This is something I wrote last year and posted somewhere else. I thought it was worth sharing here as I see a lot of people using 3rd party repos.
There are often discussions about the dangers of using AUR but it seems like there a lot less focus is on the dangers of using 3rd party repos.
In general, using a 3rd party repo is much more dangerous than using AUR. With an AUR package, everything is fully transparent and the package is built on your machines. A quick look at the PKGBUILD file will show you if there is anything nefarious going on and some AUR helpers even let you view the diffs between version when updating so you only need to review what changed which is usually very little.
On the other hand, a package in a 3rd party repo can do almost anything and it is very hard to tell since it is all bundled up in a package. Even if they make the PKGBUILDs available, there is no guarantee that what is contained in the packages matches them. Basically, when installing a binary package, you need to have absolute trust and blind faith in the packager.
There are a few questions I would urge you to ask yourself before adding a 3rd party repo
- Do I trust all of the packagers who can build packages for the repo
- Do I understand the process for new packagers to get access to the repo
- Are the packages built in the repo signed by the key of the person who built them or is that process automated with a shared key
If you can’t answer yes to all of those questions, you should think twice before adding the repo.
For example, consider the commonly referenced herecura repo which contains some popular packages including Google Chrome:
- It is packaged by an Arch Trusted User(TU), if you don’t trust them, you can’t trust the Arch repos either
- It is all packaged by a single person
- All the packages are signed by the packager
Based on the above, I would argue that this a pretty safe repo to use.
But what about another repo? Do you know all the packagers? Do you have absolute trust in them? I hope so because you are basically giving them full access to your machine.
Some fallacies to be wary of:
- I have been using repo X for a long time and have never had a problem - Tomorrow could be the day a problem occurs. Maybe a new packager gets added and was not properly vetted. Maybe one of the packagers hits some financial difficulties. Etc, etc, etc.
- It isn’t a big deal because I only use it for [insert simple application here] - It doesn’t really matter what the package is or claims to be. It can have something extra or totally different inside it.
How much damage could it really do? - Well, lets see. Here are some things a malicious packager could do:
- Install a keylogger
- Add keys to your keyring
- Create, install and start/enable a service as any user
- Basically, a package can do almost anything to your machine
- It isn’t any more dangerous than using a ppa on Ubuntu - Well, sure, that is also quite dangerous depending on the source. However, that doesn’t make it safe, it just means there is something else that also requires careful consideration.
- It takes too long to build from AUR - Potentially true, but be aware you are trading convenience for safety
- It is no more risky than installing from the AUR - Not really. The AUR provides a high degree of transparency since the PKGBUILDs and changelogs are fully visible. I would argue that as community driven sources go, the AUR is one of the safest as long as you vet the PKGBUILD.
In the end, I am not recommending you never use a 3rd party repo. However, I would urge you to be cautious, deliberate and to consider the risks involved.