Are the programs in Ubuntu Software Center spyware free?

Is there a process to ensure there's no malware? No. There are no guarantees at all.

There are, however, several mechanisms to try and detect it but while I don't want to get too doom-and-gloom, if we're honest, you're probably not as safe as you'd like to be.

  1. A project first has to get added to Ubuntu. As Rinzwind says, checks are made at this stage but that's really only the tip of the iceberg that is the life of a package in Ubuntu.

  2. The first real line of defence for long term packages are their project maintainers. These people look after their projects and accept patches to improve them. They are human. They make mistakes and miss things. And some might be lazy.

    It is possible that a bad person could sneak some malware past them by including genuine improvements along with the malware.

    If something bad is admitted into a project by its maintainer, save a successful audit, chances are that code will end up on Ubuntu users' machines.

  3. Security audits are the second step. This is examining the code and running it against monitors to detect bad things. As far as I know, there isn't an official Canonical team dedicated to security but there are two community teams (Ubuntu Security and MOTU SWAT) that handle all the packages between them.

    Auditing only really works if every line of code is checked properly before it goes out to users. This isn't really practical for the amount of code and number of updates we're talking about. It would take a huge amount of time and money to do it this way.

    There is an assumption in the open source world that just because somebody can view the source, they have. This is a very dangerous ethos to maintain.

    Security fixes are largely reactionary to people finding and disclosing holes. What happens if somebody discloses a hole they find?

  4. Other "end users" reporting problems is the final real detection mechanism and let's be honest, good malware won't let the user know there's a problem until it's far too late to make a difference. Well written malware isn't going to flip your screen or steal all your bandwidth, it's going to sit there in the background, logging all your banking details before it posts them all off to some anonymous dump somewhere.

The whole process depends on upstream projects to maintain their own security levels. If somebody slipped something past the maintainer of the Gnome calculator, chances are it's going to get missed by everybody else down the line. A security-team will never suspect it either.

Thankfully most maintainers are good at what they do. They know their codebase and if they don't understand patches, they'll reject them on the basis that they're not clear enough.

In terms of risk assessment, by using something that is a lot less popular, there are likely fewer eyes checking the code. But similarly there are probably fewer commits, so as long as the maintainer isn't lazy (or evil), they might have more time to deal with each commit. It's hard to say exactly how much risk you're at. Open source software's security depends on capable people looking at the code.

Conversely the closed source items (in the partner and purchase repos) are completely unaudited by the community. Canonical may have some source access, but frankly I doubt they have the resources to give things thorough audits even if they had source access and wanted to.

Similarly with PPAs, you get very little protection unless you want to dive into the source yourself. Users can add whatever they like to the source code and unless you're going to check it out yourself (and you're capable of detecting malware), you're a sheep surrounded by wolves. People can report bad PPAs but something happening depends on other people checking and confirming the problem. If a big site (eg OMGUbuntu) recommended a PPA (as they often do), lots of users may have issues down the line.

To compound the problem, the lower market share of Linux users means there's just less software available for us to hunt down bad code. I hate to say it but at least with Windows, you have dozens of companies spending every working day finding out how bad software works, how to detect it and how to remove it. That was a market born from necessity and while I hate to say this too, things are probably going to get worse here before they get better.

For the security paranoids, I wrote a short article a while ago: Linux isn't invulnerable. Don't say it is. Sneaking things into the repository probably isn't going to be the primary attack vector for the asshats that distribute malware. It's far more likely (IMO) that they'll play on the greed and stupidity of users to get them to install infected .debs.


Yes. Packages are checked by the community (so one person might install some malware, but that news will spread quickly amongst all users).

Apps need to abide by very strict rules outlined in licensing.

The wiki page for new packages has a bit more information:

Going through MOTU

Packages which are not in Ubuntu yet require extra scrutiny and go through a special review process before they get uploaded and get a final review by the archive admins. More information on the review process, including the criteria which will be applied, can be found on the Code Reviewers page. Developers are encouraged to examine their own packages using these guidelines prior to submitting them for review.

To receive higher quality bug reports write an apport hook for your package.

That said, the general idea is: if you find something suspicious, you report it on Launchpad, Ask Ubuntu or Ubuntu Forums and someone will pick it up.

What could happen is that a creator of malware makes a valid package, gets it accepted and then makes an update that adds the malware. At least one of the many, many always catches this and he/she will report it somewhere. It is not going to get onto lots of machines this way. (The effort of getting it onto our machines is too much for the potential reward: targeting Windows machines is much easier.)

Example of things going terribly wrong with Bumblebee. Someone missed a space and /usr got deleted... some people got affected, one posts a warning with red flags and now we all know. Creator fixes it (faster than the speed of light) but the damage was done to several systems. And this was a mistake and not deliberate, so it can happen ;)
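The two scenarios in the answer above (an update that adds something nasty, and the Bumblebee-style stray space in a script) are both cases where reading the maintainer scripts of an updated package is the check that catches it. Below is an added example, not code from the answer or from Debian/Ubuntu tooling: a small static lint that flags recursive `rm` calls aimed at a top-level system directory, and variable-expanded targets that cannot be verified by reading alone. The `PROTECTED` list and `SAMPLE_SCRIPT` are assumptions constructed for this thread.

```python
"""Static lint for a package's shell scripts (postinst/prerm, install.sh):
flag recursive 'rm' calls aimed at a top-level system directory, the
shape of the Bumblebee bug mentioned above (a stray space turned one
path into two arguments). Added example for this thread, not Debian or
Ubuntu tooling; PROTECTED and SAMPLE_SCRIPT are assumptions."""
import shlex

# Directories no maintainer or install script should ever remove wholesale.
PROTECTED = {"/", "/bin", "/boot", "/etc", "/home", "/lib", "/lib64",
             "/opt", "/root", "/sbin", "/usr", "/var"}
CONTROL = set("();<>|&")            # shell operators that end a command
RM_NAMES = {"rm", "/bin/rm", "/usr/bin/rm"}


def _normalise(path):
    """'/usr', '/usr/' and '/usr/*' all name the same directory."""
    return path.rstrip("*").rstrip("/") or "/"


def _commands(line):
    """Split one shell line into argv lists, cutting at ; && || | etc."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.wordchars += "${}"          # keep "$PREFIX/" as one token
    commands, current = [], []
    for tok in lexer:
        if tok and set(tok) <= CONTROL:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def _is_recursive(flags):
    return any(f == "--recursive" or
               (f.startswith("-") and not f.startswith("--") and ("r" in f or "R" in f))
               for f in flags)


def find_destructive_rm(script):
    """Return [(lineno, target, reason)] for every risky rm target."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        try:
            commands = _commands(line)
        except ValueError as exc:            # e.g. unbalanced quotes
            findings.append((lineno, line.strip(), f"unparseable: {exc}"))
            continue
        for argv in commands:
            if argv[:1] == ["sudo"]:
                argv = argv[1:]
            if not argv or argv[0] not in RM_NAMES:
                continue
            flags = [a for a in argv[1:] if a.startswith("-")]
            targets = [a for a in argv[1:] if not a.startswith("-")]
            if not _is_recursive(flags):
                continue
            for t in targets:
                if t.startswith("$"):
                    findings.append((lineno, t, "expands a variable; cannot be verified statically"))
                elif _normalise(t) in PROTECTED:
                    findings.append((lineno, t, "recursive delete of a top-level system directory"))
    return findings


# Constructed sample; line 4 has the Bumblebee-style stray space.
SAMPLE_SCRIPT = """\
#!/bin/sh
# Constructed install script for the example above.
set -e
rm -rf /usr /lib/nvidia-current/xorg/xorg
rm -rf /usr/lib/nvidia-current/xorg/xorg   # what was intended
cd /tmp && rm -rf build-dir
rm -rf "$PREFIX"/
"""

if __name__ == "__main__":
    for lineno, target, reason in find_destructive_rm(SAMPLE_SCRIPT):
        print(f"line {lineno}: {target!r}: {reason}")
```

Run it over the `DEBIAN/postinst`, `prerm` and similar scripts you get from `dpkg-deb -R package.deb dir` for the old and new versions; a target that only appears in the update, or a variable whose empty expansion would turn `rm -rf "$PREFIX"/` into `rm -rf /`, is exactly what a reviewer wants pointed out before the package reaches users.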


I assume that nobody can assure you of that. You would have to check what has to happen for a package to be added to the Debian package index, but I think that you should be able to slip something evil in there.

You can set up a virtual machine and try the software there; you can then look over the network traffic with something like iftop to see whether this application talks to home. Chances are that you will never see anything because it is hidden too well.

Open Source does not mean security; just because you can look at the code does not mean that somebody did.
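The VM-and-watch-the-traffic approach in the answer above, as an added example that is not part of the original post: iftop shows flows but not which process opened them, so this script parses `ss -tnp` output instead (the `ss` tool and its column layout are assumed here, not taken from the answer) and keeps only connections to publicly routable peers, optionally for one process name. `SAMPLE_SS` is constructed output; `live()` runs the real command inside the guest.

```python
"""Attribute a VM's outbound TCP connections to the process that owns
them, so an unfamiliar package can be watched for 'talking home' as the
answer suggests. Added example for this thread, not Ubuntu tooling; it
parses 'ss -tnp' output (assumed tool and column layout) rather than
iftop, because ss names the owning PID. SAMPLE_SS is constructed."""
import ipaddress
import re
import subprocess

STATES = {"ESTAB", "SYN-SENT", "SYN-RECV", "FIN-WAIT-1", "FIN-WAIT-2",
          "TIME-WAIT", "CLOSE-WAIT", "LAST-ACK", "CLOSING"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def _split_endpoint(endpoint):
    """'93.184.216.34:443' or '[::1]:631' -> (ip_text, port)."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]").split("%")[0], int(port)


def parse_ss(output):
    """Turn 'ss -tnp' text into dicts; header and wildcard rows are skipped."""
    conns = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in STATES:
            continue
        state, _recvq, _sendq, local, peer = parts[:5]
        match = PROC_RE.search(" ".join(parts[5:]))   # absent for TIME-WAIT etc.
        proc, pid = (match.group(1), int(match.group(2))) if match else ("?", None)
        try:
            peer_ip, peer_port = _split_endpoint(peer)
            ipaddress.ip_address(peer_ip)
        except ValueError:                            # e.g. '*:*'
            continue
        conns.append({"state": state, "local": local, "proc": proc,
                      "pid": pid, "peer_ip": peer_ip, "peer_port": peer_port})
    return conns


def external_connections(conns, process=None):
    """Keep connections to publicly routable peers (drop loopback, RFC 1918,
    link-local); optionally restrict to one process name."""
    kept = []
    for c in conns:
        addr = ipaddress.ip_address(c["peer_ip"])
        if addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_unspecified:
            continue
        if process is not None and c["proc"] != process:
            continue
        kept.append(c)
    return kept


def live(process=None):
    """Run ss inside the guest (iproute2; root needed to see other users' PIDs)."""
    out = subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=True).stdout
    return external_connections(parse_ss(out), process)


# Constructed 'ss -tnp' output: one local sshd session, local CUPS and
# Postgres chatter, and an unfamiliar 'newapp' reaching public addresses.
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port    Peer Address:Port      Process
ESTAB     0      0      10.0.2.15:22          10.0.2.2:51044         users:(("sshd",pid=812,fd=4))
ESTAB     0      0      127.0.0.1:41230       127.0.0.1:631          users:(("cupsd",pid=640,fd=11))
ESTAB     0      0      10.0.2.15:48722       93.184.216.34:443      users:(("newapp",pid=2241,fd=7))
ESTAB     0      0      [::1]:5432            [::1]:55810            users:(("psql",pid=2300,fd=3))
SYN-SENT  0      1      [2001:db8::15]:48730  [2606:4700::1111]:443  users:(("newapp",pid=2241,fd=9))
TIME-WAIT 0      0      10.0.2.15:48711       93.184.216.34:80
"""

if __name__ == "__main__":
    for c in external_connections(parse_ss(SAMPLE_SS)):
        print(f"{c['proc']}[{c['pid']}] -> {c['peer_ip']}:{c['peer_port']} ({c['state']})")
```

Poll `live("newapp")` every few seconds while you exercise the application; a process that only talks to the hosts its documentation mentions is one thing, an unexplained public endpoint is what you are looking for. As the answer says, a careful implant can still hide (short-lived connections, DNS-only traffic, or waiting until it is no longer in a VM), so an empty result is not a clean bill of health.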