Freedom issues with PPAs
Hello everybody!
I've been reading a lot of warnings here about PPAs, so I would like to understand exactly why they are a problem even when the software in question is free. As an example, there are many PPAs with updated versions of free software like LibreOffice, GIMP, VLC, ClamTK, etc.
When do they become a problem and how can I see a problem in one? Thank you! :)
A PPA is dangerous because you are installing whatever the person who manages the PPA puts there for you to install. You can't be sure if the software you are installing is trustworthy, because it's as if you were installing a binary instead of compiling from source.
OpenShot for example has an official PPA, so you trust it as much as you would trust a deb file that the maker would provide. It's better than for example the GIMP 2.8 PPA, which is run by someone who has no affiliation with the GIMP team.
You can still take a look at the code and all of that, but usually you need to trust the PPA manager.
As for free software, the software remains Free both in the PPA and out of it.
As I understand it, the warning stems from the possibility that the PPA could have both Free Software and proprietary software. Once added, it is possible to accidentally install the proprietary software as well.
It is also worth pointing out that a PPA that only hosts free software may, in the future, host proprietary software. A user that does not pay enough attention may therefore end up installing proprietary software during an apparently seamless update.
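One practical check for the update concern raised above is to audit which installed packages currently come from a PPA origin, since those are the ones a future PPA update can silently replace. The script below is an added example, not code from the thread or from Trisquel; it parses the output format of `apt-cache policy` (a constructed sample is embedded, with placeholder repository URLs) and lists the packages whose installed version was pulled from ppa.launchpad.net.

```python
import re

# Constructed sample of `apt-cache policy` output (placeholder URLs, not real repositories).
SAMPLE_POLICY = """\
gimp:
  Installed: 2.8.22-1ppa1
  Candidate: 2.8.22-1ppa1
  Version table:
 *** 2.8.22-1ppa1 500
        500 http://ppa.launchpad.net/example-user/gimp/ubuntu codename/main amd64 Packages
        100 /var/lib/dpkg/status
     2.8.10-1 500
        500 http://archive.example.org/distro codename/main amd64 Packages
vlc:
  Installed: 2.1.6-0
  Candidate: 2.1.6-0
  Version table:
 *** 2.1.6-0 500
        500 http://archive.example.org/distro codename/main amd64 Packages
        100 /var/lib/dpkg/status
"""

def installed_origins(policy_text):
    """Map each package to the origin URLs of the version that is actually installed."""
    origins, pkg, in_installed = {}, None, False
    for line in policy_text.splitlines():
        m = re.match(r"^(\S+):$", line)          # "gimp:" starts a new package block
        if m:
            pkg, in_installed = m.group(1), False
            origins[pkg] = []
            continue
        if line.startswith(" ***"):              # "***" marks the installed version
            in_installed = True
            continue
        if re.match(r"^ {5}\S", line):           # a different, non-installed version
            in_installed = False
            continue
        m = re.match(r"^ {8}\d+ (\S+)", line)    # "priority url suite arch Packages"
        if m and in_installed and pkg:
            origins[pkg].append(m.group(1))
    return origins

def from_ppa(policy_text, ppa_host="ppa.launchpad.net"):
    """Packages whose installed version came from a Launchpad PPA, with the PPA URLs."""
    return {p: [u for u in urls if ppa_host in u]
            for p, urls in installed_origins(policy_text).items()
            if any(ppa_host in u for u in urls)}

if __name__ == "__main__":
    for pkg, urls in from_ppa(SAMPLE_POLICY).items():
        print(pkg, "<-", ", ".join(urls))
```

On a real system, pipe `apt-cache policy $(dpkg-query -f '${binary:Package}\n' -W)` into `from_ppa` to get the live list.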
Thanks everyone!
The same warnings (trusting the one who makes them) go for .deb packages, I suppose? Or the best answer still is to compile the source yourself?
You correctly suppose. Minus the problem with updates I was talking about (the .deb will never be updated). All in all, it is a question of trusting (or not) who distributes the software.
Thanks for the heads up! :)
Why don't we start a wiki page with trusted/free PPAs?
Define "trusted". A PPA that only hosts free software may, in the future, host some proprietary software (because the authors of the code change the license, because their newer versions rely on proprietary dependencies that are added to the PPA, etc.).
PPAs maintained by the app's devs—as many are—seem trustworthy. It's ok if PPA authors can potentially introduce proprietary content; that's how all software is. The usual solution in free software communities is to file a freedom issue and remove the proprietary content, e.g., remove the wiki link and move the PPA to a "Known Freedom Issues" section.
It is *not* OK for the Trisquel project to have a Wiki page listing, even temporarily, some PPAs with proprietary software. Moreover, its users will probably not discover the proprietary content introduced by an update (how many of them check the source code of the software updated through PPAs?) and the "temporary" aspect may last months. Even if the freedom issue is quickly discovered and the PPA is removed from the Wiki page, most of its users will probably keep running proprietary software because they rarely check the Wiki pages.