security of the universe repository

Chandra Amarasingham camarasingham at
Thu Dec 20 02:58:48 UTC 2012

Thanks Amichai,

I had a browse through that link and also searched around the internet 
again... I found this link

The last sentence seems to imply that the Main repository does get more 
(perhaps significantly more) attention from Ubuntu.  I would 
like to see an anti-virus (anti-malware, I don't know these terms well) 
program included in Main, that way there is some protection from other 
sources... I would think that it makes sense for anti-virus to be part 
of the "base" system.


On 12/19/2012 09:54 PM, Amichai Rotman wrote:
> Although it's a bit old, it is still relevant:
> Does this answer your questions?
> 	Amichai Rotman
>  Penguin - FLOSS Computer Service and Technical Consulting
>  +972-73-7962360 || +972-54-4605787 	
> On Wed, Dec 19, 2012 at 2:35 AM, Chandra Amarasingham 
> <camarasingham at> wrote:
>     Thanks Tom and Amichai.
>     I had assumed that the packages in Main go through a more
>     stringent auditing process before inclusion thus perhaps being
>     more secure. If it's just support and update I guess one is as
>     secure as the other at least when initially delivered.
>     I have a vague recollection that malicious code has entered open
>     source projects and subsequently has to be cleaned even perhaps
>     in the source code.  I guess this is unavoidable (as risk in life
>     is unavoidable) but was wondering what "best practice" in the open
>     source world would look like regarding installation of software
>     (ie. minimizing the risk, not only to protect one's self but one's
>     customers, etc, who derive work from one's system) especially from
>     community maintained sources.
>     If some malicious code is found to have entered an ubuntu system,
>     would there be an audit trail which would enable efficient
>     investigation of where and when it may have entered? and who would
>     know more about it?  I understand that community maintained
>     packages are signed, etc.
>     I am a little vague on how the whole open source process
>     works....debian to ubuntu, source to binaries, etc....., and have
>     thought that if there was a registered company behind a repository
>     it may have higher credibility.
>     Are there things you can do to monitor when executables on your
>     system get changed, eg. run a hash on all executables
>     regularly..., etc...(probably would take a long time)?
>     These are some of my thoughts...
>     Chandra
>     On 12/19/2012 01:01 AM, Amichai Rotman wrote:
>>     I think the OP is referring to the fact the Universe / Multiverse
>>     repositories are not supported directly by Canonical, but by the
>>     community. So the OP, being a long time Windows user, I guess,
>>     assumes it is potentially open to malicious code...
>>     Chandra: No need to worry!
>>     Although Linux viruses exist, they pose very little threat to
>>     your Ubuntu. On the other hand, if you use the same computer with
>>     Windows, and download files from the Internet, make sure to scan
>>     them regularly with an updated Anti Virus. You can safely install
>>     ClamAV + ClamTk (its graphical front-end) and use it to scan
>>     your Windows partition from within Ubuntu.
>>     The fact that the  Universe / Multiverse repositories are not
>>     supported by Canonical just means you have to seek the
>>     community's help and support for the applications you installed
>>     from them, and not contact Canonical.
>>     I hope I was helpful and didn't confuse you even further ;-)
>>     	Amichai Rotman
>>      Penguin - FLOSS Computer Service and Technical Consulting
>>     +972-73-7962360 || +972-54-4605787
>>     On Tue, Dec 18, 2012 at 2:45 PM, Tom H
>>     <tomh0665 at> wrote:
>>         On Tue, Dec 18, 2012 at 12:57 AM, Chandra Amarasingham
>>         <camarasingham at> wrote:
>>         >
>>         > I am wondering if there is an "official" word on the security of the
>>         > universe repository compared to the Main repository. By security I mean free
>>         > from malicious code.
>>         >
>>         > I don't think there are anti-virus programs in the Main repository, but I
>>         > think clam anti-virus is in the universe repository.....but that means I am
>>         > not able to be confident that the clam anti-virus itself does have malicious
>>         > aspects (eg. from other sources...).
>>         >
>>         > I thought it would be nice to have some scanning software in the main
>>         > repository which can be used to scan software from other repositories which
>>         > don't enjoy the same level of confidence.
>>         Why would the universe/multiverse repositories be insecure? They're
>>         packages rebuilt from Debian just like those in main/restricted.
>>         --
>>         ubuntu-users mailing list
>>         ubuntu-users at
>>         Modify settings or unsubscribe at:
>     --
>     ubuntu-users mailing list
>     ubuntu-users at
>     Modify settings or unsubscribe at:
