New domain names for PPAs

Since they were introduced in 2007, Launchpad’s Personal Package Archives (PPAs) have always been hosted on This has generally worked well, but one significant snag became clear later on: it was difficult to add HTTPS support for PPAs due to the way that cookies work on the web.

Launchpad uses a cookie for your login session, which is of course security-critical, and because we use multiple domain names for the main web application (,, and so on), the session cookie domain has to be set to allow subdomains of We set the “Secure” flag on session cookies to ensure that browsers only ever send them over HTTPS, as well as the “HttpOnly” flag to prevent direct access to them from JavaScript; but there are still ways in which arbitrary JS on an HTTPS subdomain of might be able to exfiltrate or abuse users’ session cookies. As a result, we can never allow any HTTPS subdomain of to publish completely user-generated HTML that we don’t process first.
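The scoping rule behind this paragraph, as an added example that is not Launchpad's code: a simplified model of RFC 6265 domain matching that shows which hosts receive a session cookie whose Domain attribute covers a parent domain. The cookie name and every host name are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str            # Domain attribute; "" means host-only
    origin_host: str       # host that set the cookie
    secure: bool = True    # "Secure" flag
    http_only: bool = True # "HttpOnly" flag

def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: same name, or host ends with '.' + cookie domain."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def sent_with_request(cookie: Cookie, scheme: str, host: str) -> bool:
    """Would a browser attach the cookie to a request for scheme://host/ ?"""
    if cookie.secure and scheme != "https":
        return False
    if not cookie.domain:
        return host.lower() == cookie.origin_host.lower()
    return domain_match(host, cookie.domain)

def readable_by_script(cookie: Cookie, scheme: str, host: str) -> bool:
    """Would document.cookie on a page at scheme://host/ expose the value?"""
    return sent_with_request(cookie, scheme, host) and not cookie.http_only

# Constructed placeholders, not Launchpad's real names.
SESSION = Cookie("session", domain="webapp.example", origin_host="webapp.example")
TARGETS = [
    ("https", "bugs.webapp.example"),           # another webapp subdomain
    ("https", "archive.webapp.example"),        # file hosting under the same parent
    ("http", "archive.webapp.example"),         # same host over plain HTTP
    ("https", "archive.webappcontent.example"), # file hosting on a separate domain
]

def exposure(cookie: Cookie, targets):
    """Map each URL to (sent with requests, readable via document.cookie)."""
    return {f"{s}://{h}/": (sent_with_request(cookie, s, h),
                            readable_by_script(cookie, s, h)) for s, h in targets}

if __name__ == "__main__":
    for url, (sent, readable) in exposure(SESSION, TARGETS).items():
        print(f"{url:45} sent={sent!s:5} script-readable={readable}")
```

HttpOnly keeps the value out of `document.cookie`, yet the cookie still accompanies every HTTPS request to a host under the parent domain; a host on a separate domain is outside the cookie's scope entirely.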

We don’t currently know of a way to get to serve arbitrary HTML as Content-Type: text/html, but this is quite a brittle protection as there are certainly ways (used for things like installer uploads) to upload arbitrary files to under a user-controlled directory structure, and we don’t want the webapp’s security to depend on nobody figuring out how to convince a browser to interpret any of that as arbitrary HTML. The librarian is already on a separate domain name for a similar reason.

To resolve this dilemma, we’ve added a new domain name which supports both HTTP and HTTPS (and similarly for private PPAs, which as before is HTTPS-only). add-apt-repository in Ubuntu 22.04 will use the new domain name by default.

The old names will carry on working indefinitely – we know they’re embedded in lots of configuration and scripts, and we have no inclination to break all of those – but we recommend moving to the new names where possible. will remain HTTP-only.

Some systems may need to be updated to support the new domain name, particularly things like HTTP(S) proxy configuration files and no_proxy environment variables.
