© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
> What this hypothetical attacker can NOT do, though, is get the signatures of the Bazaar maintainers on his fake
> key. Their signature(s) on the PPA key would add a lot more trust. They're the ones creating the packages in the
> first place, so you're already trusting them with your computer's security when you install the packages they
> created. (In other words, if they're in cahoots with the hypothetical attacker, you've already been compromised).
> Therefore if they were to give their official "stamp of approval" on the PPA signing key by signing it with their own
>keys, I'd be confident that it's genuine.
The Bazaar maintainers don't create the package, some process on Launchpad does.
If some random hacker is able to list an invalid fingerprint on Launchpad (this would require compromising Launchpad) then I don't see why they wouldn't be able to compromise Launchpad's build system that creates the package and have that create malicious packages.