Comment 20 for bug 638384

Loïc Minier (lool) wrote :

From conversations on IRC, it seems this bug is different things to different people.

A couple of facts:
1) All Linaro images (rootfses and hwpacks) are already signed by a single GPG key which is per Offspring instance; there are separate .asc downloads for every image so that you can verify your download (if you have a trust path to this Offspring key).

2) While rootfses *might* currently include the PPA keys which were used to build the image (didn't check), the hwpacks do NOT include the PPA GPG keys of the repos used to build the hwpack.

I agree with James that it's quite some work to implement proper "builtin" (internal) signatures for hwpacks; it would be much less work to use the current external signatures (.asc). James is concerned that this makes an already complex process even more complex, but I think we would use our time better by making it easier to download Linaro bits (for instance by automation) rather than taking shortcuts on the security of hwpacks.