PPA GPG key needs more signatures
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Bazaar | Expired | Wishlist | Unassigned | |
Launchpad itself | Invalid | Undecided | Unassigned | |
Bug Description
The GPG signing key for the Bazaar PPA (https:/
It would be better if the PPA key were signed by several other people whose own GPG keys, in turn, have been signed by others. This would provide more confidence that the PPA GPG key, and the contents it verifies, are genuine and haven't been recently replaced by a Trojan horse. A clever attacker might be able to fool an email-address-
This is probably not a high-priority issue, but it would be nice to have more confidence in the Bazaar PPA key.
Changed in bzr:
status: New → Confirmed
importance: Undecided → Wishlist
status: Confirmed → Incomplete
I'm not sure that signing it would really add much meaningful security: you get the key fingerprint from Launchpad, the same system (though not precisely the same machine) that makes the archive. So if you trust Launchpad to give you the packages, presumably you also trust it to tell you what key to use. If I sign the key, it won't signify anything more than that at some point in the past I also got that key from Launchpad.
Perhaps there's no harm in encouraging more people to sign it. You can sign it yourself!
On the other hand, some people feel signing keys without verifying the real human owner is bad, and in this case there is no human owner.
See also bug 328402.