security of the universe repository
Amichai Rotman
amichai at iglu.org.il
Wed Dec 19 10:54:01 UTC 2012
Although it's a bit old, it is still relevant:
https://help.ubuntu.com/10.04/add-applications/C/index.html
Does this answer your questions?
Amichai Rotman
Penguin - FLOSS Computer Service and Technical Consulting
+972-73-7962360 || +972-54-4605787
On Wed, Dec 19, 2012 at 2:35 AM, Chandra Amarasingham <camarasingham at yahoo.com> wrote:
> Thanks Tom and Amichai.
>
> I had assumed that the packages in Main go through a more stringent
> auditing process before inclusion thus perhaps being more secure. If it's
> just support and update I guess one is as secure as the other at least when
> initially delivered.
>
> I have a vague recollection that malicious code has entered open source
> projects and subsequently has to be cleaned even perhaps in the source
> code. I guess this is unavoidable (as risk in life is unavoidable) but was
> wondering what "best practice" in the open source world would look like
> regarding installation of software (ie. minimizing the risk, not only to
> protect one's self but one's customers, etc, who derive work from one's
> system) especially from community maintained sources.
>
> If some malicious code is found to have entered an ubuntu system, would
> there be an audit trail which would enable efficient investigation of where
> and when it may have entered? and who would know more about it? I
> understand that community maintained packages are signed, etc.
>
> I am a little vague on how the whole open source process works....debian to
> ubuntu, source to binaries, etc....., and have thought that if there was a
> registered company behind a repository it may have higher credibility.
>
> Are there things you can do to monitor when executables on your system get
> changed, eg. run a hash on all executables regularly..., etc...(probably
> would take a long time)?
>
> These are some of my thoughts...
> Chandra
>
>
>
> On 12/19/2012 01:01 AM, Amichai Rotman wrote:
>
> I think the OP is referring to the fact the Universe / Multiverse
> repositories are not supported directly by Canonical, but by the community.
> So the OP, being a long time Windows user, I guess, assumes it is
> potentially open to malicious code...
>
> Chandra: No need to worry!
>
> Although Linux viruses exist, they pose very little threat to your
> Ubuntu. On the other hand, if you use the same computer with Windows, and
> download files from the Internet, make sure to scan them regularly with an
> updated Anti Virus. You can safely install ClamAV + ClamTk (its graphical
> front-end) and use it to scan your Windows partition from within Ubuntu.
>
> The fact that the Universe / Multiverse repositories are not supported
> by Canonical just means you have to seek the community's help and support
> for the applications you installed from them, and not contact Canonical.
>
> I hope I was helpful and didn't confuse you even further ;-)
>
>
> Amichai Rotman
> Penguin - FLOSS Computer Service and Technical Consulting
> +972-73-7962360 || +972-54-4605787
>
>
> On Tue, Dec 18, 2012 at 2:45 PM, Tom H <tomh0665 at gmail.com> wrote:
>
>> On Tue, Dec 18, 2012 at 12:57 AM, Chandra Amarasingham
>> <camarasingham at yahoo.com> wrote:
>> >
>> > I am wondering if there is an "official" word on the security of the
>> > universe repository compared to the Main repository. By security I mean
>> > free from malicious code.
>> >
>> > I don't think there are anti-virus programs in the Main repository, but I
>> > think clam anti-virus is in the universe repository.....but that means I am
>> > not able to be confident that the clam anti-virus itself does have malicious
>> > aspects (eg. from other sources...).
>> >
>> > I thought it would be nice to have some scanning software in the main
>> > repository which can be used to scan software from other repositories which
>> > don't enjoy the same level of confidence.
>>
>> Why would the universe/multiverse repositories be insecure? They're
>> packages rebuilt from Debian just like those in main/restricted.
>>
>> --
>> ubuntu-users mailing list
>> ubuntu-users at lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>>
>
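
Added example, not part of the thread: one way to do the periodic hashing of executables that the quoted question asks about. The function names, the JSON baseline file and the script name `exehash.py` are assumptions made for this illustration.

```python
import hashlib, json, os, stat, sys


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):  # 1 MiB chunks
            h.update(block)
    return h.hexdigest()


def snapshot(roots):
    """Map each regular file with an execute bit under roots to [sha256, mode]."""
    result = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: never follow symlinks
                    if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                        result[path] = [sha256_file(path), stat.S_IMODE(st.st_mode)]
                except OSError:  # vanished or unreadable: record it, do not skip
                    result[path] = ["unreadable", None]
    return result


def compare(baseline, current):
    """Return paths whose hash or mode changed, plus added and removed paths."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


if __name__ == "__main__":
    if len(sys.argv) < 4 or sys.argv[1] not in ("save", "check"):
        sys.exit("usage: exehash.py save|check BASELINE.json DIR [DIR...]")
    mode, db, roots = sys.argv[1], sys.argv[2], sys.argv[3:]
    if mode == "save":
        with open(db, "w") as f:
            json.dump(snapshot(roots), f)
    else:
        with open(db) as f:
            report = compare(json.load(f), snapshot(roots))
        print(json.dumps(report, indent=2))
        sys.exit(1 if any(report.values()) else 0)
```

A baseline is only trustworthy if it is kept where a compromised system cannot rewrite it, such as read-only media or another host. Legitimate package upgrades also change hashes, so the baseline needs refreshing after each update; for package-owned files, `debsums` checks against the checksums the packages themselves ship.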