Understanding PPAs

Understanding PPAs

A PPA (Personal Package Archive) is a third-party repository hosted on Launchpad, Canonical’s development platform. PPAs let software developers publish Ubuntu packages without going through the official Ubuntu archive. They are commonly used to get newer versions of software than Ubuntu’s repositories provide, such as a newer PHP version, the latest Git, or software that is not in the official repos at all.

What a PPA is

When you add a PPA, you are adding a third-party repository to your system. The packages in a PPA are not reviewed by Canonical or the Ubuntu security team — they are maintained by whoever created the PPA. This is the key risk: a PPA package can install anything, including packages that override system libraries.

Adding a PPA

# Install the tool if not present
sudo apt install -y software-properties-common

# Add a PPA by its name
sudo add-apt-repository ppa:ondrej/php

# Always update after adding a PPA
sudo apt update

# Now install the package from the PPA
sudo apt install php8.3-fpm

# Verify the package came from the PPA (not the official repo)
apt-cache policy php8.3-fpm

Example: apt-cache policy shows where a package comes from

php8.3-fpm:
  Installed: 8.3.6-1+ubuntu22.04.1+deb.sury.org+1
  Candidate: 8.3.6-1+ubuntu22.04.1+deb.sury.org+1
  Version table:
 *** 8.3.6-1+ubuntu22.04.1+deb.sury.org+1 500
        500 http://ppa.launchpad.net/ondrej/php/ubuntu jammy/main
     8.1.2-1ubuntu2.17 500
        500 http://archive.ubuntu.com/ubuntu jammy/main

Removing a PPA

# Remove a PPA (removes the source entry but does NOT downgrade packages)
sudo add-apt-repository --remove ppa:ondrej/php
sudo apt update

# To also downgrade packages to the official Ubuntu version:
sudo apt install ppa-purge
sudo ppa-purge ppa:ondrej/php

# Manually remove a PPA's .list file
ls /etc/apt/sources.list.d/
sudo rm /etc/apt/sources.list.d/ondrej-ubuntu-php-jammy.list
sudo apt update

💡 TIP: ppa-purge is the cleanest way to remove a PPA. It not only removes the repository but also reverts installed packages to their official Ubuntu versions. This is important because removing the PPA source without downgrading leaves you with packages that have no security update path.

Pinning packages to prefer a PPA version

When both an official repo and a PPA have a package, APT uses the version with the highest priority. You can control this with APT pinning.

# Check current priorities for a package
apt-cache policy nginx

# Pin a specific version to prevent upgrades
echo "Package: nginx
Pin: version 1.24.*
Pin-Priority: 1001" | sudo tee /etc/apt/preferences.d/nginx-pin

# Apply the pin
sudo apt update
apt-cache policy nginx

When to trust a PPA

Before adding a PPA to a production server, evaluate it:

• Use the official vendor PPA when available: Docker (download.docker.com), nginx (nginx.org), MySQL (dev.mysql.com), and many others publish their own official repositories. These are more reliable than third-party Launchpad PPAs.
• Check the PPA maintainer on Launchpad: Is this a well-known maintainer? How many subscribers? When was it last updated?
• Ondrej Sury’s PHP PPA (ppa:ondrej/php): This is the de facto standard for getting newer PHP versions on Ubuntu. It is widely used and actively maintained.
• Never add a random PPA from a blog post to a production server without verifying the maintainer is trustworthy.

Conclusion

PPAs provide access to newer packages than Ubuntu’s repos offer but come without Canonical’s security review. Use PPAs from known, trusted maintainers (official vendor repos or established community maintainers) and avoid them on high-security servers where package provenance matters. Use ppa-purge rather than just deleting the .list file when removing a PPA, so your installed packages return to official versions.