How to use a PPA in Linux to install applications safely


When you install applications on any Ubuntu-based distribution, the apt package manager is utilized — whether you use the command line or a GUI tool. The apt package manager connects with Personal Package Archives (PPAs) to locate the package you wish to install. 

What are PPAs?

Essentially, PPAs allow developers to create repositories to house software users can install. Think of PPAs in a similar vein to Apple’s App Store or the Google Play Store — a remote location that stores a wealth of applications you can easily install. As long as the app you want to install is housed in the repository, you can always install it.

But Ubuntu/Debian repositories have a trick up their sleeve that MacOS doesn’t by way of PPAs. 

Remember, that first “P” in PPA stands for Personal, meaning anyone can host a repository housing Linux software. 

However, before we get into that process, let’s talk about the official Ubuntu repositories, of which there are four:

  • Main – Canonical-supported free and open-source software repository
  • Universe – Community-maintained free and open-source software repository
  • Restricted – A repository that houses proprietary drivers
  • Multiverse – A repository that houses software that is restricted by copyright

Those four repositories can easily be enabled or disabled within the Software & Updates tool. All four are enabled out of the box, so you can install software from repositories that store many applications.

But unlike what The Sundays sang, here’s where the story begins.

There are two types of PPAs, official and unofficial. The four repositories stated above are official and you can expect them to be enabled on most Debian/Ubuntu-based distributions. When you venture into the realm of unofficial PPAs, you have to do more work to get them added to your distribution.

How are PPAs configured?

PPAs are configured in a text file in /etc/apt/sources.list.d. The file is named ubuntu.sources, and an entry will look similar to this:

Types: deb
URIs: http://security.ubuntu.com/ubuntu/
Suites: oracular-security
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

The above configuration tells apt where the repository is housed (URIs), which release it applies to (Suites), what it contains (Components), and which GPG key signs it (Signed-By).

If you don’t have a PPA configured in /etc/apt/sources.list.d and you go to install an application that’s not found in one of the four main repositories, you’ll receive an error like this:

Unable to locate the package

That’s simply because apt doesn’t know where the package is stored, so you must add a PPA to your system.

I would not recommend adding details for third-party PPAs in that file; instead, they should be added to their own files within the /etc/apt/sources.list.d directory. The good news is that you don’t have to manually configure the PPAs because apt has a built-in tool for that very thing.

Let’s say, for instance, you want to install the Shutter app (a screenshot tool). To do that, you must first add the required PPA. Instead of creating a new source file, you can use the add-apt-repository command like so:

sudo add-apt-repository ppa:shutter/ppa

Next, update apt so it’s aware of the new addition with:

sudo apt-get update

Finally, install the app with:

sudo apt-get install shutter -y

I prefer to use the above method (over the manual option) because it automatically installs the necessary GPG key (so there are fewer steps).

The caveats to PPAs

The problem with this whole shebang is that there is no list of available PPAs. You can’t go to a site like ubuntuppalist.org, look through the available PPAs, and add them. This site should exist, but I’ve yet to find it.

Because of this issue, you’ll have to do some research. For example, say you want to install Shutter on your desktop. You first look for it in the Software app. If you don’t find it there, you might open a terminal window and issue the command:

sudo apt-get install shutter -y

Unfortunately, you’ll wind up seeing the Unable to locate package error, which might lead you to Google (or, in my case, DuckDuckGo) how to install the app. When you search how to install Shutter, you’ll find that it’s housed in a non-official repository (ppa:shutter/ppa) that has to be added before the software can be installed.

The second problem is a bit more important to understand.

The software found in the four official Ubuntu repositories can all be trusted because it has been vetted by Canonical. On the other hand, third-party PPAs have not been vetted by Canonical, which means you’re on your own. Over the past year, more and more malicious packages have been found in third-party repositories, so it’s a crapshoot whether the one you need is safe.

This note isn’t meant to frighten you from using PPAs in Linux but to ensure you use them wisely. When I have to install software from a third-party PPA, I search to see if the PPA is legit and can be trusted. Is the source available? Has the developer (or team) ever been found to upload malicious software? If so, you certainly wouldn’t want to install any software found on that PPA. 

I recommend that new Linux users avoid working with third-party PPAs and stick with the official ones. Once you know how this approach works, you could venture into other PPAs. Even then, always vet a PPA before adding it.

However, after using Linux for nearly 30 years, I’ve yet to install malicious software from a third-party source. That doesn’t mean you should trust all sources by default. As long as you use caution and do a bit of research before adding a third-party PPA, you should be okay.
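
Part of that research is knowing which sources a machine already trusts. The script below is an added example, not code from the original article: it parses entries in the format shown under "How are PPAs configured?" and reports, for each one, whether it points at an official Ubuntu host and which key signs it. The official host list, the sample entries, and the function names are assumptions made for this illustration.

```python
from urllib.parse import urlparse
OFFICIAL_HOSTS = ("archive.ubuntu.com", "security.ubuntu.com")  # assumed list
# Constructed sample: the page's entry, a PPA with a placeholder key, one unsigned.
SAMPLE = """\
Types: deb
URIs: http://security.ubuntu.com/ubuntu/
Suites: oracular-security
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: https://ppa.launchpadcontent.net/shutter/ppa/ubuntu/
Suites: oracular
Signed-By:
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 PLACEHOLDER-NOT-A-REAL-KEY
 -----END PGP PUBLIC KEY BLOCK-----

Types: deb
URIs: https://example.invalid/apt/
Suites: stable
"""

def parse_deb822(text):
    """Split deb822 text into stanzas; indented lines continue the last field."""
    stanzas, key = [{}], None
    for line in text.splitlines():
        if not line.strip():                   # blank line starts a new stanza
            stanzas, key = stanzas + [{}], None
        elif line[0] in " \t" and key:         # continuation, e.g. embedded key
            stanzas[-1][key] += "\n" + line.strip()
        elif not line.startswith("#") and ":" in line:
            key = line.split(":", 1)[0].strip().lower()
            stanzas[-1][key] = line.split(":", 1)[1].strip()
    return [s for s in stanzas if s]           # drop empty stanzas

def audit(text):
    """Return one finding per URI: official host or not, and which key signs it."""
    findings = []
    for s in parse_deb822(text):
        signed_by = s.get("signed-by", "").strip()
        key = "embedded" if "BEGIN PGP" in signed_by else signed_by or "none"
        for uri in s.get("uris", "").split():
            host = urlparse(uri).hostname or ""
            official = any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)
            findings.append({"uri": uri, "official": official, "key": key})
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An entry reported with key "none" has no key pinned to that one repository and relies on apt's global trusted keyring instead, so it deserves a closer look first.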




