
On 26 July 2012 13:48, Chandra Amarasingham <camarasingham@yahoo.com> wrote:
Does anyone know of an official note on how software ends up in the universe repository on Ubuntu? Given it's community maintained and not officially supported, is it considered safe enough for production use... safe in the sense of being free of malevolent elements. Stability is not an issue.
https://help.ubuntu.com/community/Repositories/#Universe

Most (if not all) of those packages originate from Debian (which in turn originate somewhere upstream), thus ask yourself, "do I trust...":

- The community of Ubuntu maintainers (MotU), and the security of their build environment
- Debian developers/maintainers
- Upstream software developers

That said, "given enough eyeballs, all bugs are shallow", and there are many people along that chain, but even that didn't stop a fairly grave OpenSSH bug[1] slipping through unnoticed for *years*...

[1] - http://helvick.blogspot.com.au/2008/05/debian-opensslopenssh-prng-bug.html

--
Joel Shea <jwshea@gmail.com>