New domain names for PPAs

Since they were introduced in 2007, Launchpad’s Personal Package Archives (PPAs) have always been hosted on ppa.launchpad.net. This has generally worked well, but one significant snag became clear later on: it was difficult to add HTTPS support for PPAs due to the way that cookies work on the web.

Launchpad uses a cookie for your login session, which is of course security-critical, and because we use multiple domain names for the main web application (bugs.launchpad.net, code.launchpad.net, and so on), the session cookie domain has to be set to allow subdomains of launchpad.net. We set the “Secure” flag on session cookies to ensure that browsers only ever send them over HTTPS, as well as the “HttpOnly” flag to prevent direct access to it from JavaScript; but there are still ways in which arbitrary JS on an HTTPS subdomain of launchpad.net might be able to exfiltrate or abuse users’ session cookies. As a result, we can never allow any HTTPS subdomain of launchpad.net to publish completely user-generated HTML that we don’t process first.

We don’t currently know of a way to get ppa.launchpad.net to serve arbitrary HTML as Content-Type: text/html, but this is quite a brittle protection as there are certainly ways (used for things like installer uploads) to upload arbitrary files to ppa.launchpad.net under a user-controlled directory structure, and we don’t want the webapp’s security to depend on nobody figuring out how to convince a browser to interpret any of that as arbitrary HTML. The librarian is already on a separate launchpadlibrarian.net domain name for a similar reason.

To resolve this dilemma, we’ve added a new ppa.launchpadcontent.net domain name which supports both HTTP and HTTPS (and similarly private-ppa.launchpadcontent.net for private PPAs, which as before is HTTPS-only). add-apt-repository in Ubuntu 22.04 will use the new domain name by default.

The old names will carry on working indefinitely – we know they’re embedded in lots of configuration and scripts, and we have no inclination to break all of those – but we recommend moving to the new names where possible. ppa.launchpad.net will remain HTTP-only.

Some systems may need to be updated to support the new domain name, particularly things like HTTP(S) proxy configuration files and no_proxy environment variables.

Tags: , ,

5 Responses to “New domain names for PPAs”

  1. CARLOS VALENTE Says:

    Dear PPA owner!

    Thank you for your work on the AppName.
    It would be great if you create the package for it for Ubuntu
    https://ppa.launchpadcontent.net/rock-core/qt4/ubuntu jammy Release
    release.

    With best re

  2. No Ping Says:

    Aha, so, do your recent changes explain why ping-ing “ppa.launchpad.net” now gives 100% packet loss, yeah? (The ping stage of my update-script started showing this 100% packet loss, although the actual apt-get update and download of .deb files proceeded OK.)

  3. Clay Says:

    Will add-apt-repository in Ubunutu 22.04 also use signed-by instead of apt-key add?

  4. Colin Watson Says:

    No Ping: Sorry for not noticing this comment until now in the enormous flood of spam. We fixed the lack of ICMP in our new deployment a while later – revision control history suggests it would have been around June 2022.

  5. Colin Watson Says:

    CARLOS VALENTE: Please refer this sort of question to the owner of the PPA in question – we only provide hosting.

Leave a Reply