Finding and removing packages installed from non-standard repos in Ubuntu
Saturday, April 10th, 2021
Update: Oh, look, right in the nick of time: “Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click”
As part of my big spring cleaning, as well as given all the recent supply chain attacks, I’ve decided that I will no longer run any software from third-party repositories directly on my Linux desktop. The most pressing issue is with packages from PyPI, NPM, Docker Hub and other repositories that don’t support cryptographically signed packages. I now run those in Virtual Machines, but that’s a topic for another blog post.
I also wanted to get rid of all the cruft I’ve installed on my Linux desktop over the last years from third-party Ubuntu repositories. I often tend to try things out, but then forget to clean up after myself, which leaves quite a bit of software lingering around that I never use anyway:
root @ jib /etc/apt/sources.list.d $ ls
000-mailpile.list                                           slack.list
000-mailpile.list.save                                      slack.list.save
crystal.list                                                spotify.list
crystal.list.save                                           spotify.list.save
google-chrome.list                                          steam.list
google-chrome.list.save                                     steam.list.save
google-cloud-sdk.list                                       taskcoach-developers-ubuntu-ppa-bionic.list
google-cloud-sdk.list.save                                  taskcoach-developers-ubuntu-ppa-bionic.list.save
gregory-hainaut-ubuntu-pcsx2_official_ppa-bionic.list       teams.list
gregory-hainaut-ubuntu-pcsx2_official_ppa-bionic.list.save  teams.list.save
nodesource.list                                             teamviewer.list.save
nodesource.list.save                                        ultradvorka-ubuntu-productivity-bionic.list
peek-developers-ubuntu-stable-bionic.list                   ultradvorka-ubuntu-productivity-bionic.list.save
peek-developers-ubuntu-stable-bionic.list.save              vscode.list
signal-xenial.list                                          vscode.list.save
I mean, I don’t even know what some of that stuff is anymore. Time to clean things up!
First, how do I figure out which packages are in those repositories? The web gives us plenty of tips, but they seem to revolve mostly around aptitude, which I don’t have installed. And the whole idea is to clean things up, not install additional cruft!
Let’s look at /var/lib/apt/lists:
$ cd /var/lib/apt/lists
$ ls | head -n5
deb.nodesource.com_node%5f12.x_dists_bionic_InRelease
deb.nodesource.com_node%5f12.x_dists_bionic_main_binary-amd64_Packages
dist.crystal-lang.org_apt_dists_crystal_InRelease
dist.crystal-lang.org_apt_dists_crystal_main_binary-amd64_Packages
dist.crystal-lang.org_apt_dists_crystal_main_binary-i386_Packages
Okay, that looks promising..
$ cat deb.nodesource.com_node%5f12.x_dists_bionic_main_binary-amd64_Packages | head -n5
Package: nodejs
Version: 12.22.1-1nodesource1
Architecture: amd64
Maintainer: Ivan Iguaran <ivan@nodesource.com>
Installed-Size: 91389
Ah, just what we need. So we can get a list of all the packages in a repo using some grep magic. Note that these are not necessarily packages that have actually been installed, but rather they’re all the packages that are available in the repository.
$ grep '^Package:' deb.nodesource.com*
lists/deb.nodesource.com_node%5f12.x_dists_bionic_main_binary-amd64_Packages:Package: nodejs
For a repo with multiple packages, the output looks like this:
$ grep '^Package:' repository.spotify.com*
lists/repository.spotify.com_dists_stable_non-free_binary-amd64_Packages:Package: spotify-client
lists/repository.spotify.com_dists_stable_non-free_binary-amd64_Packages:Package: spotify-client-0.9.17
lists/repository.spotify.com_dists_stable_non-free_binary-amd64_Packages:Package: spotify-client-gnome-support
lists/repository.spotify.com_dists_stable_non-free_binary-amd64_Packages:Package: spotify-client-qt
lists/repository.spotify.com_dists_stable_non-free_binary-i386_Packages:Package: spotify-client
lists/repository.spotify.com_dists_stable_non-free_binary-i386_Packages:Package: spotify-client-gnome-support
lists/repository.spotify.com_dists_stable_non-free_binary-i386_Packages:Package: spotify-client-qt
Fix that output up a little bit so we only get the package name:
$ grep '^Package:' repository.spotify.com* | sed "s/.*Package: //" | sort | uniq
spotify-client
spotify-client-0.9.17
spotify-client-gnome-support
spotify-client-qt
There we go. We can now use apt to see if any of those packages are installed:
$ apt -qq list $(grep '^Package:' repository.spotify.com* | sed "s/.*Package: //" | sort | uniq) | grep installed
spotify-client/stable,now 1:1.1.55.498.gf9a83c60 amd64 [installed]
Okay, so Spotify has been installed with the spotify-client package. Now, we could purge that package manually, but for some of the repositories there are many installed packages. An easier (but slightly more dangerous) method is to just purge all of the packages mentioned in the repo, whether they’re installed or not:
$ apt purge $(grep '^Package:' repository.spotify.com* | sed "s/.*Package: //" | sort | uniq)
Package 'spotify-client-0.9.17' is not installed, so not removed
Package 'spotify-client-gnome-support' is not installed, so not removed
Package 'spotify-client-qt' is not installed, so not removed
The following packages will be REMOVED:
  spotify-client*
0 upgraded, 0 newly installed, 1 to remove and 13 not upgraded.
After this operation, 305 MB disk space will be freed.
Do you want to continue? [Y/n]
Finally, we can remove the source list from our system:
$ rm /etc/apt/sources.list.d/spotify.list*
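Purging by name alone is the risky part of the procedure above, because a name such as nodejs is also shipped by Ubuntu's own archive. The following is an added example, not part of the original post: it compares installed versions against the versions the repo's cached Packages files offer. The function names are illustrative, and it assumes uncompressed list files as shown above.

```shell
#!/bin/sh
# Added example; function names are illustrative, not from the post.

# repo_pairs LISTS_DIR REPO_PREFIX
# Print "name version" for every stanza in the repo's cached Packages files.
# Assumes uncompressed list files, as shown in the post.
repo_pairs() {
    cat "$1"/"$2"*_Packages 2>/dev/null | awk '
        function flush() { if (p != "" && v != "") print p, v; p = v = "" }
        /^Package: / { flush(); p = $2 }
        /^Version: / { v = $2 }
        /^$/         { flush() }
        END          { flush() }
    ' | sort -u
}

# classify_installed LISTS_DIR REPO_PREFIX
# stdin:  "name version" per package known to dpkg.
# stdout: "name exact"     when the installed version is one the repo offers,
#         "name name-only" when only the name matches (review before purging).
# Packages the repo does not mention are not printed at all.
classify_installed() {
    pairs=$(mktemp) || return 1
    repo_pairs "$1" "$2" > "$pairs"
    awk -v repo="$pairs" '
        BEGIN {
            # Load every (name, version) pair the repo offers.
            while ((getline line < repo) > 0) {
                split(line, f, " ")
                names[f[1]] = 1
                offered[f[1] " " f[2]] = 1
            }
        }
        ($1 " " $2) in offered { print $1, "exact"; next }
        $1 in names            { print $1, "name-only" }
    ' | sort -u
    rm -f "$pairs"
}

# Real use, against the apt cache the post inspects:
#   dpkg-query -W -f='${Package} ${Version}\n' |
#       classify_installed /var/lib/apt/lists repository.spotify.com
```

Purge the exact matches; a name-only result means the installed copy is either an older build from that repo or came from another source, so check it with apt policy before removing it.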
Rinse and repeat for the other repositories, and soon we’ll have rid our system of not just a bunch of cruft that increases our attack surface, but also of a bunch of closed source, proprietary garbage that I never used in the first place.
Update: Don’t forget to also remove any lingering configuration or data from your home directory or the system in general. How to go about doing that differs per application, so I can’t give any instructions for that. I just did a “find -type d” in my home dir, grepped out a bunch of irrelevant stuff and then went through the entire list and did a “rm -rf” on anything I didn’t think was worth keeping around. Freed up about 90 Gb of disk space too! (mostly due to Steam). Make backups before you do this!
Also, when you’re done removing the source lists, you can just wipe the entire contents of /var/lib/apt/lists. It’ll get rebuilt when you do an apt update:
$ rm /var/lib/apt/lists/*
$ apt update
Now, I’m pretty sure that there is some arcane apt, dpkg, apt-get or add-apt-repository command to make this easier. The thing is that finding out which command does exactly what I wanted was taking up more time than just going ahead and cobbling together some shell one-liners myself.
Stay tuned for a blog post on how I use VirtualBox with linked clones and a little shell script wrapper to super easily spin up a sandboxed virtual machine for each of my development projects!