© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
IMO, PPA needs only one key for signing.
As uploader you verify your identity when you are uploading package _source_ to PPA.
PPA's signature verifies that the data you get when installing package means that it came from PPA without data loss/corruption
Signature verifies the source of data and it's integrity, but not it's reliability.
Concerning packages: No signatures and encryption won't ensure that you can't trust software you download from PPA. And it doesn't matter if it is signed or not. And you can't be sure it doesn't contain any 'badware' unless you look through the source (something unreal in most cases, and unreal to ordinary users). By downloading package you agree that you trust it. If you don't - don't download and install it.
So, signing will just ensure data integrity. It can't provide more, it isn't designed to do so. As a bonus, you will get rid of annoying messages and the bug with dist-upgrade. There's no reason for lots of keys for each PPA or some other forms of signing and encryption - they wouldn't bring you security.