[FAQ] The dangers of using 3rd party repos

This is something I wrote last year and posted somewhere else. I thought it was worth sharing here as I see a lot of people using 3rd party repos.

There are often discussions about the dangers of using AUR but it seems like there a lot less focus is on the dangers of using 3rd party repos.

In general, using a 3rd party repo is much more dangerous than using AUR. With an AUR package, everything is fully transparent and the package is built on your machines. A quick look at the PKGBUILD file will show you if there is anything nefarious going on and some AUR helpers even let you view the diffs between version when updating so you only need to review what changed which is usually very little.

On the other hand, a package in a 3rd party repo can do almost anything and it is very hard to tell since it is all bundled up in a package. Even if they make the PKGBUILDs available, there is no guarantee that what is contained in the packages matches them. Basically, when installing a binary package, you need to have absolute trust and blind faith in the packager.

There are a few questions I would urge you to ask yourself before adding a 3rd party repo

• Do I trust all of the packagers who can build packages for the repo
• Do I understand the process for new packagers to get access to the repo
• Are the packages built in the repo signed by the key of the person who built them or is that process automated with a shared key

If you can’t answer yes to all of those questions, you should think twice before adding the repo.

For example, consider the commonly referenced herecura repo which contains some popular packages including Google Chrome:

• It is packaged by an Arch Trusted User(TU), if you don’t trust them, you can’t trust the Arch repos either
• It is all packaged by a single person
• All the packages are signed by the packager

Based on the above, I would argue that this a pretty safe repo to use.

But what about another repo? Do you know all the packagers? Do you have absolute trust in them? I hope so because you are basically giving them full access to your machine.

Some fallacies to be wary of:

• I have been using repo X for a long time and have never had a problem - Tomorrow could be the day a problem occurs. Maybe a new packager gets added and was not properly vetted. Maybe one of the packagers hits some financial difficulties. Etc, etc, etc.
• It isn’t a big deal because I only use it for [insert simple application here] - It doesn’t really matter what the package is or claims to be. It can have something extra or totally different inside it.
• How much damage could it really do? - Well, lets see. Here are some things a malicious packager could do:
  • Install a keylogger
  • Add keys to your keyring
  • Create, install and start/enable a service as any user
  • Basically, a package can do almost anything to your machine
• It isn’t any more dangerous than using a ppa on Ubuntu - Well, sure, that is also quite dangerous depending on the source. However, that doesn’t make it safe, it just means there is something else that also requires careful consideration.
• It takes too long to build from AUR - Potentially true, but be aware you are trading convenience for safety
• It is no more risky than installing from the AUR - Not really. The AUR provides a high degree of transparency since the PKGBUILDs and changelogs are fully visible. I would argue that as community driven sources go, the AUR is one of the safest as long as you vet the PKGBUILD.

In the end, I am not recommending you never use a 3rd party repo. However, I would urge you to be cautious, deliberate and to consider the risks involved.

Prefixed with [FAQ] so it would be easily searchable
That will be helpful!

This is an excellent summary.

It cannot be stressed enough how safe the AUR is, if the user is careful. Indeed, while anyone can upload anything to the AUR, including malware, if we are careful and inspect the PKGBUILD file, we can know exactly what goes into the package: specifically, where the software is sourced from, whether it is in source code, or as a binary, that it was not modified after being downloaded (by checking the sha-sum), and exactly what commands are invoked to build it and install it. Also, on AUR website, there are comments and a report mechanism for anything malicious or untrustworthy.

In a sense, this is even safer than the official Arch repos. But it requires some effort from the user to understand what’s going on.

This is one of the reasons I’m not a fan of Ubuntu based distros. Unless you use flatpaks or snaps, you often have to add repositories in order to get the software you want, which always makes me uncomfortable. With an Arch based distro, as long as you have an AUR helper, nearly anything you could want is readily available from generally trustworthy sources.

