PPA keys don't link to the archive / user that they are signing / signing for
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
Triaged
|
Low
|
Unassigned |
Bug Description
Launchpad's generated keys for signing have no indication of the PPA URL or the user's Launchpad username or their email address. They only have the user's real name, which is not great because it's not unique and it can be freely changed at any time. Example::
mbp@grace% gpg --list-keys CA9840026B51D222
pub 1024R/6B51D222 2009-01-26
uid Launchpad PPA for Dominic Sacré
Aside from anything else, this would be useful if I'm looking at which keys are currently trusted and trying to decide whether I can remove one or not.
Possibly the simplest fix would be to just put the URL in the UID like eg
"Launchpad PPA for Dominic Sacré <http://
This is mentioned in bug 309202, but it wasn't actually done when that bug was closed.
Changed in soyuz: | |
importance: | Undecided → Medium |
status: | New → Triaged |
Changed in soyuz: | |
assignee: | nobody → cprov |
milestone: | none → pending |
Changed in soyuz: | |
assignee: | Celso Providelo (cprov) → nobody |
Note that the Launchpad user nickname is also changeable by the user, so doesn't prevent users from playing tricks. That said, it probably is a good idea to include the nickname since it is possible to have multiple users in Launchpad with the same display name.