launchpad-dev team mailing list archive

[Christian Robottom Reis <kiko@xxxxxxxxxxxxx>]

On Mon, Aug 10, 2009 at 01:48:53PM +0100, Julian Edwards wrote:
> On Monday 10 August 2009 13:35:37 Martin Pool wrote:
> > 2009/8/10 Julian Edwards <julian.edwards@xxxxxxxxxxxxx>:
> > > The original intention was to have the PPA owner sign the key.  Signing
> > > with one master key doesn't really achieve anything other than
> > > redirecting the issue of trust to another machine-owned key (as opposed
> > > to human-owned) that you don't necessarily know about.
> > >
> > > Do you think we need better instructions for PPA owners telling them to
> > > sign the PPA key?  Could we show keys that signed it on the PPA page
> > > itself?
> >
> > I've never seen such an instruction, so maybe you do need better
> > instructions - perhaps when setting up the archive you could send mail
> > to the team owners and/or show a message on the archive page.
> >
> > The keyserver does actually have a page that shows signers so you
> > could just link to that.  There is some weakness that the keyserver
> > links are not over https.
> 
> I think what we could do is put a nag message shown only to a PPA owner to 
> encourage them to sign the key, if it's not already been done.

I think the point in this thread is that signing the key doesn't
actually achieve much and nagging the owner in that sense..
-- 
Christian Robottom Reis | [+55 16] 3376 0125 | http://launchpad.net/~kiko
                        | [+55 16] 9112 6430 | http://async.com.br/~kiko