© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
Ah. Seems that I have misunderstood how apt signs packages. You're right: keyring packages stored inside the ppa are indeed unreliable for bootstrapping trust. They would only be useful in the same sense that ssh's server keys are useful.
I only suggested it because I know some people who have broken keychains, and just type "yes" each time they get the warning message (because that's what they did on windows). I think that this is really a bug in apt-get or aptitude though: the warning message should really contain instructions on how to import the required keys (ssh-style opportunistic cryptography is better than none at all). Doing everything from within the aptitude command would be ideal.
It would also *not* be sensible to have a central keychain repo that contains the keys for all PPAs, because that archive would be signing the keys of untrusted developers as well as trusted ones.
I still think that it would be useful to have a signed archive of keychain packages for PPAs whose maintainers *are* trusted though, as this *would* successfully bootstrap trust for these archives.