security of the universe repository

Tom H tomh0665 at gmail.com
Thu Dec 20 09:05:16 UTC 2012


On Tue, Dec 18, 2012 at 9:01 AM, Amichai Rotman <amichai at iglu.org.il> wrote:
> On Tue, Dec 18, 2012 at 2:45 PM, Tom H <tomh0665 at gmail.com> wrote:
>> On Tue, Dec 18, 2012 at 12:57 AM, Chandra Amarasingham
>> <camarasingham at yahoo.com> wrote:
>>>
>>> I am wondering if there is an "official" word on the security of the
>>> universe repository compared to the Main repository. By security I mean
>>> free from malicious code.
>>>
>>> I don't think there are anti-virus programs in the Main repository, but
>>> I think clam anti-virus is in the universe repository.....but that means
>>> I am not able to be confident that the clam anti-virus itself does have
>>> malicious aspects (eg. from other sources...).
>>>
>>> I thought it would be nice to have some scanning software in the main
>>> repository which can be used to scan software from other repositories
>>> which don't enjoy the same level of confidence.
>>
>> Why would the universe/multiverse repositories be insecure? They're
>> packages rebuilt from Debian just like those in main/restricted.
>
> I think the OP is referring to the fact the Universe / Multiverse
> repositories are not supported directly by Canonical, but by the community.
> So the OP, being a long time Windows user, I guess, assumes it is
> potentially open to malicious code...
>
> The fact that the Universe / Multiverse repositories are not supported by
> Canonical just means you have to seek the community's help and support for
> the applications you installed from them, and not contact Canonical.

Claiming that the Universe/Multiverse repositories are insecure
because they're run by volunteers is like claiming that Arch, Debian,
Gentoo, etc, are insecure because their repositories are completely
run by volunteers! The sources from which the various packages are
built are also created by volunteers; should we distrust them too?!

Regarding your last para, I'd be surprised if someone who had a
Canonical support contract and installed nagios or netatalk (for
example) from "universe" would be told "this is unsupported." AFAIK,
security support for "universe/multiverse" is cut off faster than for
"main/restricted" but Google can't help me find any confirmation of
that so I might be misremembering.



