Just to clear some potential confusion:

On Tue, Apr 07, 2009 at 03:00:39PM -0300, Celso Providelo wrote:
> > In my eyes this is weird behaviour. If I'm correct, signing packages
> > has the purpose of making sure the package was really added by the
> > maintainer of the repository and allowing you to track down the
> > credibility of that person or team via his/her/their key.
> > We don't use keys to prove that package X from repository Y comes from
> > repository Y. This, however, is what Launchpad is doing at the moment.

I'm not sure why you say you don't use keys to prove that package X comes
from repository Y -- that is exactly what we use signed archives for: to
avoid the risk of a MITM impersonation of an archive.

The specific problem that Sense has pointed out here:

> > This problem has worsened since multiple PPAs per user/team were
> > introduced. Now you have one key for every PPA.

is what Celso is suggesting addressing here:

> I have discussed your ideas with Colin Watson and we agreed that new
> signing-keys for every single PPA is unnecessarily paranoid, which ends
> up causing extra trouble for users without providing any clear benefit.

This basically means that for the cases where a team or user has multiple
PPAs, we'd use the same key.

--
Christian Robottom Reis | [+55 16] 3376 0125 | http://launchpad.net/~kiko
                        | [+55 16] 9112 6430 | http://async.com.br/~kiko
This is the launchpad-users mailing list archive.