Launchpad Package Upload Improvements

FTP
Photo by Anton Lindqvist. Licence: CC BY 2.0.

Launchpad has an anonymous FTP server that people use to upload source packages to Ubuntu and their PPAs. When Launchpad processes the upload it does a huge number of checks, one of which is verifying the GPG signature on the upload’s .changes file.

One of the problems with this is that if there’s a problem with the signature, or there is no signature at all, Launchpad simply throws the upload away as it cannot be sure who uploaded the package. If it tried to send an email it would also quickly become a spam vector! (See bug 374019)

In today’s release, there is a brand new FTP server that will do preliminary GPG signature checks right in the FTP session itself. If you upload a package that is not signed properly, you’ll see a message that looks like this:

Uploading to launchpad (via ftp to ppa.launchpad.net):
Uploading hello_2.5-1ubuntu1.dsc: done.
Uploading hello_2.5-1ubuntu1.diff.gz: done.
Uploading hello_2.5-1ubuntu1_source.changes: 1k/2k550 (‘Changes file must be signed with a valid GPG signature: Verification failed 3 times: ["(7, 8, u\'Bad signature\')", "(7, 8, u\'Bad signature\')", "(7, 8, u\'Bad signature\')"] ‘,): Permission denied.
Note: This error might indicate a problem with your passive_ftp setting.
Please consult dput.cf(5) for details on this configuration option.

which means you get immediate feedback instead of your upload disappearing entirely!

As a bonus, this new FTP server also fixes another long-standing bug where uploads would hang with 1k left to go.

This checking is not available on the SFTP service yet, but we hope to implement that in the near future.

One Response to “Launchpad Package Upload Improvements”

  1. andrewsomething Says:

    Thank you! Ever since I switch to using the sftp option for Ubuntu uploads, I haven’t run into bug #251685. But I used to bang my head into it repeatedly. Very glad to hear that it’s finally been squashed!

Leave a Reply