Comment 4 for bug 410745

Martin Pool (mbp) wrote : Re: [Bug 410745] Re: PPA GPG key needs more signatures

2009/8/10 Robin Munn <email address hidden>:
> Personally, I don't use the fingerprints shown by Launchpad as a way of
> verifying the keys. As you indirectly point out, if someone's managed to
> substitute his own key for the official PPA key on Launchpad's servers,
> it will dutifully hand me the fingerprint of the fake key.

If the attacker can break into Launchpad they can cause arbitrary
packages to be signed by the existing key.

> Checking the
> fingerprint provided by Launchpad can't prove that to me, but checking a
> GPG signature (or ten) by the member(s) of the official Bazaar team can
> prove it.

Do you want me to do any checking before signing this key, or just go
ahead and sign it now?

--
Martin <http://launchpad.net/~mbp/>