© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
67d34a1
(Get the code!)
1.
A download link is not an option! Debian is good because it shows users which software can be updated and let it be updated with very simple actions. *.deb downloads are a nice extra but should never be the wanted way to go.
2.
A software-package should not be altered to fit Ubuntu-PPA! No keyring dependencies and no automatic sources.list additions! PPA-packages should be easily migrate-able to other repositories like sid or universe!
3.
https is not really needed because dns-spoofing is not an option for most attacks and the system is protected by package- and repository-signing
4.
Repository-signing should be done by launchpad with one separate key per user- and group-repository!
It would mean that we trust the launchpad distribution system. Unless you host your own repository on your own computer and mirror that on the net, you always have to trust the repository-
A less comfortable but more secure way to go would be to commit every upload, by unlocking the signing-key stored on launchpad each time a package should be committed to the repository.
I think it is enough to trust the users package-signature and let launchpad do the repository-
5.
Launchpad should automatically generate a keyring-