Ubuntu Makes ‘Significant’ Security Change to PPAs for 23.10

The way PPAs are managed is changing in Ubuntu 23.10.

A new version of the software-properties package is rolling out to Mantic Minotaur daily builds. The update makes brings a “significant change” to the way personal package archives (better known as PPAs) are managed on Ubuntu systems.

What’s changing?

Well, in current versions of Ubuntu when you add a PPA (via the command line — you can add them via Software & Updates but I’m not sure how key handling works there) a .list file for the PPA is created in /etc/apt/sources.list.d/, and the corresponding gpg keyring placed at /etc/apt/trusted.gpg.d.

From 23.10 onwards, PPAs will be added as deb822-formatted .sources files, which have their corresponding gpg keys “directly embedded into the file’s Signed-Byfield”, according to Ubuntu devs.

They say this change offers a number of benefits:

• Removing a PPA will now removes its associated key
• Keys are unique to a PPA and cannot be used for other repositories
• Other keys cannot be used to sign a PPA

Or, for the tl;dr: it’s safer and simpler, innit.

Devs say they “these enhancements will enhance the security and reliability of managing PPAs” on Ubuntu. Now, I’m not a repo expert by any stretch, much less a security expert, but from the sounds of things that’s exactly what this change will do.

Despite their comparative convenience PPAs aren’t actually considered all that safe. Downsides including PPAs having root access to your system.

In theory, you could add a PPA to install foo, and it works wells. A few days later the maintainer of the PPA uploads a totally different, and malicious app, named foo and it gets installed on your system alongside your other software updates and… Well, who knows!

Thankfully, as far as I am aware, nothing like this has ever happened (though plenty of inadvertent system screws-up caused by PPA maintainers later adding updated/unstable versions of core system packages has).

Anyway – the new approach Ubuntu devs outline today can’t wave away all of those vectors, but it has to be said that improving security and emphasising trust between the user adding a PPA and the person maintaining the PPA is certainly a welcome step.

Personally, I look forward to no longer needing to delete a ton of .list files for PPAs I no longer use.

More details in the Ubuntu Developer mailing list announcement, and be sure to let me know your thoughts on PPAs (either regarding this change or just in general) down in the comments.