We can't really use the traditional web of trust. I trust some Launchpad PPAs, but not others, so I can't just trust any key that Launchpad has signed. The only thing add-apt-repository could do is use a local key to automatically sign when someone requests that a new repository be added, which isn't much less messy than what we have today.
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1016643 Title: add-apt-repository downloads gpg key in an insecure fashion To manage notifications about this bug go to: https://bugs.launchpad.net/gnupg/+bug/1016643/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
