Just to clear some potention confusion:
On Tue, Apr 07, 2009 at 03:00:39PM -0300, Celso Providelo wrote:
> > In my eyes this is weird behaviour. If I'm correctly signing packages
> > has the purpose of making sure the package was really added by the
> > maintainer of the repository and allowing you to track down the
> > credibility of that person or team via his/her/their key.
> > We don't use keys to prove that package X from repository Y comes from
> > repository Y. This, however, is what Launchpad is doing at the moment.
I'm not sure why you say you don't use keys to prove that package X
comes from repository Y -- that is exactly what we use signed archives
for: to avoid the risk of a MITM impersonation of an archive.
The specific problem that Sense has pointed out here:
> > This problem has worsened since multiple PPAs per user/team were
> > introduced. Now you have one key for every PPA.
is what Celso is suggesting addressing here:
> I have discussed your ideas with Colin Watson and we agreed that new
> signing-keys for every single PPA is an unnecessary paranoid, which ends
> up causing extra trouble for users without providing any clear benefit.
This basically means that for the cases where a team or user has
multiple PPAs, we'd use the same key.
--
Christian Robottom Reis | [+55 16] 3376 0125 | http://launchpad.net/~kiko
| [+55 16] 9112 6430 | http://async.com.br/~kiko
This is the launchpad-users mailing list archive — see also the general help for Launchpad.net mailing lists.
(Formatted by MHonArc.)