2026/08/08 –, AU
Every day, millions of users type apt update and apt install and software appears on their system as if by magic. Behind this simple command lies a sophisticated infrastructure of cryptographic safeguards, precise archive organization, and rigorous human review. This talk is an invitation to look under the hood and trace the full lifecycle of an Ubuntu package, from the central archive to the local machine.
The journey begins with an exploration of the repository architecture. We will break down how your system's repository configuration maps to a structured archive where metadata and installable packages are organized separately. We will discuss how Ubuntu manages change over a release's lifetime through distinct channels for security fixes, stable updates, and backported features, and how the archive groups packages by the level of support and maintenance they receive.
Trust is the backbone of this ecosystem. We will demonstrate the "Chain of Trust" that ensures package authenticity, illustrating how the system verifies that software is genuine and untampered with, even when fetched over potentially untrusted network mirrors. This section illustrates how a single signed file at the top anchors the trust for every package in the archive.
Finally, we will explore the human "gatekeepers" of the ecosystem. We will demystify the procedural checks and balances, such as the security auditing and stable release update processes that ensure software remains reliable long after a version is released.
More info: https://events.canonical.com/event/146/contributions/946/
Shishir is a security engineer at Canonical, where he works on mitigating vulnerabilities across applications in the Ubuntu archive. He holds a degree in computer engineering and has hands-on experience in open-source security, application hardening, and infrastructure security. When not at a terminal, he can be found on a football pitch, at a table tennis table, or on a hiking trail.