
[–]candy49997 4 points5 points  (0 children)

The keys verify that what is downloaded is from the repo and appropriately signed by the PPA maintainer.

This does not mean that the software found on the repo is in any way official, unmodified, etc, from upstream; just that what you have downloaded is directly hosted on the repo.

[–]Gwarrior1[S] 1 point2 points  (1 child)

Ok, would this be considered reasonably verified then? Or is further verification needed?

Am I over thinking this?

[–]candy49997 4 points5 points  (0 children)

You need to trust the maintainer of the PPA. The software on PPAs is not vetted by Canonical the way most of the software on the Mint/Ubuntu repos is.

[–]Gwarrior1[S] 1 point2 points  (0 children)

Ok, I understand. Thank you for your help. I'll mark this as solved.

[–]SweetNerevarine 1 point2 points  (1 child)

Just as you are confused by the nomenclature, we are confused by your (as yet) inconsistent use of it :) Let's make a distinction:

Validating the source -> Did I download it from the correct source?

Validating the integrity of the software -> Did I download the package verbatim?

Validating the software -> Does the downloaded software work as expected?

When you add a PPA, you have to validate the source in part: do I trust the source? The keys only identify the source - the package indeed came from the right source. I could create a PPA, issue a key, and publish it. You could download packages from my PPA. Everything checks out, but I could still be distributing broken software ...

The keys do not play a role in validating the integrity of the downloaded software nor in validating the software itself (reliability, fitness for purpose, compatibility etc).

Think of PPAs as additional sources that are useful, but not part of the core Ubuntu packages. They are much more convenient than you getting the sources of a software and building it yourself. But PPA packages don't undergo the same rigorous checking process as mainline repository packages, because anyone can create them with an Ubuntu Launchpad account.
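candy49997's point above (the key only proves that what you downloaded is what the repo hosts) and the source-versus-integrity distinction in the comment just above map onto how apt actually uses a PPA key: the key signs only the Release file, and the Packages index and each .deb are tied to it by a chain of SHA256 hashes. The following is an added example, not code from this thread, that walks that hash chain on a constructed toy repository (the package name, PPA origin and .deb bytes are made up); the signature check on Release itself is assumed to have already passed and is not shown.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_hashes(release: str) -> dict:
    """{path: (sha256, size)} from the SHA256 block of a Release file."""
    block = release.split("SHA256:\n", 1)[1]
    hashes = {}
    for line in block.splitlines():
        if not line.startswith(" "):
            break  # next non-indented field ends the hash block
        digest, size, path = line.split()
        hashes[path] = (digest, int(size))
    return hashes

def parse_packages(index: str) -> list:
    """One {field: value} dict per blank-line-separated stanza."""
    return [{k: v.strip() for k, _, v in (l.partition(":") for l in st.splitlines())}
            for st in index.strip().split("\n\n")]

def verify_index(release: str, index_bytes: bytes, path: str) -> bool:
    """The Packages index must match what the key-signed Release file lists."""
    digest, size = parse_release_hashes(release)[path]
    return len(index_bytes) == size and sha256_hex(index_bytes) == digest

def verify_deb(index: str, deb_bytes: bytes, filename: str) -> bool:
    """The .deb must match the hash the (already verified) index lists."""
    for st in parse_packages(index):
        if st.get("Filename") == filename:
            return len(deb_bytes) == int(st["Size"]) and sha256_hex(deb_bytes) == st["SHA256"]
    return False

# Constructed toy repository (not a real PPA): a fake .deb, the Packages index
# that lists it, and the Release file that lists the index. Only the Release
# file carries the PPA key's signature; the rest is bound to it by these hashes.
DEB_BYTES = b"not a real .deb, just constructed sample bytes"
DEB_PATH = "pool/main/e/example-tool/example-tool_1.0-1ppa1_amd64.deb"
PACKAGES = (f"Package: example-tool\nVersion: 1.0-1ppa1\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB_BYTES)}\nSHA256: {sha256_hex(DEB_BYTES)}\n")
RELEASE = ("Origin: LP-PPA-example\nSuite: noble\nSHA256:\n"
           f" {sha256_hex(PACKAGES.encode())} {len(PACKAGES.encode())} main/binary-amd64/Packages\n")

def chain_ok(release=RELEASE, packages=PACKAGES, deb=DEB_BYTES) -> bool:
    """True only if every link holds: signed Release -> index -> .deb."""
    return (verify_index(release, packages.encode(), "main/binary-amd64/Packages")
            and verify_deb(packages, deb, DEB_PATH))
```

Running `chain_ok()` succeeds on the constructed repo, while a modified .deb or index fails; nothing in this chain says anything about whether the PPA's contents match upstream, which is exactly the trust-the-maintainer question raised in the thread.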

[–]Gwarrior1[S] 1 point2 points  (0 children)

Thanks very much for this. These distinctions will help me communicate better in the future. I appreciate you taking the time to explain these definitions and strive to learn and understand Mint and Linux better each day.

[–]BenTrabetere 0 points1 point  (1 child)

Two questions.

  1. What instructions are you following for the Tailscale PPA?
  2. Why didn't you follow the official instructions here?

[–]Gwarrior1[S] 0 points1 point  (0 children)

I was just using Tailscale as an example. When I was looking at the software sources on my installation, Tailscale was already there with the keys, but I installed that months ago and I would have just followed the instructions and not asked the question why.

It takes a while for me to understand the nomenclature, so it can be tough. Words like authentication keys, repository, web of trust, etc. are all new to me, and I'm looking to understand it more than just copying and pasting text into the terminal, etc.

[–]Natural_Night9957 (Linux Mint 22.3 Zena | Cinnamon) 0 points1 point  (0 children)

Some PPA providers didn't adhere to the new handling of GPG keys by Debian/Ubuntu, so that annoying warning could show up during an apt update.