On Mon, Aug 10, 2009 at 10:25 AM, Martin Pool <[email protected]> wrote:
> 2009/8/10 Celso Providelo <[email protected]>:
>> I personally think that signing the PPA signing-key is wasteful and
>> misleading, signers do not have any control on them, by signing a PPA
>> signing-key we are merely confirming that you trust https, because
>> that's the way you used to confirm that the key you signed was the one
>> LP generated.
>>
>> A user decides to trust bzr-uploaders the moment he accesses the bzr
>> PPA page and adds it to his system, not because he is satisfied with
>> the signatures the bzr PPA signing-key has, IMO. That's way different
>> than Martin signing John's key because they've met during All Hands
>> and IDs were checked.
>>
>> For all the effects LP is the central, and only, point of trust. If it
>> gets compromised all signing keys will be revoked and new ones will be
>> generated, users will be warned to drop & reload their PPA keys.
>
> Well, that's basically the point I tried to make in
> <https://bugs.edge.launchpad.net/soyuz/+bug/410745> - but it's not the
> first time it came up, and apparently it does worry people. If this
> is how you're going to do it then maybe having a FAQ or Help page
> explaining it would be good.

Martin,

Right, I forgot to mention that I was *agreeing* with your original point :)

I believe that improving the PPA Help section that explains how to get
the signing-keys will suffice. I hope Matt Revell can help me to find
the appropriate words for this.

[]
--
Celso Providelo <[email protected]>
IRC: cprov, Jabber: [email protected], Skype: cprovidelo
1024D/681B6469 C858 2652 1A6E F6A6 037B B3F7 9FF2 583E 681B 6469

_______________________________________________
Mailing list: https://launchpad.net/~launchpad-dev
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~launchpad-dev
More help   : https://help.launchpad.net/ListHelp

