How to determine if an application is safe for use on Ubuntu

I’m very new to making Ubuntu my daily driver OS. My question is: how do I determine if an application is downloaded from a reputable source using apt commands? I’m not sure where to find information on packages and how to verify the authors of said packages. The package I’ve already installed uses an API to OneDrive and is recognized by OneDrive as an unverified publisher (EDIT: I went back and discovered OneDrive by abraunegg is verified). That being said, many people have spoken highly of this application, which was installed by the apt command without adding additional repositories to search within.

So far I had a friend mention to me that out-of-the-box apt repositories are curated fairly well. I just shouldn’t add more repositories for apt to search from if I want to maintain a completely safe environment. Thanks for any information this community can provide me, and sorry for asking such a question; I just wasn’t sure whom to turn to for more information.

Asked By: churchill291


Your friend is right. As long as you install official applications from the official repositories that came with the operating system, you are almost guaranteed to be downloading safe and legit software. Don’t go around adding random repositories without good reason, and do research on such repositories before adding them.

Answered By: rando

Let’s work upstream to see where this software comes from.

First, let’s ask apt for some basic information:

$ apt show onedrive
Package: onedrive
...
Section: universe/net
...
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Sebastien Badia <sbadia@debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
...
Homepage: https://github.com/abraunegg/onedrive
...
Description: folder synchronization with OneDrive
 OneDrive is the cloud storage system of Microsoft. This package provides
 the command line client specialising in synchronizing with OneDrive cloud
 storage.

Next, let’s check the reported bugs for the Ubuntu package: https://bugs.launchpad.net/ubuntu/+source/onedrive

  • Result: Only two reported bugs, neither of which seems a security concern.

Now let’s go upstream to Debian: https://tracker.debian.org/pkg/onedrive

  • Result: Lots of maintainer action. New uploads, testing, backports. No serious actions needed. These are all good signs.

And let’s look at Debian’s list of bugs: https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=onedrive

  • Result: Few bugs reported, none seem a security concern.

Finally, let’s go upstream and look at the source project on GitHub: https://github.com/abraunegg/onedrive

  • Result: Active project, many contributors, new work being added, 16 reported "issues" (feature requests and bugs) that look fairly typical.
So the upshot is that this software comes from a seemingly healthy upstream project, is actively maintained at Debian, and has (apparently) no security-related bugs reported at any level.

It’s as safe as you can get for almost any software, short of doing a manual code audit or writing it yourself. But the reason you can check the provenance this way is because it is Open Source software.

Answered By: user535733
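The first step of the procedure above (reading what apt reports about a package) can be scripted. The following is an added example, not part of user535733's answer or of the onedrive project: a POSIX shell script that parses the output of `apt show` and `apt-cache policy`, reports the archive component, maintainer and upstream homepage, and flags any download source that is not one of Ubuntu's own archive hosts. The two sample outputs are constructed (the PPA line in particular is hypothetical) so the script runs offline; the list of hosts treated as "official" is this example's own assumption, not something apt reports.

```shell
#!/bin/sh
# Added example: summarise where an apt package comes from.
# On a real system replace the constructed samples with:
#   SAMPLE_SHOW=$(apt show onedrive 2>/dev/null)
#   SAMPLE_POLICY=$(apt-cache policy onedrive)

# Constructed sample of `apt show onedrive` (trimmed to the fields used here).
SAMPLE_SHOW='Package: onedrive
Section: universe/net
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Sebastien Badia <sbadia@debian.org>
Homepage: https://github.com/abraunegg/onedrive'

# Constructed sample of `apt-cache policy onedrive` with one version from the
# official archive and one from a hypothetical third-party PPA.
SAMPLE_POLICY='onedrive:
  Installed: (none)
  Candidate: 2.4.13-1
  Version table:
     2.4.99-0ppa1 400
        400 https://ppa.launchpadcontent.net/example/ppa/ubuntu jammy/main amd64 Packages
     2.4.13-1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages'

# field NAME TEXT: value of the first "NAME: value" line in apt show output.
field() {
    printf '%s\n' "$2" | sed -n "s/^$1: //p" | head -n 1
}

# component TEXT: archive component (main, universe, ...) from the Section field.
component() {
    field Section "$1" | cut -d/ -f1
}

# origins TEXT: distinct scheme://host values a version can be fetched from.
origins() {
    printf '%s\n' "$1" | sed -n 's#^ *[0-9][0-9]* \(http[s]*://[^/]*\)/.*#\1#p' | sort -u
}

# is_official HOST: succeeds for Ubuntu's own archive hosts (assumed list).
is_official() {
    case "$1" in
        http://archive.ubuntu.com|https://archive.ubuntu.com|\
        http://*.archive.ubuntu.com|https://*.archive.ubuntu.com|\
        http://security.ubuntu.com|https://security.ubuntu.com|\
        http://ports.ubuntu.com|https://ports.ubuntu.com) return 0 ;;
        *) return 1 ;;
    esac
}

# third_party_count TEXT: number of sources that are not Ubuntu's own archive.
third_party_count() {
    n=0
    for h in $(origins "$1"); do
        is_official "$h" || n=$((n + 1))
    done
    echo "$n"
}

# report: the human-readable summary.
report() {
    echo "Package:    $(field Package "$SAMPLE_SHOW")"
    echo "Component:  $(component "$SAMPLE_SHOW")"
    echo "Maintainer: $(field Maintainer "$SAMPLE_SHOW")"
    echo "Upstream:   $(field Homepage "$SAMPLE_SHOW")"
    echo "Sources:"
    for h in $(origins "$SAMPLE_POLICY"); do
        if is_official "$h"; then
            echo "  $h (official Ubuntu archive)"
        else
            echo "  $h (third party: review this repository before trusting it)"
        fi
    done
    echo "Third-party sources: $(third_party_count "$SAMPLE_POLICY")"
}

report
```

The script only automates the reading of apt's own metadata; the bug-tracker and upstream checks in the answer still need a human to look at them. A third-party source being flagged is not proof of anything bad, only a prompt to do the research the first answer recommends before trusting that repository.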

Disclaimer: I am the developer of the ‘onedrive’ application.

The package I’ve already installed uses an API to OneDrive and is recognized by OneDrive as an unverified publisher.

The application is actually verified!

For further details, please read: https://github.com/abraunegg/onedrive/blob/master/docs/application-security.md

Answered By: abraunegg