Excellent point. Part of my new distro setup ritual is installing Seamonkey browser, Veracrypt, and youtube-dl-gui. With an Ubuntu/Debian distro I have to install PPAs, download a .deb package from the web, or build them from a downloaded tarball. With Endeavor I searched for them in pamac and there they were! In fact, I have found everything I have ever searched for in the official repos and/or the AUR. Why do people think Arch is weird and hard? It’s actually very convenient to use.

Because it has moderately high barriers to entry, compared to more consumer-friendly distros.

Arch is very convenient, indeed, but only if you have the curiosity to know your own computer, the willingness to do some simple maintenance, and derive pleasure from customising it and tinkering with it. The install process is intentionally cumbersome and somewhat poorly documented (no hand holding there, however, the rest of the Arch Wiki is probably the most detailed Linux resource on the internet). This is probably in order to dissuade newbies from signing up on Arch forums and being annoying over there.

EndeavourOS solves the “difficult installation problem”, if you could call it that, while still being minimalist and very close to vanilla Arch.

I think using 3rd party type repositories in Arch-like distributions poses the same dangers as in Ubuntu.

Certainly, you should have the same thought process when evaluating 3rd party repos for other distros but I think there are some inherent differences

• We have the AUR, which is a safer alternative and contains almost any package someone could want.
• For the larger distros(debian/ubuntu/fedora/etc), software publishers/developers often have their own repos which target those distros. I would say those are reasonably safe to use. If you don’t trust the developer, you probably shouldn’t be using the software anyway.
• Even without the AUR, the Arch repos are pretty huge compared to some other distros. The need to add 3rd party repos is much less.

Additionally, I think many users on those platforms don’t consider or understand the real risk of what they are doing. Someone sees a howto guide or a post somewhere that states to install this software, add this repo/ppa and they blindly do it.

Should we always check when downloading from AUR? How often do packages contain compromised code?

That is up to you. I would recommend at least briefly reviewing the PKGBUILD before installing something new. I also review the PKGBUILD diffs before updating which many AUR helpers make easy to do.

In the AUR? Almost never. I only know of one incident in 2018 where someone adopted 3 orphaned packages and injected a systemd service into them. Because the AUR is transparent, it was quickly identified.

In a 3rd party repo, it would be much harder to catch something like that since seeing what it inside the binary package is much more difficult.

Absolutely true, but then again you have to be able to recognize compromised code…

That really is the users responsibility users that use Arch have to take responsibility for their actions, Because they might as well stay with Windows. to partly quote Steve Jobs “Linux is not Windows” its for responsible users that care for security

Exactly.
I always raise my eyebrows at those who say to never use the AUR, because quite frankly without the AUR at least half the reason to run Arch, at all, is gone. It’s like buying a station wagon and refusing to use the space in the back for no good reason.

Does this apply to flatpaks and electron type apps?

Flathub, at least, is supposedly well curated.

In most cases, this is surprisingly easy to do and doesn’t require any special skills. There are a couple of good posts already on this site about how to do that so I won’t repeat it here but there are really only a few things you need to look at.

Even if you don’t check them yourself, the fact that they are public and transparent means that others can.

In reality, you should take responsibility for your actions no matter which OS you use. The only OS that I can think of that actually provides a reasonable amount of security protection to it’s users is iOS and it makes some major compromises to do it. Even then, it doesn’t make you invulnerable and you still need to make good decisions if you want to be secure.

Yes, a flatpak is just a different way of packaging and running applications. The same holds true, you need to be able to understand and trust the source. Before you add a new flatpak remote you need to make sure you trust it.

Electron is something different altogether. However, it doesn’t really have any bearing on this conversation one way or the other. An application built with/in electron is still an application. It can still contain malicious code just like any other application.

Honestly @dalto this should be pinned.
With so many bad actors out there these days, this is more relevant today than it was when you wrote it. You gave all the reasons why I only rely on the AUR. I read the PKGBUILD files, even though I don’t fully understand what it is doing, if only to try and learn how they go together. One day I will build my own If it can’t be pinned, please update it as a new post and maybe the management will see it’s importance today.