Comment 0 for bug 1667725

Revision history for this message
Scott Moser (smoser) wrote :

Currently, for a ppa, launchpad makes the long key fingerprint available over https.
I'd like to request that it also make the full public key available over https.

Many people use add-apt-repository extensively for using ppas ('add-apt-repository -y smoser/archive')

As I understand it, that basically does:
 a. request the 'archive urls', 'description' and long key fingerprint over https from launchpad.net
 b. does gpg --recv <long-key-fingerprint> from hkp://keyserver.ubuntu.com:80/ (or the --keyserver argument)
 c. adds the result of 'b' to apt using 'apt-key'

Since launchpad is the owner of the signing key for the ppa, why not have it just give us the full public key over the same api that it provides the other bits of information?

My experience is that gpg servers are less reliable than we'd like, and even if they were as reliable as launchpad, any use of a ppa now effectively depends on 2 external systems when 1 could suffice.