Nothing is immune to supply chain attacks. The supply chain attack has been pretty common over the last year or two at this point in other repository based software delivery systems.<div><br></div><div>See CCleaner, Chrome extensions, Android app stores, sometimes even the Apple app store.</div><div><br></div><div>Your security system is only as secure as the weakest link in the chain and who said you need to be good at security just to be an app or package developer.</div><div><br></div><div>Compromise the source code and you've now technically created a far more potent attack then you could have other ways. Because now in a world where you're almost asking for trouble if you're not constantly on top of your updates you're damned if you do damned if you don't. <br><br><div class="gmail_quote"><div dir="ltr">On Sun, May 13, 2018, 12:03 PM Khalid Baheyeldin <<a href="mailto:kb@2bits.com">kb@2bits.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">On Sun, May 13, 2018 at 11:53 AM, Remi Gauvin <span dir="ltr"><<a href="mailto:remi@georgianit.com" target="_blank">remi@georgianit.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 2018-05-13 11:15 AM, Khalid Baheyeldin wrote:<br>
</span><span>> We were sheltered because the tried and tested methodology of repositories<br>
> made us immune to this for ~ 25 years or so.<br>
<br>
</span>One of the things I like about Ubuntu is the great ecosystem of PPA's.<br>
Over the past several years, I found PPA's did a great job of filling<br>
the gaps between what makes it into a relatively stable distro, and<br>
those software packages I need to be newer for a specific task. PPA's<br>
were certainly more convenient that downloading and compiling from source.<br>
<br>
In this regards, I'm a little torn. On the one hand, it's just as easy<br>
for a bad or careless actor to put a bad package in a PPA. Without<br>
Snaps isolation, such a package would root a system, essential requiring<br>
a fresh install, or snapshot restore to guarantee system integrity. Not<br>
to mention her irrevocable lose of private/secret information.<br>
<br>
However, in the case of PPA's I could carefully choose which PPA I drew<br>
packages from, (and therefore, essentially, who to trust with the<br>
system.) With the snap store just allowing anyone to put whatever in<br>
one big repository...well,, we all already know exactly where that<br>
leads, and Ubuntu has provided an example in record time.</blockquote></div><br></div></div><div dir="ltr"><div class="gmail_extra">While PPAs can include malware, it less likely. Why? Because PPAs are <br>usually created by someone to fill a niche (like you say). For example,<br></div><div class="gmail_extra">having older, or newer, versions of packages available. <br><br></div><div class="gmail_extra">Examples include:<br><br></div><div class="gmail_extra">Older PHP versions on LTS releases, <br>Newer still experimental GIMP releases with 16/32 bit colour, <br>Newer KStars version with all the latest astrophotography features<br><br></div><div class="gmail_extra">Usually, these PPAs have their source published somewhere (Launchpad)<br></div><div class="gmail_extra">and are built nightly automatically from that source. So the source can <br>be inspected. <br><br>And usually, there is a community behind these, and many users. If <br>someone tries to slip in malware, it will be discovered quickly.<br><br></div><div class="gmail_extra">Reminds of some 12 or so years back, when the founder of Wordpress <br></div><div class="gmail_extra">tried to slip in invisible link farm stuff in Wordpress, with negative CSS<br></div><div class="gmail_extra">offsets, but was outed quickly, and apologized.<br></div></div>
_______________________________________________<br>
kwlug-disc mailing list<br>
<a href="mailto:kwlug-disc@kwlug.org" target="_blank">kwlug-disc@kwlug.org</a><br>
<a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org" rel="noreferrer" target="_blank">http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a><br>
</blockquote></div></div>