Ubuntu 23.10 Introduces a Safer Way to Manage PPAs

Ubuntu 23.10 will bring a significant change to the way PPAs are managed on Ubuntu systems. The new method will embed the keys directly into the .sources files, ensuring a 1:1 relationship between the PPA and its key.

Personal Package Archives (PPAs) are a convenient way to install software from third-party sources on Ubuntu systems. However, they also pose a security risk: the keys used to sign the packages are stored in a global directory, where they can also be used by other repositories.

To address this issue, Ubuntu 23.10 will introduce a new way to manage PPAs on Ubuntu systems. The new method will use deb822-formatted .sources files instead of .list files to store the PPA information. The key difference is that the .sources files will have the keys directly embedded into the file’s Signed-By field, rather than relying on a separate keyring file.

This change will bring several benefits for Ubuntu users:

  • When a PPA is removed, its associated key will also be removed automatically.
  • Each PPA will have a unique key that cannot be used by other repositories or for other purposes.
  • The key will be verified against the PPA source, ensuring that the packages are authentic and have not been tampered with.

The new method will also reduce the warnings that users may encounter when adding or removing PPAs, such as “Key is stored in legacy trusted.gpg keyring” or “Manage keyring files in trusted.gpg.d instead”.
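To check which configured sources already have a key scoped to them, the following added example (not code from Ubuntu or the software-properties package) parses deb822 .sources stanzas and one-line .list entries and classifies each repository by its Signed-By setting. The repository URLs, keyring path, key body and function names are constructed for illustration.

```python
import re
# Constructed sample input: hosts, keyring path and key body are placeholders.
SAMPLE_SOURCES = """\
Types: deb
URIs: https://ppa.example.invalid/example-owner/example-ppa/ubuntu/
Suites: mantic
Components: main
Signed-By:
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 .
 PLACEHOLDERKEYDATA
 -----END PGP PUBLIC KEY BLOCK-----

Types: deb
URIs: https://repo.example.invalid/ubuntu/
Suites: mantic
Components: main
"""
SAMPLE_LIST = """\
deb [signed-by=/etc/apt/keyrings/example.gpg] https://repo.example.invalid/ubuntu mantic main
deb https://ppa.example.invalid/example-owner/example-ppa/ubuntu mantic main
"""

def parse_deb822(text):
    """Split deb822 text into stanzas; indented lines continue the previous field."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:          # continuation (" ." = blank line)
                fields[key] += "\n" + line.strip()
            elif ":" in line and not line.startswith("#"):
                key = line.split(":", 1)[0].strip().lower()
                fields[key] = line.split(":", 1)[1].strip()
        stanzas.append(fields)
    return [s for s in stanzas if s]

def classify(signed_by):
    if "BEGIN PGP PUBLIC KEY BLOCK" in (signed_by or ""):
        return "embedded-key"        # key is carried inside the .sources file itself
    return "referenced-key" if signed_by else "global-trust"  # keyring path/fingerprint, or none

def audit_sources(text):
    return [(s.get("uris", ""), classify(s.get("signed-by"))) for s in parse_deb822(text)]

def audit_list(text):
    rows = re.findall(r"^deb(?:-src)?\s+(?:\[([^\]]*)\]\s+)?(\S+)", text, re.M)
    return [(uri, classify("".join(re.findall(r"\bsigned-by=(\S+)", opts))))
            for opts, uri in rows]
```

On a real system the inputs would be the contents of the files under /etc/apt/sources.list.d/; any entry reported as global-trust is verified against keys that are trusted for every repository.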

The new version of the software-properties package that implements this change is already available in the daily builds of Ubuntu 23.10 Mantic Minotaur. Users who want to try it out can download and install it from the official repository.

The change is expected to be fully implemented in the final release of Ubuntu 23.10, which is scheduled for October 2023.
