Comment 7 for bug 125103

Alexandre Vassalotti (avassalotti) wrote :

Dave Walker wrote:
> I don't think there should be a general key for all PPAs. I think it is quite important for separate users/projects to have their own keys,
> as mentioned above - to trust one user/projects archive is different to a blanket approval.

I don't see how having a single master key for all personal archives could be dangerous. GnuPG keys are used for two purposes:
  A. To verify the provenance of the source packages uploaded to the build system. The system checks the signature of the description files to tell if a source package comes from the owner (or one of the owners) of the PPA. If the signature is invalid, the package is rejected.
  B. To verify the integrity of the binary packages built by the system. This is done by signing the main release file, which contains (typically md5, sha1 and sha256) hashes of the files in the repository.

The problem this bug is about is in that second purpose. This is not about trusting the owner of an archive, but about trusting the build system used by the owner. Therefore, I believe having a single master key for all PPAs would be appropriate.

> Mass roll out of PPA approval could be potentially dangerous [...]

The authentication system is not used to approve a repository. If it were so, repositories couldn't be mirrored on different servers managed by different people without sharing the private key used to sign the release file. You approve a repository by adding its URL in your /etc/apt/sources.list, not by trusting the key used.
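As an added illustration of purpose B described above (this is example code written for this page, not code from the comment's author, from Launchpad or from apt), the following shows how the signed Release file carries the hashes that protect the rest of the repository: once the signature on the Release file has been verified (with gpgv, which is outside this example), every index file is checked against the size and SHA256 listed there. The repository contents, paths and the Origin value are constructed sample data, and `build_release`, `parse_release_hashes` and `verify_index` are names chosen for this example.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample Packages index for a hypothetical PPA (not real data).
SAMPLE_PACKAGES = b"""Package: hello
Version: 2.4-1
Architecture: amd64
Filename: pool/main/h/hello/hello_2.4-1_amd64.deb
Size: 12345
SHA256: 0000000000000000000000000000000000000000000000000000000000000000

"""

# Release file hash sections, in the order apt-ftparchive style tools emit them.
HASH_SECTIONS = (("MD5Sum", "md5"), ("SHA1", "sha1"), ("SHA256", "sha256"))


def build_release(files: Dict[str, bytes], suite: str = "hardy") -> str:
    """Build the unsigned body of a Release file: a few headers followed by
    MD5Sum, SHA1 and SHA256 sections listing every index file in the
    repository as ' <hexdigest> <size> <path>'. The signature (Release.gpg
    or a clearsigned InRelease) would be made over exactly this text."""
    lines = [
        "Origin: LP-PPA-example",  # constructed value, not a real PPA
        f"Suite: {suite}",
        "Architectures: amd64",
        "Components: main",
    ]
    for header, algo in HASH_SECTIONS:
        lines.append(f"{header}:")
        for path, data in sorted(files.items()):
            digest = hashlib.new(algo, data).hexdigest()
            lines.append(f" {digest} {len(data)} {path}")
    return "\n".join(lines) + "\n"


def parse_release_hashes(release_text: str) -> Dict[str, Dict[str, Tuple[str, int]]]:
    """Parse the hash sections of a Release file into
    {section: {path: (hexdigest, size)}}. Lines beginning with a space belong
    to the most recently seen 'MD5Sum:', 'SHA1:' or 'SHA256:' header; any
    other header line ends the current section."""
    known = {header for header, _ in HASH_SECTIONS}
    sections: Dict[str, Dict[str, Tuple[str, int]]] = {}
    current = None
    for line in release_text.splitlines():
        if line.startswith(" "):
            if current is None:
                continue  # continuation of a non-hash header, ignore
            parts = line.split()
            if len(parts) != 3:
                raise ValueError(f"malformed hash line: {line!r}")
            digest, size, path = parts
            sections[current][path] = (digest, int(size))
        else:
            key, _, _ = line.partition(":")
            if key in known:
                current = key
                sections.setdefault(current, {})
            else:
                current = None
    return sections


def verify_index(release_text: str, path: str, data: bytes) -> bool:
    """Return True only if `data` matches the SHA256 entry for `path` in the
    (already signature-verified) Release file. Size is checked first, then
    the digest, using a constant-time comparison. Only SHA256 is trusted;
    the MD5Sum and SHA1 sections are parsed but deliberately not used."""
    entry = parse_release_hashes(release_text).get("SHA256", {}).get(path)
    if entry is None:
        return False  # a file the Release does not list is not covered
    expected, size = entry
    if len(data) != size:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    index_path = "main/binary-amd64/Packages"
    release = build_release({index_path: SAMPLE_PACKAGES})
    print(release)
    print("intact index verifies:", verify_index(release, index_path, SAMPLE_PACKAGES))
    tampered = SAMPLE_PACKAGES.replace(b"Size: 12345", b"Size: 12346")
    print("tampered index verifies:", verify_index(release, index_path, tampered))
```

The chain this demonstrates is the one the comment relies on: the key only has to vouch for the Release file, the Release file vouches for the Packages index, and the Packages index in turn lists the SHA256 of each .deb. A mirror can serve all of these files unchanged without holding the signing key, which is why adding the key says nothing about which server you fetch from.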