launchpad-users team mailing list archive

Why are there multiple keys for different PPAs from the same user/team?



As you can see at the PPAs that made me think of this issue [1][2],
all PPAs have a key of their own. Why?

In my eyes this is weird behaviour. If I'm correct, signing packages
has the purpose of making sure the package was really added by the
maintainer of the repository and allowing you to track down the
credibility of that person or team via his/her/their key.
We don't use keys to prove that package X from repository Y comes from
repository Y. This, however, is what Launchpad is doing at the moment.
This problem has worsened since multiple PPAs per user/team were
introduced. Now you have one key for every PPA.

I think it would be much more logical, in the case of humans, to let the
main key (or a preferred key the user has imported into Launchpad and
specified) be the PPA's key.
I do understand that you have to generate a new one for a team.
However, I think it would make sense to generate a key just once and
use it for all other repositories.

In one sentence: couple PPA keys to the maintainers, not to the PPAs.

Kind regards,
Sense Hofstede

[1] https://launchpad.net/~vperetokin/+archive/ppa
[2] https://launchpad.net/~vperetokin/+archive/gnote