I’ll be the first to admit that I still have a lot to learn, but isn’t it kind of dangerous to rely on repositories with software that is often months out of date? I understand that security is a moving target, but I see so many people saying that getting apps from the official repositories is the safest option. This just seems incorrect to me. Can someone please illuminate?
It depends on the repository. The big distro repositories will have security patches as part of maintenance even if they don’t pull the latest updates. Newer code can also add vulnerabilities in addition to fixing them. There are also rolling release distros that keep up to date.
Forgive me for being dense, but how can they have a security patch without the latest update? I’m speaking specifically of Linux Mint and the repositories that are used after a fresh install, here. In my experience (which may differ from yours), I’ve never had to regress to an earlier version of software due to the latest version having some kind of vulnerability. It’s just not something I’ve ever had to do, although I’m not ruling out the possibility that others have experienced this.
In order to maintain software versions, package maintainers will often selectively pull git commits from the upstream projects that fix bugs / vulnerabilities in the code, while not pulling feature commits. Sometimes the pulled commits may need modifications to work properly on an old feature version of the software, which will also be done during the process. Alternatively, software may be compiled with different feature flags to restrict functionality to mitigate bugs known in upstream.
Okay, I understood about 5% of what you just said, but I think I get the general gist of it. Thanks for your reply.
Basically, because they can look at the source code of individual applications and how it got changed over time, they can typically create alternative versions of the software, which doesn’t include the newest features, but does include bug fixes and security patches.
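The backporting described in the two replies above, shown as an added example that is not code from this thread or from any distribution's tooling. It uses a constructed toy "upstream" history (a tagged release, a later feature commit, and a later fix commit) and a small unified-diff applier with "fuzz" so the fix hunk, whose context mentions the feature that the release never had, still lands on the old release; all names and source snippets are invented for the example.

```python
import difflib

# Constructed toy upstream history (not a real project): the release the distro
# ships, upstream after an unrelated feature commit, and upstream after the fix.
RELEASE_1_0 = '''def parse(data):
    """Copy data into a fixed-size frame."""
    buf = bytearray(64)
    buf[0:len(data)] = data
    return bytes(buf)
'''

# Feature commit: new functionality prepended to the file (the distro does not want this).
UPSTREAM_AFTER_FEATURE = '''import json

def parse_json(text):
    return json.loads(text)

''' + RELEASE_1_0

# Fix commit: reject oversized input instead of silently growing the frame.
DOC_LINE = '    """Copy data into a fixed-size frame."""\n'
FIX_LINES = '    if len(data) > 64:\n        raise ValueError("frame too large")\n'
UPSTREAM_AFTER_FIX = UPSTREAM_AFTER_FEATURE.replace(DOC_LINE, DOC_LINE + FIX_LINES)


def split_hunks(diff_lines):
    """Group unified-diff body lines (after the ---/+++ header) by '@@' hunk."""
    hunks, current = [], None
    for line in diff_lines:
        if line.startswith("@@"):
            current = []
            hunks.append(current)
        elif current is not None:
            current.append(line)
    return hunks


def find_subsequence(haystack, needle):
    """Index of the first exact occurrence of `needle` in `haystack`, or None."""
    for i in range(len(haystack) - len(needle) + 1):
        if haystack[i:i + len(needle)] == needle:
            return i
    return None


def apply_hunk(target_lines, hunk, max_fuzz=3):
    """Apply one hunk, dropping up to `max_fuzz` context lines from each end when the
    full context does not match (the manual adaptation a maintainer otherwise does).
    Returns (new_lines, fuzz_used)."""
    for fuzz in range(max_fuzz + 1):
        body = hunk
        for _ in range(fuzz):
            if body and body[0].startswith(" "):
                body = body[1:]
            if body and body[-1].startswith(" "):
                body = body[:-1]
        old = [line[1:] for line in body if line[0] in " -"]
        new = [line[1:] for line in body if line[0] in " +"]
        if not old:
            break  # nothing left to anchor on; refuse to guess a location
        idx = find_subsequence(target_lines, old)
        if idx is not None:
            return target_lines[:idx] + new + target_lines[idx + len(old):], fuzz
    raise ValueError("hunk does not apply to the release source")


def backport(release_src, upstream_before, upstream_after):
    """Derive the fix commit's diff from the two upstream snapshots and apply only
    that diff to the old release. Returns (patched_source, max_fuzz_used)."""
    diff = list(difflib.unified_diff(upstream_before.splitlines(),
                                     upstream_after.splitlines(),
                                     fromfile="a", tofile="b", n=3, lineterm=""))
    lines = release_src.splitlines()
    fuzz_used = 0
    for hunk in split_hunks(diff[2:]):  # skip the '--- a' / '+++ b' header
        lines, fuzz = apply_hunk(lines, hunk)
        fuzz_used = max(fuzz_used, fuzz)
    return "\n".join(lines) + "\n", fuzz_used


def fix_is_present(src):
    """Run the toy module and confirm oversized input is rejected while normal input works."""
    namespace = {}
    exec(src, namespace)
    try:
        namespace["parse"](b"x" * 65)
    except ValueError:
        return len(namespace["parse"](b"ok")) == 64
    return False


if __name__ == "__main__":
    patched, fuzz = backport(RELEASE_1_0, UPSTREAM_AFTER_FEATURE, UPSTREAM_AFTER_FIX)
    print(f"fix hunk applied with fuzz {fuzz}")
    print(patched)
    print("fix present:", fix_is_present(patched), "| feature present:", "parse_json" in patched)
```

The resulting source is the 1.0 release plus the length check only; the `fuzz` value of 1 records that one context line had to be dropped because the upstream hunk's context referred to the feature commit. Real package builds do the same thing with `patch`, `quilt` or `git cherry-pick`, and the distro's changelog is where that adaptation is documented.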
I now know more about this subject than I ever thought possible. Thank you, everyone, for your thoughtful replies. It is very much appreciated. :)
While another comment covered the matter of security updates, another point that is safer about repositories is the security of the binary and the transaction. Meaning, the place you get your software from and how this transference is accomplished are also security sensitive.
When you get the software from a repository, you typically have some assurance that (a) the binary you are getting was compiled from the source that is published (b) the source from which you are downloading is known and trusted (c) the method through which you are transferring is somewhat secure (e.g. TLS) (d) the changes made were inspected by at least one more independent party (depends on the repository’s policies).
Repositories will also have criteria for inclusion, which can bar you from software you want, but still could also mean software with bad security practices never reached you to begin with. Being included in the repository might also mean it’s up to more scrutiny, as it may be removed depending on what security events happen in the future.
Say that instead we were to get the software directly from the original source. How will this source transfer the software to you? If they publish it on a website, that adds one more attack surface where, if an attacker tampers with files, hashes and/or links, you are now no longer getting it from the source. Say instead you get it from a Git forge such as e.g. GitHub. Is the binary being built from source in CI? Or is it uploaded manually? Does it provide a hash? How can we know the manually uploaded binary, even if it has a hash, was compiled from the publicly available source? There is no trusted, independent third party involved to confirm that.
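The point made in the two replies above about the download source and the hash published next to it, as an added example that is not code from this thread. It models a publisher's download page with a constructed tarball and a `SHA256SUMS` file in the `sha256sum(1)` format, then compares checking against that co-located file with checking against a digest recorded independently by a repository maintainer; the file name, bytes and digests are all constructed for the example.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sums(text: str) -> dict:
    """Parse sha256sum(1) output lines: '<64 hex chars>  <name>'.
    A leading '*' on the name marks binary mode and is ignored."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed digest for {name!r}")
        sums[name] = digest.lower()
    return sums


def verify(files: dict, sums: dict, name: str) -> bool:
    """True only if the file is present, listed, and its SHA-256 matches the listing."""
    expected = sums.get(name)
    if expected is None or name not in files:
        return False
    return hmac.compare_digest(expected, sha256_hex(files[name]))


ARTIFACT = "tool-1.2.0.tar.gz"  # constructed name
GENUINE = b"\x1f\x8b genuine release tarball (constructed stand-in bytes)"
TAMPERED = b"\x1f\x8b backdoored tarball (constructed stand-in bytes)"

# Digest a repository maintainer recorded independently (for instance in signed
# package metadata) when the release was packaged. Constructed for this example.
PINNED_SUMS = parse_sums(f"{sha256_hex(GENUINE)}  {ARTIFACT}")


def publisher_site(tampered: bool) -> dict:
    """Model the files served by the upstream download page. If the site is
    compromised, the attacker rewrites SHA256SUMS to match the replaced tarball."""
    blob = TAMPERED if tampered else GENUINE
    return {ARTIFACT: blob, "SHA256SUMS": f"{sha256_hex(blob)}  {ARTIFACT}\n"}


def check_colocated(site: dict) -> bool:
    """Verify against the SHA256SUMS served by the same site as the tarball."""
    return verify(site, parse_sums(site["SHA256SUMS"]), ARTIFACT)


def check_pinned(site: dict) -> bool:
    """Verify against the digest obtained from the independent repository record."""
    return verify(site, PINNED_SUMS, ARTIFACT)


def run_scenario() -> dict:
    clean, hacked = publisher_site(tampered=False), publisher_site(tampered=True)
    return {
        "clean_colocated": check_colocated(clean),
        "clean_pinned": check_pinned(clean),
        "tampered_colocated": check_colocated(hacked),  # still True: no protection
        "tampered_pinned": check_pinned(hacked),        # False: tampering detected
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:20s} {'OK' if ok else 'FAIL'}")
```

The co-located checksum only detects corruption in transit; once the attacker controls the page, the tarball and its checksum are replaced together and the check still passes. The repository's independently recorded digest (in practice covered by the repository's signing key, which the package manager already trusts) is what turns the hash into a meaningful check, which is the "independent third party" the reply above refers to.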
I can think of a few other reasons unrelated to security, such as repositories, particularly distro/OS-specific repositories but not only them, will tailor the software to your OS, resolve dependencies for you and add niceties such as init system integration, shell completions, man pages and sample configuration that is specific to your OS.