPAs are where caveat emptor really applies). I personally advise to not just "blindly block repository pockets" ... – Thomas Ward Jul 07 '16 at 01:30
  • 1
    ... but that's just my opinion as a server administrator, not as a moderator on the site. (I only install from trusted sources, and I don't blindly install software without doing a bit of research on it) – Thomas Ward Jul 07 '16 at 01:30
  • You can use apt-src to get a copy of the source for any open-source package. Thereafter, you may apply any security testing you wish. – waltinator Jul 07 '16 at 02:13
  • 1
    @waltinator well, yeah, that can be done, but OP mainly is interested in how Canonical takes care of security on their end. Which is what my answer addressed somewhat – Sergiy Kolodyazhnyy Jul 07 '16 at 02:35
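
To see which installed packages fall under the FAQ's support split quoted in the answer (main and restricted versus universe and multiverse), the sketch below parses `apt-cache policy <pkg>...` output and labels each installed package. It is an added example, not part of the original answer or comments; the function names, the labels, the list of official hosts and the sample text are assumptions made for illustration.

```python
import re

# Assumption: only Canonical's own archive hosts (and country mirrors) are official.
OFFICIAL = re.compile(r"^https?://([a-z0-9-]+\.)?(archive|security|ports)\.ubuntu\.com/")
SUPPORT = {"main": "security-team", "restricted": "security-team",
           "universe": "community", "multiverse": "community"}  # per the quoted FAQ

def classify(url, component):
    """Who supports this source; a PPA's component is also "main", so check the host."""
    return SUPPORT.get(component, "third-party") if OFFICIAL.match(url) else "third-party"

def audit(policy_text):
    """Parse `apt-cache policy <pkg>...` output into {package: set of labels}."""
    result, pkg, installed = {}, None, False
    for line in policy_text.splitlines():
        tok = line.split()
        if tok and not line[0].isspace() and tok[-1].endswith(":"):
            pkg, installed = line.strip()[:-1], False
        elif tok and tok[0] == "***":
            installed, result[pkg] = True, set()  # empty set: in no configured repo
        elif len(tok) == 2 and tok[1].isdigit():
            installed = False  # table moved on to a version that is not installed
        elif installed and len(tok) >= 3 and tok[0].isdigit() and "/" in tok[2]:
            result[pkg].add(classify(tok[1], tok[2].split("/", 1)[1]))
    return result

# Constructed sample (versions and the PPA path are made up; Candidate lines omitted).
SAMPLE = """\
openssh-server:
  Installed: 1:8.9p1-3ubuntu0.10
  Version table:
 *** 1:8.9p1-3ubuntu0.10 500
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
fail2ban:
  Installed: 0.11.2-6
  Version table:
 *** 0.11.2-6 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status
example-tool:
  Installed: 2.0-1ppa1
  Version table:
 *** 2.0-1ppa1 500
        500 https://ppa.launchpadcontent.net/example-owner/example-ppa/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status
"""

print(audit(SAMPLE))
```

An empty set for a package means its installed version is not offered by any configured repository, for example a manually installed .deb.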