using 12345678 in ppa examples is a security risk

Bug #408175 reported by Martin Pool
This bug report is a duplicate of: Bug #631868: Adding PPAs pop-up confusing.
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Launchpad itself | New | Undecided | Unassigned | |

Bug Description

The popup help on the PPA page says

> Step 2: Open your terminal and enter:
>
> sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 12345678
>
> Replace 12345678 with the key id you copied in step 1.

Users never read instructions and are therefore likely to copy and paste the whole command. This will result in them trusting key 12345678, which does exist and is owned by some random person, not necessarily trustworthy. Why not just use the real ID, or show the real command inline in the page?

It's possible to apt-key remove it but people may not know how.

Also, the dialog explaining the instructions appears in the perfect place to obscure the data you need to have to use it. Please put it in a real browser window instead.

Also, the close button for this help window is just a little dot with no text.

Tags: lp-soyuz
Martin Pool (mbp) wrote :
visibility: private → public
This report contains Public Security information  
Everyone can see this security related information.
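A check for the situation this report describes, added here as an example and not part of the original bug report or of Launchpad's code: it scans a `gpg --with-colons` key listing for a primary key whose short ID equals the placeholder. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find keys whose short (8-hex-digit) ID matches a
# documentation placeholder such as 12345678.

# find_keys_by_short_id SHORT_ID
# Reads a gpg colon-format key listing on stdin and prints the long key ID
# of every primary key ("pub" record) whose last 8 hex digits equal SHORT_ID.
find_keys_by_short_id() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "pub" {
            id = toupper($5)                      # field 5 is the long key ID
            if (length(id) >= 8 && substr(id, length(id) - 7) == want)
                print id
        }'
}

# Constructed sample listing (these are not real keys).
sample_listing() {
    cat <<'EOF'
tru::1:1262304000:0:3:1:5
pub:-:1024:17:AAAABBBB12345678:1199145600:::-:::scESC:
uid:-::::1199145600::0000::Constructed Placeholder Owner <owner@example.invalid>:
sub:-:2048:16:CCCCDDDD12345678:1199145600::::::e:
pub:-:2048:1:1234567890ABCDEF:1230768000:::-:::scESC:
uid:-::::1230768000::0000::Constructed PPA Key <ppa@example.invalid>:
EOF
}

# Only the first "pub" record matches: the short ID is the *last* 8 digits
# of the long ID, and subkey ("sub") records are ignored.
audit_sample() {
    sample_listing | find_keys_by_short_id 12345678
}

audit_sample

# Against the live apt keyring:
#   apt-key adv --list-public-keys --with-colons | find_keys_by_short_id 12345678
# If that prints a key ID that was imported by pasting the placeholder command:
#   sudo apt-key del 12345678
```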