On Tue, Apr 7, 2009 at 1:18 PM, Sense Hofstede <sense@xxxxxxxx> wrote:

> Hello,
>
> As you can see at the PPAs that made me think of this issue [1][2],
> all PPAs have a key of their own. Why?
>
> In my eyes this is weird behaviour. If I'm correct, signing packages
> has the purpose of making sure the package was really added by the
> maintainer of the repository and allowing you to track down the
> credibility of that person or team via his/her/their key.
> We don't use keys to prove that package X from repository Y comes from
> repository Y. This, however, is what Launchpad is doing at the moment.
> This problem has worsened since multiple PPAs per user/team were
> introduced. Now you have one key for every PPA.
>
> I think it would be much more logical to use, in the case of humans, the
> main key (or let the user specify the preferred key imported into
> Launchpad) as the PPA's key.
> I do understand that you have to generate a new one for a team.
> However, I think it would make sense to generate a key just once and
> use it for all other repositories.
>
> In one sentence: couple PPA keys to the maintainers, not to the PPAs.

Hi Sense,

I have discussed your ideas with Colin Watson and we agreed that new signing keys for every single PPA are unnecessary paranoia, which ends up causing extra trouble for users without providing any clear benefit.

As you said, the signing key should be used to trust a specific group of users responsible for the contents of one or more repositories, not necessarily a specific repository.

This issue will be addressed soon: https://bugs.edge.launchpad.net/soyuz/+bug/357177

Thanks for your feedback.

--
Celso Providelo <celso.providelo@xxxxxxxxxxxxx>
IRC: cprov, Jabber: cprov@xxxxxxxxxx, Skype: cprovidelo
1024D/681B6469 C858 2652 1A6E F6A6 037B B3F7 9FF2 583E 681B 6469
This is the launchpad-users mailing list archive — see also the general help for Launchpad.net mailing lists.