1

How can I trust any repositories like

sudo add-apt-repository ppa:upubuntu-com/tor

or

sudo add-apt-repository ppa:wagungs/Kali-linux

graham
aliarousyoucef
  • GPG keys are a method of [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography), and are safe enough to confirm that you did indeed download the package from where you were supposed to. Whether to trust that source or not cannot be verified by a key check (except probably keys which are universally established (e.g. `Ubuntu` package signing keys)). – xyz Aug 05 '14 at 14:37

2 Answers

7

You can trust them as much as you trust the people who put them up. Anyone can put up a PPA; a repository owned by some random user is obviously less trustworthy than the official LibreOffice PPA, for example.

evilsoup
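An inventory of whose PPAs a machine already trusts, as an added example that is not part of the original answers. It assumes one-line-style `deb` entries (not deb822 `.sources` files) and the Launchpad hostnames `ppa.launchpad.net` and `ppa.launchpadcontent.net`; the sample lines are constructed from the two PPA names in the question, and the keyring path and `disabled-owner` entry are hypothetical.

```python
import glob
import re
from urllib.parse import urlparse

# Hosts that serve Launchpad PPAs (older and current hostnames; assumption of this example).
PPA_HOSTS = {"ppa.launchpad.net", "ppa.launchpadcontent.net"}

# Constructed sample input: two official-archive/PPA lines, one disabled line, one pinned-key line.
SAMPLE = """\
deb http://archive.ubuntu.com/ubuntu jammy main universe
deb http://ppa.launchpad.net/upubuntu-com/tor/ubuntu trusty main
# deb http://ppa.launchpad.net/disabled-owner/old/ubuntu trusty main
deb-src [arch=amd64 signed-by=/etc/apt/keyrings/example.gpg] https://ppa.launchpadcontent.net/wagungs/Kali-linux/ubuntu trusty main
"""

def ppa_owners(sources_text):
    """Return sorted (owner, archive, signed_by) tuples for every enabled PPA entry.

    signed_by is the keyring path from a [signed-by=...] option, or None when
    the entry relies on the system-wide trusted keys.
    """
    found = set()
    for raw in sources_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore comments and disabled entries
        m = re.match(r"deb(?:-src)?\s+(?:\[([^\]]*)\]\s+)?(\S+)", line)
        if not m:
            continue
        options, uri = m.group(1) or "", m.group(2)
        url = urlparse(uri)
        parts = [p for p in url.path.split("/") if p]
        if url.hostname not in PPA_HOSTS or len(parts) < 2:
            continue  # not a PPA: official archive, mirror, or vendor repository
        signed_by = None
        for opt in options.split():
            key, _, value = opt.partition("=")
            if key == "signed-by":
                signed_by = value
        found.add((parts[0], parts[1], signed_by))
    return sorted(found, key=lambda t: (t[0], t[1], t[2] or ""))

if __name__ == "__main__":
    # Audit the local machine; fall back to the constructed sample if nothing is configured.
    paths = ["/etc/apt/sources.list"] + glob.glob("/etc/apt/sources.list.d/*.list")
    text = ""
    for path in paths:
        try:
            text += open(path, encoding="utf-8", errors="replace").read() + "\n"
        except OSError:
            pass
    for owner, archive, key in ppa_owners(text or SAMPLE):
        print(f"ppa:{owner}/{archive}  key: {key or 'system-wide trusted keys'}")
```

Each owner printed is an account whose uploads run as root at install time; a valid signature only shows the packages came from that account.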
2

Good question. The short answer is: you can't trust them.

  • It's a layman's answer and doesn't consider the private repository set up locally for an organisation. Nuking everything isn't the solution. – Tarun Maganti Feb 25 '20 at 05:54