publishing signed .changes from PPAs allow reuploading the same binary to main distro
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
New
|
Undecided
|
Unassigned |
Bug Description
Currently, when you upload something to a PPA, the .changes file gets published together with the source. This can lead to the following scenario:
- Alice is a member of ubuntu-core-dev and maintains the telepathy packages. She has a PPA where she uploads crack-of-the-day builds which should not go into hardy (which is the current development release). Since Launchpad doesn't allow different PPAs to have different keys associated with them, her uploads are signed with her normal key which allows uploading to hardy.
- Mallory wants to destabilise the Telepathy packages in Ubuntu. Since he is not even an Ubuntu member, he can not in any way upload to the main distribution. However, he can take the unstable and experimental packages from Alice's PPA, including the .changes file and upload that to Ubuntu proper.
This is, obviously not a good thing.
Some ways to solve this problem would be to:
- Not publish the .changes file for PPAs, or strip the PGP signature
- Make the upload target have to be distro/ppa-name
- Allow other keys than your main key to be associated with a particular PPA. (This can be good to have for other purposes too, like doing daily builds out of RCS.)
visibility: | private → public |