launchpad-dev team mailing list archive

Thread
Date

Re: users confused by lack of signatures on the PPA signing key

To: Launchpad Community Development Team <launchpad-dev@xxxxxxxxxxxxxxxxxxx>
From: Julian Edwards <julian.edwards@xxxxxxxxxxxxx>
Date: Mon, 10 Aug 2009 12:22:44 +0100
Cc: Martin Pool <mbp@xxxxxxxxxxxxx>
In-reply-to: <e01316480908092213t3193b08br9fe382afe732570c@mail.gmail.com>
Organization: Canonical Ltd
User-agent: KMail/1.12.0 (Linux/2.6.28-14-generic; KDE/4.3.0; x86_64; ; )

On Monday 10 August 2009 06:13:23 Martin Pool wrote:
> https://bugs.edge.launchpad.net/soyuz/+bug/410745
>
> This seems to have come up a few times - users are surprised/confused
> that the PPA key looks very generic and that it's not signed by the
> developers.
>
> I'm not sure precisely what we should be doing.  Maybe they should all
> be signed by a master key?  Maybe Launchpad should recommend that
> projects sign it with some other key?

The original intention was to have the PPA owner sign the key.  Signing with 
one master key doesn't really achieve anything other than redirecting the 
issue of trust to another machine-owned key (as opposed to human-owned) that 
you don't necessarily know about.

Do you think we need better instructions for PPA owners telling them to sign 
the PPA key?  Could we show keys that signed it on the PPA page itself?

Cheers.

Follow ups

Re: users confused by lack of signatures on the PPA signing key
From: Martin Pool, 2009-08-10

References

users confused by lack of signatures on the PPA signing key
From: Martin Pool, 2009-08-10