4

Is the action of adding non-official (third party) repositories to Linux dangerous by itself?

For example, in Debian environments one could do:

add-apt-repository ppa:some_non_official_repository/nor_name

I don't mean the actual download of software from a given non-official repository, but the action of just adding the repository to a system.

David
Arcticooling

2 Answers

7

The adding of the repository itself is not dangerous. But you will probably do an apt update and apt upgrade (or similar) sometime after you've added the repository. The apt upgrade will cause any software already existing on the system to be updated with a newer version if possible - no matter if this newer version comes from the same repository as the previous version.

This means if the new repository you've just added claims to have newer versions of some software you already have on your system, then the newer version from the recently added repository will be used to replace the existing software version. This way backdoors or just buggy software with exploitable vulnerabilities could be added to your system - and this is definitely dangerous.

Note that the contents of a repository can change after you've added it as trusted. This means even if the repository does not currently contain software which you have on your system already, it might contain such software in the future. Thus you should not base your trust on the current contents of the repository but decide if you trust everybody who can make changes to the repository.

Steffen Ullrich
  • you can avoid point 2 by pinning the versions you already have on the system so they don't get updated. – Gartral Jan 14 '18 at 21:08
  • @Gartral: since it is unknown what software might once be available from the new repository, you essentially suggest pinning every piece of software on your system to its current version. But this means that you will get no more updates, i.e. it would be the same as disabling updates completely. While you won't get any bad stuff from the new repository this way, you also won't get any security-relevant updates for your current software - which is definitely a problem. – Steffen Ullrich Jan 14 '18 at 21:29
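A middle ground between the two comments above is to pin the third-party origin at a priority below the distribution's default (500) but not below 100, so it can never replace packages the distribution already ships while packages only it provides still install and upgrade. The following is an added illustration, not code from either answerer or from apt: a simplified model of the candidate-selection rules in apt_preferences(5), run over constructed package data (the origin label "ppa" and the package names are placeholders).

```python
"""Simplified model of apt candidate selection (apt_preferences(5)) on
constructed data: a newly added repository with the default priority can
replace already installed packages on 'apt upgrade'; an origin pin at
priority 100 keeps it as a fallback source for packages the distro lacks."""
from typing import Dict, List, Optional, Tuple

# (package, version tuple, origin); origin "installed" is the copy on disk,
# which apt_preferences(5) assigns priority 100.
Version = Tuple[str, Tuple[int, ...], str]
INSTALLED_PRIORITY = 100
DEFAULT_PRIORITY = 500   # any archive version not matched by a pin

def priority(v: Version, pins: Dict[str, int]) -> int:
    """Priority of one version: the pin for its origin, else the default."""
    _pkg, _ver, origin = v
    if origin == "installed":
        return INSTALLED_PRIORITY
    return pins.get(origin, DEFAULT_PRIORITY)

def candidate(available: List[Version], installed: Optional[Version],
              pins: Dict[str, int]) -> Optional[Version]:
    """Version apt would end up with for one package (simplified rules):
    versions pinned below 100 count only when nothing is installed; highest
    priority wins, ties go to the highest version number; downgrading below
    the installed version needs priority >= 1000."""
    pool = [v for v in available
            if installed is None or priority(v, pins) >= 100]
    if installed is not None:
        pool.append(installed)
    if not pool:
        return None
    best = max(pool, key=lambda v: (priority(v, pins), v[1]))
    if installed is not None and best[1] < installed[1] \
            and priority(best, pins) < 1000:
        return installed
    return best

# Constructed state: the distro ships openssl 1.1.0 (installed); the added
# "ppa" claims a newer openssl and also ships a tool the distro does not have.
OPENSSL_INSTALLED: Version = ("openssl", (1, 1, 0), "installed")
OPENSSL_AVAILABLE = [("openssl", (1, 1, 0), "distro"), ("openssl", (1, 1, 5), "ppa")]
TOOL_INSTALLED: Version = ("tool", (0, 3), "installed")
TOOL_AVAILABLE = [("tool", (0, 4), "ppa")]

# Equivalent /etc/apt/preferences.d entry (origin label as shown by
# 'apt-cache policy'):  Package: *  /  Pin: release o=ppa  /  Pin-Priority: 100
FALLBACK_PIN = {"ppa": 100}

def upgrade_origin(available, installed, pins) -> str:
    """Origin of the version 'apt upgrade' would leave installed."""
    return candidate(available, installed, pins)[2]
```

Pinning the origin below 100 instead (a common mistake) blocks upgrades even for packages that only exist in that repository, which the model also reproduces.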
2

By itself, no, the act of adding a new repo to the repo manager isn't particularly dangerous, and it can be argued that adding a repo from a reputable source and following through with an upgrade/install after that repo has been trusted isn't even dangerous. The inherent problem is adding every and all repos that say they offer the newest versions of things to your system. I'm not afraid to admit that more than once I've borked my system in a fit of frustration wanting the latest version of a particular piece of software and been too lazy or too resource-constrained to compile it from the authors' git/svn/bazaar/whatever they use for version management.

Arcticooling
Gartral