software from the community repositories safe?

Hello

I’m new to openSUSE and I’ve got a question on the community repositories. I want to install software like Keepassxc 2.30, Mediathekview and clamtk. Can I install those applications from the different community repositories safely, without my desktop being compromised?

I thank you for your answers!


The easiest thing is to install only the single software, choosing at the first Yast screen not to keep the repository.

Yes, it’s safe. While somebody might suggest using the 1-click installer to install software from 3rd-party repos and then selecting not to keep the repos, I’d suggest the opposite: add those repositories with zypper or YaST and then install the apps you want with zypper or YaST while keeping the repos. By keeping the repositories active you’ll get any software updates that are published; by just installing the rpm you won’t get updates.
Just keep the number of extra repositories to a minimum, the ones you really use. If you don’t use software from a repo, remove it.

With YaST there is also the possibility of giving priority to the repositories.
By default they are set to 99; if you add a Community Repository you put it at 100 so it does not have priority over the official ones.
What version of openSUSE are we talking about?
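The two posts above describe the same defensive setup: keep extra repositories enabled so you get updates, but give them priority 100 so they can never outrank the official OSS/Update repos (zypper treats a lower number as a higher priority, 99 being the default). The script below is an added example, not code from the thread or from openSUSE; it audits the `.repo` files in a `repos.d` directory and warns about any enabled non-official repo that keeps the default priority or has `gpgcheck` switched off. It assumes the four aliases a default install creates (`repo-oss`, `repo-non-oss`, `repo-update`, `repo-update-non-oss`) and builds a constructed sample directory so it runs offline; the real URLs and the checking of `gpgcheck` go slightly beyond the posts, which only mention priority.

```shell
#!/bin/sh
# Added example (not from the thread): audit zypper .repo files and flag every
# enabled repo that is not one of the four installer-added ones but still has
# priority <= 99 (so it can outrank the official repos) or gpgcheck != 1.
# The official alias names below are an assumption about a default install.
# Adding a repo the way the post recommends is: zypper ar -p 100 <url> <alias>

# Constructed sample repo files (example.invalid URLs) so the script runs offline.
make_sample_repos() {
  dir=$1
  mkdir -p "$dir"
  # official OSS repo: no priority key, so it keeps zypper's default of 99
  cat > "$dir/repo-oss.repo" <<'EOF'
[repo-oss]
name=Main Repository (OSS) (constructed)
enabled=1
autorefresh=1
baseurl=https://example.invalid/distribution/repo/oss/
type=rpm-md
gpgcheck=1
EOF
  # home repo added correctly at priority 100: must not be flagged
  cat > "$dir/home_example_ok.repo" <<'EOF'
[home:example:ok]
name=home:example:ok (constructed)
enabled=1
baseurl=https://example.invalid/home:/example:/ok/
priority=100
gpgcheck=1
EOF
  # home repo added without a priority: defaults to 99 and ties with the official repos
  cat > "$dir/home_example_default.repo" <<'EOF'
[home:example:default]
name=home:example:default (constructed)
enabled=1
baseurl=https://example.invalid/home:/example:/default/
gpgcheck=1
EOF
  # third-party repo at priority 90 with signature checking off: worst case
  cat > "$dir/thirdparty.repo" <<'EOF'
[thirdparty]
name=thirdparty (constructed)
enabled=1
baseurl=https://example.invalid/thirdparty/
priority=90
gpgcheck=0
EOF
}

# Print "alias priority enabled gpgcheck" for one .repo file, applying zypper's
# defaults (priority 99, enabled 1, gpgcheck 1) when a key is missing.
repo_fields() {
  file=$1
  alias=$(sed -n 's/^\[\(.*\)\]$/\1/p' "$file" | head -n 1)
  prio=$(sed -n 's/^priority=//p' "$file" | head -n 1)
  en=$(sed -n 's/^enabled=//p' "$file" | head -n 1)
  gpg=$(sed -n 's/^gpgcheck=//p' "$file" | head -n 1)
  printf '%s %s %s %s\n' "$alias" "${prio:-99}" "${en:-1}" "${gpg:-1}"
}

# Walk a repos.d directory, warn on stderr about each enabled non-official repo
# that could outrank the official ones or skips signature checks, and print the
# number of such repos on stdout.
audit_repos() {
  dir=$1
  bad=0
  for f in "$dir"/*.repo; do
    set -- $(repo_fields "$f")
    case $1 in
      repo-oss|repo-non-oss|repo-update|repo-update-non-oss) continue ;;
    esac
    [ "$3" = 1 ] || continue      # a disabled repo cannot affect installs
    if [ "$2" -le 99 ] || [ "$4" != 1 ]; then
      echo "WARN: $1 priority=$2 gpgcheck=$4 (want priority>=100, gpgcheck=1)" >&2
      bad=$((bad + 1))
    fi
  done
  echo "$bad"
}

# On a real system: audit_repos /etc/zypp/repos.d
# Self-contained demo on the constructed sample:
demo_dir=$(mktemp -d)
make_sample_repos "$demo_dir"
audit_repos "$demo_dir"   # two WARN lines on stderr, prints "2" on stdout
rm -r "$demo_dir"
```

Run it against `/etc/zypp/repos.d` after adding a repository; a flagged repo is fixed with `zypper mr -p 100 <alias>` (and `gpgcheck=1` in its `.repo` file), which is exactly the setting the post above recommends.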

One warning: the distro itself is openQA tested, as a whole. The community repos aren’t. The documentation is clear about those repos: use at own risk. Of course, the community will try to help you, if issues arise, but please note the difference.

Knurpht points out important info, and I would like to add that using the Community Repos can have risks. It helps if you are aware of any work done by the Repo owner and what stage they are at, as well.

Many of the home repos are by some very experienced Packagers and Programmers, while there are also quite a few by other people just starting out in OBS and learning what to do.

It could well be a first experimental work by someone.

Of course, it is very unlikely that anyone in the home repos has any malicious intent, but unintended mistakes and glitches can happen when a person is learning and starting out.

As Knurpht said, weigh the options, and if you run into trouble, just come here for help.

You might want to consider what you mean by “Community Repository.”
The current website https://software.opensuse.org/search unfortunately has confused the terminology.

Traditionally, “Community” has meant an organized group of people working with a common purpose, and especially in software likely working on a single project or an umbrella of projects.
The newly misleading use of “Community” in our openSUSE software currently does not mean this; “Community” only refers loosely to individuals contributing to OBS. There is no organization, and each individual is more likely working alone than as part of an organized effort.
Instead, “Experimental” now seems to include various types of what more traditionally is known as organized “Community”.

Examples
Packman seems to be no longer considered a Community repository.
Our own openSUSE repos like servers, development languages, and officially sanctioned technologies like Ruby and Python are no longer considered Community repositories.

But,
If I were to set up an OBS repo for my own personal efforts, that would be considered a Community repo.

So,
In terms of the hierarchy of trusted repo sources, I currently consider our openSUSE definition of a “Community” repository as the least reliable and safe. That does not necessarily mean that the repo contains malicious software, it mostly means that the software is least reviewed, least tested and if there are other sources I would prefer almost anything before one of these repos… But will still consider these repos vastly better than something with unknown or unverifiable origin.

I’d encourage openSUSE to revise this change in terminology ASAP but am not holding my breath.

TSU


Yes, I don’t quite understand the reasoning for the new layout on
https://software.opensuse.org/search
What it calls community repos are in fact user repos, and while some of them are repositories of software developers, there’s nothing community in them. While I do use software from some of them, I do it with care, as they are user repositories and can contain experimental features.
Yet the official extra openSUSE repositories (for example kde:extra or gnome:apps) are filed under experimental when they contain vanilla code with zero experimental features?
It’s just beyond me why they changed the old UI; it was simple and functional, the new one is confusing.

Am also contemplating the simple possibility that the website code is reversed…
Everything in “Community” should actually be in “Experimental” and vice versa.

TSU

It’s precisely because of this confusion between trusted and non-trusted packages that I am dropping openSUSE 30 minutes after installing it for the first time. This is simply not acceptable. With a single click you can install a malicious, externally non-tested package created by someone from their bedroom. Sorry, but this is not professional at all and not worth the risk. Clearly define what is from the main repo and packages by the official team, or don’t use confusing double meanings for “Community” and “Experimental”. Just too risky! A setup like this makes one question the judgement of the main openSUSE developers in the first instance.

It is clearly defined what is from the main “official”, or whatever you want to call them, repos. All packages that are on those repos: OSS and non-OSS (and their respective Update repos). When you only have those in your repos list, all that you can see with YaST > Software > Software Management is from those two “official” repos and belongs to the released distribution. Those are the only repos added when you install openSUSE (well, their disabled debug and source repos may be added for convenience; almost nobody ever enables them, but they are “official”).


Which confusion?

Did you care to read Package repositories - openSUSE Wiki and did you follow the “See also” links on the bottom of that page?

Regards

susejunky
