launchpad-users team mailing list archive
Re: Why are there multiple keys for different PPAs from the same user/team?
On Tue, Apr 7, 2009 at 1:18 PM, Sense Hofstede <sense@xxxxxxxx> wrote:
> As you can see at the PPAs that made me think of this issue,
> all PPAs have a key of their own. Why?
> In my eyes this is weird behaviour. If I'm correct, signing packages
> has the purpose of making sure the package was really added by the
> maintainer of the repository and allowing you to track down the
> credibility of that person or team via his/her/their key.
> We don't use keys to prove that package X from repository Y comes from
> repository Y. This, however, is what Launchpad is doing at the moment.
> This problem has worsened since multiple PPAs per user/team were
> introduced. Now you have one key for every PPA.
> I think it would be much more logical to use, in case of humans, the
> main key (or let the user specify the preferred, in Launchpad imported
> key) be the PPA's key.
> I do understand that you have to generate a new one for a team.
> However, I think it would make sense to generate a key just once and
> use it for all other repositories.
> In one sentence: couple PPA keys to the maintainers, not to the PPAs.
I have discussed your ideas with Colin Watson and we agreed that new
signing keys for every single PPA are unnecessarily paranoid, which ends
up causing extra trouble for users without providing any clear benefit.
As you said, the signing-key should be used to trust a specific group
of users responsible for the contents of one or more repositories, not
necessarily a specific repository.
This issue will be addressed soon:
Thanks for your feedback.
Celso Providelo <celso.providelo@xxxxxxxxxxxxx>
IRC: cprov, Jabber: cprov@xxxxxxxxxx, Skype: cprovidelo
1024D/681B6469 C858 2652 1A6E F6A6 037B B3F7 9FF2 583E 681B 6469