[DC LoCo] thoughts about a tool to verify certain PPAs

Kenneth Stailey kstailey at yahoo.com
Tue Oct 12 21:55:34 BST 2010



--- On Tue, 10/12/10, Daniel Chen <seven.steps at gmail.com> wrote:

> From: Daniel Chen <seven.steps at gmail.com>
> Subject: Re: [DC LoCo] thoughts about a tool to verify certain PPAs
> To: "Kenneth Stailey" <kstailey at yahoo.com>
> Cc: ubuntu-us-dc at lists.ubuntu.com
> Date: Tuesday, October 12, 2010, 8:47 AM
> On Tue, Oct 12, 2010 at 8:23 AM, Kenneth Stailey <kstailey at yahoo.com> wrote:
> > Many PPAs are simply the upstream source plus the "debian" directory.
> 
> ...which may not be "good" packaging, but I digress

I'm curious to know what you mean by that.

As an example take this:

https://launchpad.net/~nutznboltz/+archive/freeipmi

I produce it because I use it, and I use it because it provides something I can't get elsewhere: consistent FreeIPMI for supported Ubuntu releases.  If you work in an environment with a lot of computers that use Ubuntu, like I do, you may find you want hardware monitoring to be the same on all of them.  We use OpsCode Chef to deploy FreeIPMI and hook it into Nagios.

The PPA is nothing more than the upstream vendor's source with my debian directory shoved in it.

Is this "good" packaging or not by your standards?  What would you do differently?

> 
>> It should not be so hard to write a tool that could
>> download the upstream providers source code and the source
>> code from a PPA and run a diff on them.
> 
> If you mean "a more automated tool," there's room for improving how
> the various bzr branches on Launchpad are exposed.  The (manual)
> functionality itself of which you speak is already available to a high
> degree.

I wasn't even thinking about "bzr branches" when I wrote "upstream".
 
>> It would help prove that there's no monkey business in
>> someone's PPA.
> 
> "Proof" of no monkey business is non-trivial, but at least there's
> http://www.dwheeler.com/trusting-trust/ .

"Help prove" is different than "proof".

This is about determining whether or not to use a PPA from an unknown source.  If the PPA turns out to be the "upstream" as in "actual developer's" unmodified source and you trust that developer then you may want to use the PPA.

In the FreeIPMI case Al Chu at anl.gov seems pretty trustworthy.
 
>> You still would have to ascertain that the
>> debian/rules etc. do not have malware in them.
> 
> Eh?  Plain-text (Makefile stub)?

If the "actual developer's unmodified source" matches and is trusted then the "debian directory" may still be malware.

> > But would it be a step in the right direction?
> 
> A step forward, yes.  You speak mostly of automation
> and UI enhancements, and that's usually a Good Thing.
> 
> Best,
> -Dan
> 
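
The check discussed in this thread (fetch the upstream source and the PPA source, diff them, and then still read the debian/ directory by hand), as an added example; it is not code from the thread, from FreeIPMI, or from Launchpad. It assumes both trees are already unpacked locally (the upstream tarball via tar, the PPA side via dget of the .dsc from Launchpad followed by dpkg-source -x) and that no path contains whitespace, since it parses the output of diff -rq. The sample trees it builds are constructed stand-ins, not real FreeIPMI sources. Differences under debian/ are reported as PACKAGING rather than ignored, precisely because, as the thread notes, a matching upstream says nothing about debian/rules.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPMI/Launchpad.
# Compares an unpacked upstream source tree against the source unpacked from a
# PPA and separates packaging changes (anything under debian/) from changes to
# the upstream code itself.  Obtaining the inputs is outside this script:
#   upstream: unpack the project's release tarball
#   PPA side: dget <URL of the .dsc on Launchpad> && dpkg-source -x <file>.dsc
# Paths containing spaces or newlines are not handled (diff -rq output is parsed).

# ppa_classify UPSTREAM_DIR PPA_DIR
# Prints one line per differing path: "PACKAGING rel/path" for debian/,
# "UPSTREAM rel/path" for everything else.
ppa_classify() {
    upstream="$1"
    ppa="$2"
    diff -rq "$upstream" "$ppa" | while IFS= read -r line; do
        case "$line" in
            "Only in "*)
                # "Only in DIR: NAME" -> DIR/NAME
                dir=${line#Only in }
                dir=${dir%%: *}
                name=${line##*: }
                path="$dir/$name"
                ;;
            "Files "*)
                # "Files A and B differ": A is the upstream-side path
                rest=${line#Files }
                path=${rest%% and *}
                ;;
            *)
                continue
                ;;
        esac
        # strip whichever tree prefix applies to get the relative path
        rel=${path#"$upstream"/}
        rel=${rel#"$ppa"/}
        case "$rel" in
            debian|debian/*) printf 'PACKAGING %s\n' "$rel" ;;
            *)               printf 'UPSTREAM %s\n' "$rel" ;;
        esac
    done
}

# ppa_diff_check UPSTREAM_DIR PPA_DIR
# Returns 0 when the PPA source is upstream plus debian/ only; 1 when any
# file outside debian/ was added, removed or modified.
ppa_diff_check() {
    n=$(ppa_classify "$1" "$2" | grep -c '^UPSTREAM ' || true)
    [ "$n" -eq 0 ]
}

# make_sample_trees BASE
# Constructed sample input (not real FreeIPMI sources): an "upstream" tree,
# a PPA that only adds debian/, and a PPA that also patches a source file.
make_sample_trees() {
    base="$1"
    mkdir -p "$base/upstream/src"
    printf 'int main(void) { return 0; }\n' > "$base/upstream/src/main.c"
    printf 'sample project, stands in for an upstream tarball\n' > "$base/upstream/README"
    for tree in ppa_clean ppa_tampered; do
        cp -R "$base/upstream" "$base/$tree"
        mkdir -p "$base/$tree/debian"
        printf '#!/usr/bin/make -f\n%%:\n\tdh $@\n' > "$base/$tree/debian/rules"
        printf 'Source: sample\n' > "$base/$tree/debian/control"
    done
    # the "tampered" PPA carries a change outside debian/
    printf 'int backdoor(void) { return 1; }\n' >> "$base/ppa_tampered/src/main.c"
}

# Demonstration on the constructed trees.
demo=$(mktemp -d)
make_sample_trees "$demo"
for tree in ppa_clean ppa_tampered; do
    printf '== %s ==\n' "$tree"
    ppa_classify "$demo/upstream" "$demo/$tree"
    if ppa_diff_check "$demo/upstream" "$demo/$tree"; then
        echo "OK: only debian/ differs; now read debian/ by hand"
    else
        echo "WARNING: files outside debian/ differ from upstream"
    fi
done
rm -rf "$demo"
```

A result of "only debian/ differs" is the "help prove" from the thread, not "proof": it tells you the tarball half of the package is the developer's, and narrows the manual review to debian/rules and friends.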


