malicious ppa

Asked by monkeybrain2012

Hi,

I would like to report repositories by Rob Savoury. He maintained a lot of PPAs at Launchpad, e.g. https://launchpad.net/~savoury1/+archive/ubuntu/ffmpeg6

Lately he switched to a subscription-only model so that only paid users can get updates. That in itself is not a problem to me. But instead of just taking down his free repos so non-subscribers can no longer get updates, he made it so that if non-subscribers try to update via apt upgrade, the already installed packages would be removed. This can totally break the users' system if they are not careful (e.g. clicking update at the software notifier popup). E.g. an attempt to upgrade ffmpeg from the PPA above would wipe out your system.

I have contacted Savoury to advise him to simply disable the PPAs and start new ones for subscribers, but his response was abusive and rude. These PPAs are effectively acting like malware. I think this kind of behavior should have no place in the Ubuntu community.

(Also, the dependencies are spread throughout many repos so that it is not possible to roll back with tools like ppa-purge. As a general point, users should avoid PPAs that upgrade many components and spread through different repositories.)

Please look into it.

Question information

Language: English
Status: Answered
For: Launchpad itself
Assignee: No assignee
Colin Watson (cjwatson) said :
#1

We mostly try not to get involved in what people do with their PPAs. They may often not be ideally-structured, but that's up to their owners to sort out; we don't generally have the time or (often) the expertise to actively moderate them. (I'm also aware of Rob Savoury's desire to move to a subscription access model for the work he's doing; in fairness, part of that is waiting on action from us.)

We would take an interest in active malice, though. Could you please point to the actual code that deliberately breaks people's systems? That's a serious allegation, but I couldn't find anything like that from a quick glance through the PPA you referred to.

monkeybrain2012 (kammon101) said :
#3

The code itself is not malicious, but if you set up your PPA in such a way that a routine upgrade will remove half of your system, that is malicious behavior (say you click "yes" when the software center popup invites you to update, or if you just hit "yes" with sudo apt upgrade before you realize it is too late).

I emailed the maintainer thinking that it might be a packaging error, but his reply was that he needed to make a buck, so from now on only paid subscribers can get updates. So it was by design.

Like I said, I don't have a problem with him closing down his PPA and setting up a new one for paid users only, but if trying to remove what you have already installed through "upgrade" is not malicious, I don't know what is.

Colin Watson (cjwatson) said :
#4

That's the sort of thing that easily results from dependency tangles, though, and my understanding was that package managers generally present you with lists of packages that are going to be removed so that you have the opportunity to confirm it. I'm asking whether you can point to something obviously deliberately designed to cause trouble (like a Conflicts on a base OS package or something) or whether it's more like a bug that the PPA owner is refusing to fix.

Perhaps if you could share the specifics of the bug report that you sent to the maintainer then that would be helpful.

monkeybrain2012 (kammon101) said (last edit ):
#5

Just to be clear, I am not saying he planted malicious code. What I think happens is that he has some key dependencies stored in some hidden repo that only paid users have access to, so if some unsuspecting users who added the free PPAs before they went paid-only go ahead with an update, the unmet dependencies will trigger a removal. However, since some of the components of these PPAs are also key for the system, it will render a completely broken system.

As I said, I have emailed him asking him to take down the PPAs so that users won't accidentally wipe out their system. (I am always careful about updates and I had disabled his ffmpeg 6 PPA prior to that; I just reactivated it to check if there was any update out of curiosity, so I was not harmed, nothing personal.) But his reply indicated he knew what would happen, and that I think is wrong.

I think these repos should be taken down for safety reasons; whether there is malicious code is irrelevant, it is just dangerous for unknowing users to add them. There are quite a few online tutorials telling people to get the latest ffmpeg or whatnot from these repos (before they went subscriber-only, which just happened this month apparently). If inexperienced users just cut and paste the commands they are going to be in great pain; the result is almost like running sudo rm -r /*

Colin Watson (cjwatson) said :
#6

I'd still really appreciate _specifics_ here: do you have a transcript of the buggy upgrade process? Please?

monkeybrain2012 (kammon101) said (last edit ):
#7

It seems that synaptic and the command-line upgrade behave differently. In synaptic half of the system will be removed, but apt -s upgrade only shows that the packages are held back.

I will not go ahead to test it out obviously.

Jürgen Gmach (jugmac00) said :
#8

In order to test things you could spin up a Docker or lxd container.

Guruprasad (lgp171188) said (last edit ):
#9

We are waiting for more information from the OP.

Rob Savoury (savoury1) said (last edit ):
#10

Hello, chiming in here due to being the owner of the PPAs in question. This person wrote me repeated abusive and hostile emails due to not liking the fact that they could no longer access certain upgrades at my PPAs since a switch to "subscriber" with a new private PPA (they are one of many people who wrote such abusive emails to me, sadly). Their statements that I was abusive and rude are simply false. What I did write to them were some bluntly honest words attempting to reflect to them that they were being abusive in their demands that I do this or that based on their personal preferences. These are _my_ PPAs after all!

The behaviour of this person is what has no place in any community, Ubuntu or otherwise. They have behaved in a completely "entitled" manner, as if I am somehow providing some kind of public service paid for by tax dollars or something, rather than writing to me with respect and appreciation for the thousands of hours of my life that I've put into all the many PPAs that I kindly offer to the Ubuntu community, almost all of which are still fully freely available to all. It is only a few popular audio/video (i.e. FFmpeg 5/6) and graphics software (i.e. Blender) packages that are now available to "subscribers" only.

It seems that my ppa:savoury/ffmpeg4 has become something of the "default" FFmpeg repo on the Internet in recent years, recommended by all kinds of tech blogs and articles. Yet the writers of said blogs and articles failed to ever actually be respectful enough to even mention me by name in their articles, or to point people directly to my own words and information at my Launchpad site (even with publicly posted requests by me to do so, i.e. a pinned post on my Twitter account for many months). Unfortunately, that results in people not being aware of changes at my ppa:savoury1/ffmpeg4 repo, such as this change to "subscriber" for certain latest builds that happened on 23 March 2023.

For the record, there was absolutely no malicious intent on my part at any point in any of this process. Again, the claims by this abusive person are simply false and based on no factual evidence whatsoever. If APT package management prompts a user to remove packages that were installed from my PPAs (not Ubuntu system packages from official repos), then it is up to the individual user to look at those prompts carefully before proceeding. FFmpeg is _not_ critical system software, and its removal _cannot_ (to my knowledge at least) result in a non-functional system (i.e. bootup, display, networking, etc. are not at all affected by FFmpeg being installed or not).

APT package management is not perfect, a fact that I'm sure any long-time Ubuntu user knows. For instance, when one new dependency now in the private PPA is not available, then why does APT prompt to remove all FFmpeg-dependent packages, rather than simply placing a "hold" on current versions due to not being able to access a single new dependency? This question is of course off topic from this false complaint, and is rather about the overall algorithms programmed into APT by the Debian (and Ubuntu) developers.

Once again and for the public record, there was _never_ any malicious intent on my part with the recent changes to a "subscriber" model for FFmpeg. It was a change based on the fact that my work at many PPAs since August 2019 was being used by huge numbers of people, including many commercial for-profit enterprises, with almost none ever even reading my own words. Including words stating that more donations are required to support the continuation of the project, which have been publicly on my main Launchpad page and also all my popular PPAs for at least a year (or even two years in some cases).

The work on my Launchpad PPAs has in fact been my main "day job" for years now, so it only seems fair that more people using such popular software as FFmpeg actually support the project via donation. In any case, due to the many complaints directed at me since the 23rd March change, I have now uploaded completely "generic" builds of FFmpeg 4.4.3 to ppa:savoury1/ffmpeg4 (without all the "bells and whistles") that will allow anyone who has not donated to continue using that PPA without any issue. Thus, any possible APT upgrade/removal issues are now completely remediated for ppa:savoury1/ffmpeg4 specifically.

Several other PPAs of mine are now usable only by "subscribers" whom I choose to allow to access the new private PPA. Such software includes FFmpeg 5/6 as mentioned above, as well as HandBrake, mpv, VLC, and Blender. Again, none of which have _any_ impact on critical system stability or functionality if they happen to be removed due to an APT-related process for someone who has not supported my work. There are clear notices posted on each of the PPAs in question requiring "subscriber" access that they now require the new private PPA.

It is up to each and every user to take responsibility for their own system, and to make sure they read the words by any PPA maintainer such as myself. The hostile attitude of blame directed at me by not just this user but many such users of my work is completely and utterly unreasonable. Gratitude for all the effort I've put in, that so many have now been benefiting from for years, would be more appropriate than these abusive and false accusations.

This is a long reply, but all relevant words in response to this false and malicious attack on my character. An attack by someone who is essentially making hostile complaints about the fact that they can no longer get all the best "good stuff" for free from me, as they no doubt did for years. It really is quite sad that such people with such "entitled" disposition feel free to abuse those of us who put in thousands of hours to the free and open source software movement.

Again, it is up to each and every user of Ubuntu PPAs to do "due diligence" and take on personal responsibility for their own system(s), making sure that they read the words by the person(s) maintaining any particular PPA(s). Why anyone would simply install a PPA to their system, based on some tech blog link saying "add ppa:savoury1/ffmpeg4 it's great", but without actually reading the words of the PPA maintainer carefully is beyond me! Such lack of personal responsibility is the core to this entire situation, as an article I recently posted on my Medium account (linked from my main Launchpad page) goes into some depth discussing.

Sincerely,
Rob Savoury

eldorel (eldorel) said :
#11

So I'd like to chime in with a statement of support for this report.

Last night, I was distracted and missed Rob's subtle, *single-line*, plain-text "clear notice" in the description block for the VLC PPA, and my laptop's Mint install fell apart.

So I literally just spent 4 hours repairing the LTS install on my primary system because I realized that the errors that have been keeping apt from updating for the last few weeks were caused by the same issue that took out my laptop.

Despite his insistence that his PPAs only contain "non-critical system software", this recent change *does* have the potential to *massively* break a system.

The underlying issue is that over the interim period, Rob has added the backports for multiple other rather important packages to his application PPAs for compatibility reasons, and has been updating them to newer versions.

So users on LTS releases like myself can be stuck with a series of broken package dependencies that cannot be quickly, safely, or automatically resolved because the local version is newer than the official repositories.
And some of us have stupid/distracted moments and hit Y.

In my case I was installing new IP cameras, so I needed a newer version of VLC.
A quick Google search for VLC backports brought up Rob's vlc3 repo.
> https://launchpad.net/~savoury1/+archive/ubuntu/vlc3

Since I was already using his other repositories without issue for almost 2 years, I went ahead and added this one to two systems without carefully reading the entire page.

The result was a ton of packages being in an inconsistent state, anything relying on gstreamer being uninstalled (including libreoffice for some reason), and even parts of the MATE desktop environment being broken enough to disable one of my monitors on both machines when logged in.... (That screen is inverted and using a DisplayLink dock, so there are a few dependencies that need to be present.)

It even resulted in the ubuntu-system-adjustments package's systemd unit file being masked on my desktop somehow, which causes 'dpkg --configure' to fail... so apt, synaptic, and aptitude were unable to run (an easy fix, but only because I already knew what 'masked' meant).

So I ended up reinstalling the OS on my laptop and using aptitude on my desktop to manually select the 'official repo' versions for the packages that had been updated by the affected PPAs.
(And since trust was violated, I went ahead and rolled back 100% of the backports and removed the PPAs completely.)

While doing this, I figured out that the chain of events was that the Savoury PPA's change caused Pipewire to be removed, which triggered a chain that broke a couple of other packages and resulted in a HUGE number of packages being removed. (Even *network manager* broke...)

I don't have time to test this yet, but these steps should work if you want to try and replicate this:

1) Install a new LTS system (bonus: use Linux Mint. It breaks even more dramatically... I just reinstalled the OS on my laptop though.)
2) enable the savoury1/backports PPA
3) follow the directions on the savoury1/vlc3 PPA to install "_all_ latest dependencies" and VLC
4) Reboot.
5) Attempt to remove the PPA
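The thread turns on one check: whether an upgrade would remove packages, and whether the user sees that list before answering "Y". Below is an added example (not posted by anyone in this thread) that dry-runs the upgrade with apt-get's simulation mode and refuses to proceed if anything would be removed; the sample simulation text and package names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate "apt-get full-upgrade" on a dry run so that packages
# scheduled for removal (e.g. after a PPA dependency became unreachable)
# are shown and the upgrade is refused instead of being confirmed blindly.
# Assumes apt-get's simulation output, which prints one "Remv <pkg> [ver]"
# line per package it would remove (alongside "Inst" and "Conf" lines).

# Print the sorted, de-duplicated names of packages a simulated run would remove.
# $1: captured output of "apt-get -s upgrade" or "apt-get -s full-upgrade"
removals_from_sim() {
  printf '%s\n' "$1" | awk '$1 == "Remv" { print $2 }' | sort -u
}

# Number of packages that would be removed (0 when the run is safe).
removal_count() {
  removals_from_sim "$1" | awk 'END { print NR }'
}

# Constructed sample of a simulation in which a PPA-supplied dependency is no
# longer available, so APT proposes removing the packages that needed it.
SAMPLE_SIM='Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  ffmpeg libavcodec58 vlc
Inst libexample1 [1.0-1] (1.0-2 ppa:example-placeholder [amd64])
Remv ffmpeg [7:4.4.2-0ubuntu0.22.04.1]
Remv libavcodec58 [7:4.4.2-0ubuntu0.22.04.1]
Remv vlc [3.0.16-1build7]
Conf libexample1 (1.0-2 ppa:example-placeholder [amd64])'

# Wrapper for a real system: simulate first, upgrade only if nothing is removed.
# Returns 1 (and lists the packages) when the upgrade would remove anything.
safe_upgrade() {
  sim=$(apt-get -s full-upgrade 2>&1) || return 2
  if [ "$(removal_count "$sim")" -gt 0 ]; then
    echo "Refusing to upgrade; these packages would be REMOVED:" >&2
    removals_from_sim "$sim" >&2
    return 1
  fi
  apt-get full-upgrade
}

# Demonstration against the constructed sample (no apt needed):
echo "Packages the sample run would remove: $(removal_count "$SAMPLE_SIM")"
removals_from_sim "$SAMPLE_SIM"
```

Run safe_upgrade with root privileges in place of a bare apt-get full-upgrade; a non-zero exit with a package list is the signal to stop and inspect which repository those packages came from before touching anything.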

verdooft (verdooft) said :
#12

I use many PPAs from Rob and don't have problems. Sometimes I had to add packages from deb-multimedia, that's all. Sure, when I use PPAs, I know it's not official and I have to deal with possible problems and dependencies.

I suggest: only use PPAs when you are an advanced user and when you are able to look at the output from, for example, apt full-upgrade before you decide to confirm or cancel it.
