Comment 36 for bug 125103

alsuren (alsuren) wrote:

@Per Hansen
1. I think a *.deb download for the keyring and sources.list.d is the best idea we've had so far. As long as the .deb is only used for bootstrapping, and can be automatically upgraded to (for example) revoke compromised keys, we should be okay. The only other reason to avoid manual *.deb downloads is that it's prone to dependency hell. We should try to make sure that the packages do not depend on anything that isn't already contained within stock Ubuntu/Debian.

2. is a good point. I only suggested the fake dependency for bootstrapping purposes, but a downloadable *.deb would be more elegant.

3. I agree. Simple HTTP is more scalable and cacheable. We want to make it easy for people to mirror PPAs if they become very popular.

4. The separate keys issue should be taken as settled.

Regarding the manual unlocking of keys for each upload: I think we're already forced to trust the Launchpad system to be secure, as we're using it for compilation. Trust in any key automatically implies trust in the machine on which the signing is done. I see no security benefit in having to manually unlock the key each time.

I agree with 5. Whether it should be a separate package from the one which installs the sources.list.d entry is an implementation detail.

@Bryan Donlan: I'm not sure whether Ubuntu should really be taking responsibility for signing the PPA keys of untrusted developers. The fact that Launchpad is served over https is probably a more appropriate trust path for this application. If any PPA keys appear in trusted repos, they should only be those of trusted developers. See my comment of 2008-02-11 for details.
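The bootstrap .deb from point 1, sketched as an added example that is not from this bug thread or from Launchpad: a POSIX shell function stages a package holding only the PPA keyring and a sources.list.d entry (using deb822 `Signed-By` so the key is trusted for that repository alone), and a second function checks that the control file's Depends names nothing outside a stock allowlist. The PPA name, URL, key bytes, version and maintainer are constructed placeholders.

```shell
#!/bin/sh
# Constructed example: PPA name, URI, version and key bytes are placeholders.
set -eu

# Stage the tree of a minimal bootstrap package: keyring + sources entry, nothing else.
# Args: staging dir, ppa name, path to a binary (dearmored) public key, suite codename
stage_ppa_bootstrap() {
  root=$1; name=$2; keyfile=$3; codename=$4
  mkdir -p "$root/DEBIAN" "$root/usr/share/keyrings" "$root/etc/apt/sources.list.d"
  cp "$keyfile" "$root/usr/share/keyrings/$name-archive-keyring.gpg"
  # Deb822 sources entry; Signed-By scopes this key to this repository only,
  # so it is never trusted for the main Ubuntu/Debian archives.
  cat > "$root/etc/apt/sources.list.d/$name.sources" <<EOF
Types: deb
URIs: https://ppa.example.invalid/$name/ubuntu
Suites: $codename
Components: main
Signed-By: /usr/share/keyrings/$name-archive-keyring.gpg
EOF
  # Depend only on what a stock install already has. A later version of this
  # package replaces the keyring file, which is how a compromised key is revoked.
  cat > "$root/DEBIAN/control" <<EOF
Package: $name-archive-keyring
Version: 2024.01.1
Architecture: all
Maintainer: PPA owner <ppa-owner@example.invalid>
Depends: apt
Description: bootstrap keyring and sources entry for $name (constructed example)
EOF
}

# Return 1 if the control file's Depends names a package outside the stock allowlist.
depends_only_on_stock() {
  control=$1
  deps=$(sed -n 's/^Depends: *//p' "$control" | tr ',' '\n' | sed 's/ *([^)]*)//; s/^ *//; s/ *$//')
  for d in $deps; do
    case " apt gnupg debian-archive-keyring ubuntu-keyring " in
      *" $d "*) ;;
      *) echo "non-stock dependency: $d" >&2; return 1 ;;
    esac
  done
  return 0
}
```

On a Debian-family host, `dpkg-deb --build <staging dir> <name>.deb` turns the staged tree into the installable bootstrap package.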