Allow signing for Personal Package Archives (PPA). APT does not use SSL, so there is no security. Someone could send you a modified package. I want to know if the package is really from this person I trust.
Yes, but just with trusted keys.
Anyone could create a priveate/public key pair, even George Bush - ok, he maybe not, but all other people with some brains, snd sign his/her ppa packages with it...
That would be as "secure" as non-signed ones.
With Launchpad's Personal Package Archives (PPA), you can build and publish binary Ubuntu packages for multiple architectures simply by uploading an Ubuntu source package to Launchpad. Every individual and team in Launchpad gets their own PPA.
Installing and uninstalling software from a PPA is just as easy as installing software from Ubuntu's primary archive. This makes it an ideal way to distribute beta versions, daily builds and other versions of your software for testing, without having to ask your testers to compile your software from source.
C'mon, Eldmannen, copy'n'paste from
does not help if the info about this idea is missing.
First you forgot the following:
"Important: when you install software from a PPA, Ubuntu will warn you that it is unsigned. PPA packages are unsigned because they are not official Ubuntu packages. You should make sure that you're confident in the PPA owner's abilities before you install their packages."
And second: we know that it is not possible - this idea is about ALLOWING it.
The warning from apt is triggered when the package is unsigned. If you set up your own repository on your own server you can sign your own packages, and if the user trusts the key (using the 'apt-key' command), no warning is presented. If the warning is meant only for non-official packages the code that triggers the warning should be changed.
The reason one would want to have signed packages from a PPA, is that they are using a connection vulnerable to man in the middle attacks. The only way to avoid such attacks would be to use signed packages, or by retrieving the packages over https (which lets you verify the identity of the server, etc).
wrote on the 22 Oct 08 at 14:22
According to bug #125103, a fix for this is in progress.
Information for those reluctant to this idea: You are missing the point. Signing a package doesn't say wheter you trust the packager or not, but rather if the package comes from where you requested it or if it was modified on its way to your PC.
wrote on the 18 Dec 08 at 15:33