security of the universe repository

Chandra Amarasingham camarasingham at
Wed Dec 19 00:35:47 UTC 2012

Thanks Tom and Amichai.

I had assumed that the packages in Main go through a more stringent 
auditing process before inclusion thus perhaps being more secure. If 
it's just support and update I guess one is as secure as the other at 
least when initially delivered.

I have a vague recollection that malicious code have entered open source 
projects and subsequently have to be cleaned even perhaps in the source 
code.  I guess this is unavoidable (as risk in life is unavoidable) but 
was wondering what "best practice" in the open source world would look 
like regarding installation of software (ie. minimizing the risk, not 
only to protect one's self but one's customers, etc, who derive work 
from one's system) especially from community maintained sources.

If some malicious code is found to have entered an ubuntu system, would 
there be an audit trail which would enable efficient investigation of 
where and when it may have entered? and who would know more about it?  I 
understand that community maintained packages are signed, etc.

I am little vague on how the whole open source process works....debian 
to ubuntu, source to binaries, etc....., and have thought that if there 
was a registered company behind a repository it may have higher credibility.

Are there things you can do to monitor when executables on your system 
get changed, eg. run a hash on all executables regularly..., 
etc...(probably would take a long time)?

These are some of my thoughts...

On 12/19/2012 01:01 AM, Amichai Rotman wrote:
> I think the OP is referring to the fact the Universe / Multiverse 
> repositories are not supported directly by Canonical, but by the 
> community. So the OP, being a long time Windows user, I guess, assumes 
> it is potentially open to malicious code...
> Chandra: No need to worry!
> Although Linux viruses exist, they pose very little threat to your 
> Ubuntu. On the other hand, if you use the same computer with Windows, 
> and download files from the Internet, make sure to scan them regularly 
> with an updated Anti Virus. You can safely install ClamAV + ClamTk 
> (it's graphical front-end) and use it to scan your Windows partition 
> from within Ubuntu.
> The fact that the  Universe / Multiverse repositories are not 
> supported by Canonical just means you have to seek the community's 
> help and support for the applications you installed from them, and not 
> contact Canonical.
> I hope I was helpful and didn't confused you even further ;-)
> 	Amichai Rotman
>  Penguin - FLOSS Computer Service and Technical Consulting
>  +972-73-7962360 || +972-54-4605787 	
> On Tue, Dec 18, 2012 at 2:45 PM, Tom H <tomh0665 at 
> <mailto:tomh0665 at>> wrote:
>     On Tue, Dec 18, 2012 <tel:2012> at 12:57 AM, Chandra Amarasingham
>     <camarasingham at <mailto:camarasingham at>> wrote:
>     >
>     > I am wondering if there is an "official" word on the security of the
>     > universe repository compared to the Main repository. By security
>     I mean free
>     > from malicious code.
>     >
>     > I don't think there are anti-virus programs in the Main
>     repository, but I
>     > think clam anti-virus is in the universe repository.....but that
>     means I am
>     > not able to be confident that the clam anti-virus itself does
>     have malicious
>     > aspects (eg. from other sources...).
>     >
>     > I thought it would be nice to have some scanning software in the
>     main
>     > repository which can be used to scan software from other
>     repositories which
>     > don't enjoy the same level of confidence.
>     Why would the universe/multiverse repositories be insecure? They're
>     packages rebuilt from Debian just like those in main/restricted.
>     --
>     ubuntu-users mailing list
>     ubuntu-users at <mailto:ubuntu-users at>
>     Modify settings or unsubscribe at:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the ubuntu-users mailing list