Ubuntu MATE 20.04 installs a PPA when changing color theme

Hi,

Ubuntu MATE is my favorite Linux distro but I found something very disturbing:

When changing the color theme through the Welcome screen, it installs a Launchpad PPA to do it. I discovered it doing an "apt update" in the console. A normal user wouldn't notice that.

As far as I know, PPAs are not checked by the Ubuntu Security Team. The maintainer can upload a package and it becomes immediately available to the users, so if the computer of the PPA maintainer becomes hacked, malware could be distributed to thousands of users when their systems do an automatic system update.

Please make the color themes a distro package and completely remove PPAs.

Thank you!

1 Like
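The check described in the post above, as an added example that is not part of the original thread: a shell function that lists the Launchpad PPAs currently enabled in APT source files, so a PPA added by a GUI tool shows up without waiting for "apt update" output. The function name `list_ppa_sources` is hypothetical; beyond the one-line `.list` format used on 20.04, it also reads deb822 `.sources` files and skips commented-out or `Enabled: no` entries.

```shell
#!/bin/sh
# Added example: print "source-file<TAB>owner/ppa-name" for each enabled
# Launchpad PPA found in the APT source files given as arguments.
list_ppa_sources() {
    for f in "$@"; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        awk -v file="$f" '
            # Print owner/name when the URI points at a Launchpad PPA host.
            function emit(uri,   p) {
                if (uri ~ /^https?:\/\/ppa\.launchpad(content)?\.net\//) {
                    sub(/^https?:\/\/[^\/]+\//, "", uri)
                    split(uri, p, "/")
                    print file "\t" p[1] "/" p[2]
                }
            }
            # A deb822 stanza only counts if it was not marked "Enabled: no".
            function flush_stanza(   i) {
                if (enabled) for (i = 1; i <= n; i++) emit(uris[i])
                n = 0; enabled = 1
            }
            BEGIN { enabled = 1; n = 0 }
            /^[ \t]*#/ { next }                    # commented-out entry
            /^[ \t]*$/ { flush_stanza(); next }    # blank line ends a stanza
            $1 == "deb" || $1 == "deb-src" {       # one-line format
                for (i = 2; i <= NF; i++)
                    if ($i ~ /^https?:/) { emit($i); break }
                next
            }
            tolower($1) == "enabled:" && tolower($2) == "no" { enabled = 0; next }
            tolower($1) == "uris:" { for (i = 2; i <= NF; i++) uris[++n] = $i }
            END { flush_stanza() }
        ' "$f"
    done | sort -u
}

# With no arguments, scan the standard APT locations on this machine.
if [ "$#" -eq 0 ]; then
    set -- /etc/apt/sources.list /etc/apt/sources.list.d/*.list \
           /etc/apt/sources.list.d/*.sources
fi
list_ppa_sources "$@"
```

Running it before and after a theme change and comparing the two outputs shows exactly which source file was added.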

Thanks for using Ubuntu MATE and kind words about it.

In a perfect world I can agree with you. But in the real world it sounds weird and paranoid.

And anyway PPAs are a good thing. They can expand system functionality and will bring newer package versions and some packages which are not yet approved to be in the official repositories. Snaps and Flatpaks, in contrast, are worse as they are not controlled and need more network bandwidth and more disk space to be used.

In this particular case the Software Boutique adds a special PPA which is 100% trusted as it is authored by lah7. And here we appreciate all his efforts.
The theme packages do not contain any binaries, but only images (SVG, JPG, PNG), CSS and XML, rc- and theme-files. So there is nothing malicious here.

In future releases these packages may become a part of the official repositories, so your concerns will be gone. Thank you for the idea!

2 Likes

Thank you for your answer :)

I also noticed that the Boutique and the Welcome screen are snaps with classic confinement (they have full access to user files). I'm also against unconfined snaps, so I made a small guide for security-concerned users:

After installing Ubuntu MATE, don't log in after the first boot, to avoid the Welcome snap being launched (if the Welcome snap were infected with malware, it would be launched just by logging in). Instead of logging in, restart your computer, press ESC to see the GRUB options and select "Recovery mode". Select the root console and run the following commands:

# This will remove the Welcome and Boutique apps. No PPAs will be added to the system after this.

$ snap remove software-boutique
$ snap remove ubuntu-mate-welcome

# This will install GNOME Software. You can install apps from there.

$ apt install gnome-software

# Reboot

$ reboot

Regards :)