Image of the glider from the Game of Life by John Conway
Skip to content

Untrusted Repositories

WARNING: LONG POST AHEAD.

I cannot for the life of me believe that people are gullible enough to do this. But hey, the world is made up of several people, including complete imbeciles. It's just the lack of intelligence that gets me.

Anyway, now that I've gotten your attention, let's follow a story.

Some random Ubuntu user in Italy, going by the name Trevino, decides to tell the world about a complete and comprehensive /etc/apt/sources.list that includes repositories the world over. These repositories include all the latest in software that has not made it to the Official Ubuntu Repositories. That, or the software is being experimented on by some developer, and the repository is listed for testing only, and could break your system.

Trevino doesn't bother telling you any of this. Rather, "I suggest you use it (but at your own risk)" is the only warning preceding the sources.list. But hey, he suggests you use it, so it has to be good right? Nothing could go wrong.

Heh. Hardly. I don't speak Italian, and I especially can't read it, but looking at the comments, most of the users seem pretty upset. After adding these Golden Repositories, as it will hereafter be called, and updating their system, packages start breaking all over the place.

His blog is far from what people are saying about the Golden Repositories, though. On the Ubuntuforums, there are threads all over the place (too many to put here) with users complaining that their Ubuntu desktop is broken, and they need help fixing it. After examination, it's not Ubuntu that broke their system, but the Golden Repositories!

But do you think that Trevino has learned his lesson? Hardly. He has posted his repositories to Digg, including a separate post about getting Beryl on your system (both of which made it to the front page) after everyone starts complaining about broken packages on his system. Does Trevino not realize that he is doing more harm than good? Or is this his design to begin with?

The best part? The story is far from over. One of the Golden Repositories operators noticed that the number of users on his repo went from ~5 to over 700. Curious about it, he looked into it. Of course, he found Trevino's Golden Repositories, and saw that his repository was listed.

His repo consisted of Linux-restricted-modules that were highly experimental, and could break your system unless you know exactly what you are doing. Of course, with the Golden Repositories making it to the front page of Digg, how many of those users do you think "know exactly what they are doing"? Yeah. Not many.

Well, this repo operator decided to teach a lesson to those using the Golden Repositories. He posted a wallpaper (found here and here) to his repo that would modify the default Ubuntu wallpaper. I thought it entirely appropriate:

Using untrusted repositories may cause permanent damage to your system.

This warning is shown, because you have added untrusted repositories to your software sources.

The maintainer of ANY of these repositories can easily do ANYTHING he or she wants to your system, including destroying or stealing files, stealing passwords, criminal activity through your computer, etc.

Additionally, unofficial repositories may contain packages that make the next upgrade to a new Ubuntu version fail.

You should review ALL repositories you have listed in /etc/apt/sources.list and ALL packages you have installed from untrusted sources.

This message has nothing to do with Ubuntu or Canonical. It has been installed from one of the unofficial repositories you are using.

Perfect. I couldn't agree more.

This operator, who installed that background wallpaper, has put up an account at his site. Frankly, if I were him, I would've left the wallpaper as part of the repo and not taken it out. People need to learn their lesson, and guaranteed that people are still adding the Golden Repositories to their sources.list.

What fails to surprise me, though, is gall of some people saying to blacklist this operator in the Ubuntu community. Because users are intentionally breaking their system, and he is handing out a warning to these morons? I guess I will never understand.

So, after all this, hopefully, you are not one of the r-tards adding the Golden Repositories to your sources.list, just so you can get the latest and greatest in software. If you are, there are a few things that you can do:

  • First and foremost, remove the Golden Repositories, and only have the official repos from Ubuntu, or an official Ubuntu mirror listed.
  • Remove ANY and ALL software that was installed from the Golden Repositories.
  • Comment on Trevino's blog, specifically under the Golden Repository post, that the list is doing nothing to strengthen the Ubuntu community.
  • Comment on Trevino's Digg submissions with the same content that you did on his blog.

Sure, there are "unofficial" repositories that are trusted and safe to install software. I'm going to tell you not to use them, and only use the official ones. But Debian has them, and Ubuntu has them. However, if you must use these repos, then you should only use these repositories to get the software you need, then remove them or comment them out to avoid malicious software such as trojans or keyloggers or other harmful software getting on your computer.

We're Linux users, people. We are supposed to be security conscious. That is was separates us from the rest of the computing world, so why you would want to use an untrusted and unofficial repository is beyond me. If it is because you absolutely must have the latest and greatest software- bleeding edge stuff, then Ubuntu isn't for you. Switch to Debian Sid or Gentoo.

And further, creating an unofficial repository is not the way to strengthen the Ubuntu community. If you have software that you would like others to to, then you need to learn how to build Debian packages and submit them to the Ubuntu developers. This is the way to get software to the rest of the world. Not making your own repository and posting it for the world to use.

{ 3 } Comments

  1. phoenyx using Firefox 2.0 on Ubuntu | December 8, 2006 at 5:36 pm | Permalink

    How would you recommend getting Beryl (if there is any good way)? I went here: http://ubuntu.beryl-project.org/

    small fix: there are two 'h' in the url for the second digg link.

  2. Aaron using Firefox 2.0 on Ubuntu | December 8, 2006 at 5:41 pm | Permalink

    phoenyx-

    Easy:

    1) Wait.
    2) Create and submit packages to Ubuntu.
    3) Compile from source if you HAVE to have it.
    4) Use another distro (last, and not recommended).

  3. Andrew using Mozilla Compatible 5.0 on Debian GNU/Linux | April 13, 2007 at 11:07 am | Permalink

    I'm a new ubuntu user. brand new- I've had it on my system for less than 2months and I think it's an excellent alternative to windows for a college student such as myself.

    I'm thankful for the warning against unsafe repositories and I'll certainly be taking it to heart.

    As cool as ubuntu is it doesn't tolerate a great degree of user error and I'm glad that this is one error I won't be making.

Post a Comment

Your email is never published nor shared.

Switch to our mobile site