After adding a repository, software-properties should wait until the key is added before updating
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Software Properties | New | Undecided | Unassigned |
Bug Description
There is a race condition in adding a repository such as a PPA and reloading the sources. If the reload happens before the key is pulled from the keyserver, there will be numerous authentication warnings until the next time an update is run.
Steps to reproduce:
1. Under Other Software, click Add and add a PPA. I believe this asynchronously begins fetching the public key from the keyserver.
2. Within a reasonable amount of time (30 seconds), click Close on the Software Sources window. You will be prompted to Reload the sources.
3. Click Reload. An error dialog pops up, such as: "W: GPG error: http://
4. If the PPA replaces any already-installed packages, go to Update Manager. The new packages will be ready to install. Click Install Updates without clicking Check. You will again be shown a dialog listing the packages as "NOT AUTHENTICATED".
5. Cancel that. Finally click Check, re-downloading the sources and finally authenticating against the key, which has by now been fetched.
I believe this is a serious usability concern, as users will be scared off installing PPAs. It is also potentially a security concern if they do install unauthenticated packages.
The software-properties program should, in Step 1, show a synchronous dialog box saying "Fetching key from keyserver", which does not close until the key has been fetched (or an error has occurred). At that point, it would be safe to click Close and fetch the sources, with the key in the keychain.
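The race and the proposed synchronous wait, as an added sketch that is not software-properties code and not part of the original report. `RepoManager`, `wait_for_keys`, the PPA name and the key id are hypothetical, and the keyserver is a constructed stand-in controlled by an event.

```python
import threading
class RepoManager:
    """Toy model of the add-repository flow; all names here are hypothetical."""
    def __init__(self):
        self.keyring = set()   # key ids already trusted
        self.sources = {}      # repo -> id of the key that signs it
        self._pending = {}     # repo -> (fetch thread, result holder)
    def add_repository(self, repo, key_id, fetch_key):
        """Step 1 of the report: record the source, fetch its key asynchronously."""
        self.sources[repo] = key_id
        result = {"error": None}
        def worker():
            try:
                fetch_key(key_id)            # blocks until the keyserver answers
                self.keyring.add(key_id)
            except Exception as exc:         # fetch failed: key stays untrusted
                result["error"] = exc
        thread = threading.Thread(target=worker, daemon=True)
        self._pending[repo] = (thread, result)
        thread.start()
    def wait_for_keys(self, timeout=30.0):
        """Proposed fix: block until every fetch has finished or failed."""
        outcome = {}
        for repo, (thread, result) in list(self._pending.items()):
            thread.join(timeout)
            if thread.is_alive():
                outcome[repo] = TimeoutError("key fetch still running")
            else:
                outcome[repo] = result["error"]
                del self._pending[repo]
        return outcome

    def reload(self):
        """Return the repos whose index cannot be authenticated right now."""
        return sorted(r for r, k in self.sources.items() if k not in self.keyring)

def demo(fetch_ok=True):
    gate = threading.Event()                 # constructed stand-in for keyserver latency
    def fetch(key_id):
        gate.wait(5)
        if not fetch_ok:
            raise ConnectionError("keyserver unreachable")
    mgr = RepoManager()
    mgr.add_repository("ppa:example/constructed", "CONSTRUCTED-KEY-ID", fetch)
    racy = mgr.reload()                      # reload before the key has arrived
    gate.set()
    errors = mgr.wait_for_keys()             # the synchronous "Fetching key" step
    return racy, errors, mgr.reload()
```

`demo()` returns the unauthenticated repos seen by the early reload, the per-repo fetch errors, and the unauthenticated repos after waiting; with `fetch_ok=False` the error is surfaced and the repo stays flagged instead of being silently trusted.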