Changes Coming to Ubuntu PPA Usage » Linux Magazine


With the upcoming Ubuntu 23.10 (Mantic Minotaur), there will be a considerable change to how PPAs are handled. As you may know, in the current iteration of the software-properties software, when you add PPA from the command line, a .list file is created in /etc/apt/sources.list.d/, and the associated GPG key is added to /etc/apt/trusted.gpg.d/.

When 23.10 is released, those PPAs will use the deb822 format for .source files and their corresponding GPG keys will be added directly to the file in a Signed-By field. This means users won’t have to manage a collection of .list files.

According to the developers, this change offers one very important benefit: When a PPA is removed from a system, the GPG key will be automatically removed as well. As well, keys will now be unique to a PPA and cannot be used for other repositories. As well, other keys cannot be used to sign a PPA. These benefits will go a long way to enhance the security of PPAs. Another benefit of the new system is that users won’t have to worry about deleting .list files that can accumulate on a system.

Of course, there’s always a downside, the biggest of which is that PPAs will have root access to a system. Because of this, a program maintainer could add malicious code to a repository, and the next time you upgrade, that malicious code would be installed and have unfettered access to your machine.

Read the announcement from the ubuntu-devel mailing list.


Source link