The problem with 3rd party repositories

I am a big supporter of the idea of a common repository format for all software management tools on Linux. If, in addition, there were an easy way to include and exclude standard third-party repositories, they would eventually find their way into more corporate environments and might become the default way to update software in Linux environments – at the moment we already have repositories for Skype and Macromedia, but there are plenty of companies which do not provide repositories at all.

But: whenever you install software from someone else, you should be aware that this person can gain total control of your entire system. The same holds for repositories, where the maintainer can easily insert software packages which replace your system packages (as long as you don’t restrict which packages may come from that repository). And that’s a big security risk!
So big that no one should ever enable a third-party repository he or she doesn’t fully trust!

A very good example of what can happen when you activate the wrong repository is the so-called Treviño Story. The maintainer of a small Ubuntu development repository found that his repository was suddenly being used by far too many people – and he decided to change the wallpaper to a warning.
In my opinion he did exactly the right thing: showing people that they have to start thinking, without harming their systems. He could have done worse things, like automatically deleting his entry from the sources.list or simply turning all of those machines into zombies. And yes, the more popular Linux becomes, the more problems we will see in the near future with captured and/or malicious repositories.

One way to deal with such problems, by the way, would be to have two security mechanisms:
First, a mechanism which makes it impossible for non-original repositories to replace a system package. Second, a mechanism which ensures that non-original repositories are only allowed to install their files into /opt/ or a similar location.
These two options would make the machine more secure – not perfect, but at least better.
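As an added illustration of the first mechanism (not part of the original post), the following Python snippet is a simplified model of APT's pin priorities, which is how Debian-based systems can already keep a third-party origin from replacing distribution packages while still letting it supply packages the distribution does not carry; the repository hostnames, package versions and the dotted-integer version comparison are constructed simplifications, not real data.

```python
"""Simplified model of APT pin priorities (constructed example, not the post's own).
Real dpkg version comparison handles epochs, '~' and letters; dotted integers suffice here."""
from dataclasses import dataclass

DISTRO_PRIORITY = 500     # APT's default priority for an enabled archive
INSTALLED_PRIORITY = 100  # APT gives the currently installed version priority 100

@dataclass(frozen=True)
class Version:
    package: str
    version: str
    origin: str  # repository hostname, as matched by "Pin: origin <host>"

def version_key(v):
    return tuple(int(p) for p in v.split("."))

def candidate(available, installed, pins):
    """Pick the version APT would install: highest pin priority wins, ties go to
    the highest version. `pins` maps origin -> priority and stands for a stanza like
        Package: *
        Pin: origin thirdparty.example.org
        Pin-Priority: 100
    in /etc/apt/preferences.d/."""
    ranked = [(pins.get(v.origin, DISTRO_PRIORITY), version_key(v.version), v) for v in available]
    if installed is not None:
        ranked.append((INSTALLED_PRIORITY, version_key(installed.version), installed))
    ranked.sort(key=lambda t: (t[0], t[1]))
    return ranked[-1][2]

# Constructed sample data with placeholder hostnames.
DISTRO = "archive.example.org"
THIRD = "thirdparty.example.org"
AVAILABLE = [
    Version("libc6", "2.3.6", DISTRO),
    Version("libc6", "9.9.9", THIRD),  # third party ships a "newer" system package
    Version("skype", "1.4", THIRD),    # only the third party carries this one
]
INSTALLED = {"libc6": Version("libc6", "2.3.6", DISTRO)}

def upgrade_plan(pins):
    """Map each package name to the origin APT would take it from under `pins`."""
    plan = {}
    for name in sorted({v.package for v in AVAILABLE}):
        versions = [v for v in AVAILABLE if v.package == name]
        plan[name] = candidate(versions, INSTALLED.get(name), pins).origin
    return plan

if __name__ == "__main__":
    print("no pin:       ", upgrade_plan({}))            # libc6 gets replaced from the third party
    print("pinned to 100:", upgrade_plan({THIRD: 100}))  # libc6 stays with the distribution
```

Without a pin, the third-party archive's higher version number wins and the system package is replaced; pinned to 100, it can only add packages, never override what the distribution ships.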

But before we can start thinking about that we need two things first: a common, widely accepted and widely used package format, and a common, widely accepted repository format. That shouldn’t be too hard even from a realistic point of view, but unfortunately nothing is happening in that area.

3 thoughts on “The problem with 3rd party repositories”

  1. Actually, this is going to become more common and more of a risk as Linux becomes more popular. Using “community” supported repositories and community volunteered bandwidth was a fine idea when the Linux community was small, but as it grows it will be necessary to have commercial repositories for popular distributions where the user pays a small fee per year to have access to a fast repository server containing all the latest packages. Mandriva may be able to migrate its Mandriva Club to that type of system, where users pay for bandwidth.

    Canonical, with the increasingly popular Ubuntu, may have to do something along those lines as well.

  2. Community repositories are actually a good way to diversify bandwidth resources from the main repositories. It also speeds up development of bleeding-edge software through feedback from users using those repositories. If there is just a community body that can designate whose repository is trustworthy, then we can minimize the problem of insecure repositories along with liquidat’s idea.

    I think paid bandwidth is not a good idea; mirrors already exist to solve the bandwidth problem.

  3. I also think that the current mirror system is good enough to deal with the bandwidth problem: there is no problem at all for most universities to support some Linux distributions with their bandwidth because the projects are mostly free and sometimes are even used by the universities themselves.
    Also companies are joining the mirror system more and more, at least here in Germany.

    It works for Firefox as well, and that one is much more often used than all Linux distributions together.
