
Be Suspicious Of Personal Package Archives



So I’ve been looking for a note editor for my desktop that would sync with Nextcloud Notes, in the same way QuillPad does on my phone. Out of the blue I saw a YouTube video on the topic of open-source, non-commercial, free note editors and decided to watch it in case it covered one that met my needs. Of the apps mentioned, only one met the criteria I had - QOwnNotes - so I decided to test it out. After a quick look over the GitHub repository to see if there were any nasty surprises in the code, I installed it and set it up.

Unfortunately QOwnNotes doesn’t sync with Nextcloud directly, instead relying on the Nextcloud Desktop Client to do the syncing, and the machine I was testing on didn’t have it installed. No worries, a quick search for “Ubuntu Nextcloud Client APT” and I had a few guides with instructions to install it via the Nextcloud-devs/desktop-client PPA.

And in the same way I checked the code for QOwnNotes before installing it, I wanted to check the authenticity of the “Nextcloud Development” team behind the PPA. The first red flag was that despite the Nextcloud contributors page listing more than 200 people, this PPA team had only one member - the owner, István Váradi - and they weren’t on the list of contributors, even when I reduced the query to small substrings of their name to make sure the accented characters weren’t the issue. I did manage to find a user on GitHub that uses the same Launchpad ID (ivaradi), and while they have a few repositories forked from the official Nextcloud ones, they aren’t up to date, although the debian/* branches on the nextcloud.client repository are mostly up to date, and even have changes ivaradi has made.

The next red flag was that the only other person requesting access to the PPA was someone using the name Codemaster with the Launchpad ID boomhacker and boomhacker@cryptopup.site for their email address. Looking into them led me to their GitHub profile, which has no reference to Nextcloud. While having a super-sketchy account apply for membership isn’t a problem on its own, the fact their application hasn’t been rejected worries me.

All in all, it seems like the package archive might be okay, maybe. I still have reservations about it, given that the owner is claiming the name Nextcloud Development team without any official connection to the dev-team, and the presence of qtkeychain packages in the same archive makes me nervous, so I won’t be using it to install the Nextcloud Desktop Client.
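The checks above (team size, whether the members are known upstream contributors, unanswered membership requests, packages beyond the one you came for, and whether the archive's signing key has been confirmed out of band) can be written down so they are repeatable. The following is an added example, not code from this post, from Nextcloud or from Launchpad. The team, member names, email address and fingerprint in it are constructed and do not describe any real PPA or person, and the dict layout is an assumption loosely modelled on Launchpad's JSON API rather than its documented schema; in practice you would fetch the team and archive entries from the Launchpad API and map the fields yourself.

```python
"""Codify the PPA provenance checks a careful installer would run by hand.

All data here is constructed for illustration. The archive/team dict layout
is an assumption of this example, not a documented Launchpad schema.
"""
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional


def normalise(name: str) -> str:
    """Lower-case and strip accents so 'Váradi' and 'varadi' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


@dataclass
class PpaReport:
    warnings: List[str] = field(default_factory=list)

    def ok(self) -> bool:
        return not self.warnings


def audit_ppa(archive: dict, upstream_contributors: set,
              expected_sources: set, trusted_fingerprint: Optional[str]) -> PpaReport:
    """Flag the red flags described in the post for the PPA described by `archive`.

    Assumed layout: owner.name, owner.display_name, owner.members[] (name,
    display_name), owner.pending_members[] (name, email),
    published_sources[] (source_package_name), signing_key_fingerprint.
    """
    report = PpaReport()
    owner = archive["owner"]
    members = owner.get("members", [])
    contributors = {normalise(c) for c in upstream_contributors}

    # Red flag 1: a team carrying a project's name with a single member.
    if len(members) <= 1:
        report.warnings.append(
            f"team {owner['name']!r} ({owner['display_name']!r}) has {len(members)} member(s)")

    # Red flag 2: members not on the upstream contributors list, matched on
    # Launchpad ID or display name with accents ignored.
    for m in members:
        candidates = {normalise(m["name"]), normalise(m.get("display_name", ""))}
        if not candidates & contributors:
            report.warnings.append(f"member {m['name']!r} is not a listed upstream contributor")

    # Red flag 3: membership requests that nobody has accepted or rejected.
    for p in owner.get("pending_members", []):
        report.warnings.append(
            f"pending membership request from {p['name']!r} <{p.get('email', '?')}>")

    # Red flag 4: the archive publishes packages beyond the ones you came for.
    published = {s["source_package_name"] for s in archive.get("published_sources", [])}
    extra = sorted(published - expected_sources)
    if extra:
        report.warnings.append(f"archive publishes packages outside the expected set: {extra}")

    # Check 5: the signing key must match a fingerprint obtained out of band;
    # apt trusting the key once added is not the same as you trusting it.
    fp = archive.get("signing_key_fingerprint")
    if trusted_fingerprint is None or fp != trusted_fingerprint:
        report.warnings.append(f"signing key fingerprint {fp!r} not confirmed out of band")
    return report


def sample_archive() -> dict:
    """Constructed data shaped like the situation in the post; not real Launchpad output."""
    return {
        "name": "client",
        "signing_key_fingerprint": "0000000000000000000000000000000000000000",
        "owner": {
            "name": "example-devs",
            "display_name": "Example Development",
            "members": [{"name": "maint-one", "display_name": "Máint Öne"}],
            "pending_members": [{"name": "applicant-x", "email": "applicant-x@example.invalid"}],
        },
        "published_sources": [
            {"source_package_name": "example-desktop"},
            {"source_package_name": "qtkeychain"},
        ],
    }


def audit_sample() -> PpaReport:
    """Run the audit against the constructed archive with a constructed contributor list."""
    return audit_ppa(
        sample_archive(),
        upstream_contributors={"alice", "bob", "carol"},
        expected_sources={"example-desktop"},
        trusted_fingerprint=None,  # nothing has been verified out of band yet
    )


if __name__ == "__main__":
    for w in audit_sample().warnings:
        print("WARNING:", w)
```

Every one of the five warnings on the constructed input is a judgement call rather than proof of malice (a team can legitimately ship a patched qtkeychain alongside the client, for example), which is why the script reports and never decides; the point is to make the same questions get asked every time a third-party archive is about to be added to sources.list.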

I’ll build the client myself instead or, if I have issues doing that, I’ll install the snap package, though as always, that is a last resort for me.