Score:-2

Is git-lfs package on apt actually secure? How would a consumer know?

br flag

git-lfs docs only suggest using packagecloud, but there's a base apt package now, as referenced by https://askubuntu.com/a/1418540/431220.

The question is: how can I as a consumer know if this apt package is safe to use, instead of relying on the packagecloud solution, which is frankly (to me) 10x worse, since I do not want to be dealing with manual package management.

muru avatar
us flag
The question is not answerable unless you define what makes something "safe" for you. What will it take for _any_ package to be safe?
Score:2
cn flag

The packaging system has a lot of transparency so you can learn how to check these little details for yourself.

Working backwards:

Each package in the Ubuntu repositories is cryptographically signed, and that signature is routinely checked by apt to prevent man-in-the-middle attacks.

The package in the Ubuntu repositories comes from an upstream Debian source package. (See apt show git-lfs)

The Debian package is maintained by a team, and has been uploaded by the same person for years. (See https://tracker.debian.org/pkg/git-lfs)

So it's really a question of whether you trust that one volunteer who has been (thanklessly) maintaining that same package for many years. It's the same question you had before: Did you trust the developers of the software?

To go truly deep, you can audit the code at any step from the developers to Debian to Ubuntu (it's open source). How deep you want to go is up to you. The transparency in both code and process is there.
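The checks this answer walks through (who the Maintainer and Original-Maintainer are, which component the package sits in, and whether the downloaded .deb matches the hash advertised by the signed index) can be scripted. This is an added example, not part of the original answer; the package record below is a constructed sample, and on a real system you would feed it the output of `apt-cache show git-lfs` and a file from `apt-get download git-lfs`.

```shell
#!/bin/sh
# Added example: summarise provenance fields of an apt package record and
# verify a downloaded .deb against the SHA256 listed in the Packages index
# (that index is itself covered by the GPG-signed Release file apt verifies).

# Print the first occurrence of header field $1 from a control-style record on stdin.
field() {
    sed -n "s/^$1: //p" | head -n 1
}

# Read a package record from stdin and report who stands behind it.
provenance_summary() {
    rec=$(cat)
    maint=$(printf '%s\n' "$rec" | field Maintainer)
    orig=$(printf '%s\n' "$rec" | field Original-Maintainer)
    sect=$(printf '%s\n' "$rec" | field Section)
    case "$sect" in
        universe/*|multiverse/*) support="community-supported ($sect)" ;;
        "")                      support="section unknown" ;;
        *)                       support="Canonical-supported ($sect)" ;;
    esac
    printf 'maintainer=%s; upstream=%s; %s\n' "$maint" "${orig:-none listed}" "$support"
}

# Return 0 when the .deb at $1 hashes to the SHA256 $2 taken from the index record.
verify_deb_hash() {
    deb=$1; expected=$2
    actual=$(sha256sum "$deb" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Constructed sample record (the email for the upstream team is a placeholder).
SAMPLE_RECORD='Package: git-lfs
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Debian Packaging Team <team@example.org>
Section: universe/vcs'

printf '%s\n' "$SAMPLE_RECORD" | provenance_summary
```

A mismatch from `verify_deb_hash` means the file you hold is not the one the signed index describes, whatever its origin.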

Score:1
cn flag

Did you look?

Your question to me is somewhat clear, and you didn't provide a release (thus I've used my own), but looking at the package details can provide some level of security.

https://packages.ubuntu.com/mantic/git-lfs

That page alone gives me great details, including that the Original Maintainers are more (beyond just MOTUs).

It tells me it's a community supported package (thus being found in universe), providing links to the changelog, which actually confirm details from the first page I provided (i.e. maintained mostly by Debian).

How far in this exploration I'd go will depend on how secure I want to be, which may be exploring in upstream Debian sid, then to its source, looking at past changes & how regular they are, especially post-changes occurring further upstream, etc. etc.

How secure something is is very subjective, though, and how far I'll go will depend on how nervous I am, and on how much security matters for my intended usage.

guiverc avatar
cn flag
You didn't provide release details; if you provided that detail I'd have chosen another release, and there are many ways of looking at this detail too (*including from terminal without clicking links on a browser that I mention above as it's easier for readers on sites such as this*)
guiverc avatar
cn flag
For my own assessments, I'm aware of Ubuntu *development* (inc. *freeze* cycles) given they're extremely easy to predict (esp. *given 3rd Thursday of month of April & October release dates and only minor changes from that if required*), but if I look at Debian where there aren't defined dates (esp. *freezes in that it's decided 'by consensus' with details on ML threads*) it's still available online, thus freezes can be somewhat known, which explains differences in when packages get uploaded/changed esp. from further upstream of Debian with somewhat clear 'comfort' - this research gives 'comfort'
allidoiswin avatar
br flag
Nice, the "tells me it's a community supported package" is pretty much 90% the answer, but the rest of the answer was great as well. The question was asked at a level where I didn't know how to understand package details, and you helped clarify how to interpret them. Thanks!