
launchpad-dev team mailing list archive

Re: users confused by lack of signatures on the PPA signing key


On Mon, Aug 10, 2009 at 9:48 AM, Julian Edwards <julian.edwards@xxxxxxxxxxxxx> wrote:
> On Monday 10 August 2009 13:35:37 Martin Pool wrote:
>> 2009/8/10 Julian Edwards <julian.edwards@xxxxxxxxxxxxx>:
>> > The original intention was to have the PPA owner sign the key.  Signing
>> > with one master key doesn't really achieve anything other than
>> > redirecting the issue of trust to another machine-owned key (as opposed
>> > to human-owned) that you don't necessarily know about.
>> >
>> > Do you think we need better instructions for PPA owners telling them to
>> > sign the PPA key?  Could we show keys that signed it on the PPA page
>> > itself?
>>
>> I've never seen such an instruction, so maybe you do need better
>> instructions - perhaps when setting up the archive you could send mail
>> to the team owners and/or show a message on the archive page.
>>
>> The keyserver does actually have a page that shows signers so you
>> could just link to that.  There is some weakness that the keyserver
>> links are not over https.
>
> I think what we could do is put a nag message shown only to a PPA owner to
> encourage them to sign the key, if it's not already been done.
>
> Then, we can put a general message on the index confirming the trust, and link
> to the keyserver page.
>
> Michael, can you factor this into your PPA page redesign please!
>
> Martin, thanks for raising this issue, it's a good time to get these changes
> in. :)

Do we really want to include an implicit keyserver hit on every
PPA:+index page load for listing signing key signatures?

Leaving aside the performance and availability issues, I don't see why we
are making the signing-key acceptance a manual procedure. Note that
karmic software-properties automatically adds the signing-key, trusting
LP via HTTPS, without even asking for the user's attention.

I personally think that signing the PPA signing-key is wasteful and
misleading: signers do not have any control over them. By signing a PPA
signing-key we are merely confirming that you trust HTTPS, because
that's what you used to confirm that the key you signed was the one
LP generated.

A user decides to trust bzr-uploaders the moment he accesses the bzr
PPA page and adds it to his system, not because he is satisfied with
the signatures the bzr PPA signing-key has, IMO. That's way different
from Martin signing John's key because they met during All Hands
and IDs were checked.

For all intents and purposes, LP is the central, and only, point of trust. If it
gets compromised, all signing keys will be revoked and new ones will be
generated, and users will be warned to drop & reload their PPA keys.

-- 
Celso Providelo <celso.providelo@xxxxxxxxxxxxx>
IRC: cprov,  Jabber: cprov@xxxxxxxxxx, Skype: cprovidelo
1024D/681B6469 C858 2652 1A6E F6A6 037B  B3F7 9FF2 583E 681B 6469
