launchpad-dev team mailing list archive

Re: users confused by lack of signatures on the PPA signing key

 

On Monday 10 August 2009 13:35:37 Martin Pool wrote:
> 2009/8/10 Julian Edwards <julian.edwards@xxxxxxxxxxxxx>:
> > The original intention was to have the PPA owner sign the key.  Signing
> > with one master key doesn't really achieve anything other than
> > redirecting the issue of trust to another machine-owned key (as opposed
> > to human-owned) that you don't necessarily know about.
> >
> > Do you think we need better instructions for PPA owners telling them to
> > sign the PPA key?  Could we show keys that signed it on the PPA page
> > itself?
>
> I've never seen such an instruction, so maybe you do need better
> instructions - perhaps when setting up the archive you could send mail
> to the team owners and/or show a message on the archive page.
>
> The keyserver does actually have a page that shows signers so you
> could just link to that.  There is some weakness that the keyserver
> links are not over https.

I think what we could do is put a nag message shown only to a PPA owner to 
encourage them to sign the key, if it's not already been done.

Then, we can put a general message on the index confirming the trust, and link 
to the keyserver page.

Michael, can you factor this into your PPA page redesign please!

Martin, thanks for raising this issue, it's a good time to get these changes 
in. :)

J


