Is there a bug here? I don't think we can expect the users to
grant trust on the basis of some hexadecimal numbers...
Actually, they can grant trust based on those numbers because users should verify those signers are trusted, eg by checking whether the ids are matching some verified keys in some external PGP services.
But indeed, the UI is still rough and still needs to be improved.
Where/what is the best way for asking question and for discussing
the implementation details? I posted on platform-dev because the
entire platform is affected by these design decisions, but perhaps
I should restrict this to p2-dev or elsewhere?
Bugs against p2 are the best channel IMO.
I expect there is a concern about the size of many such the
duplicates keys, but with both jar and *.xz compression that isn't
really so much a problem. I.e., 1000 copies of the key has
minimal impact on the size compressed artifacts as seen here where
the artifacts.xml has 1000 copies of the key:
OK, I probably made a wrong estimation back then, and maybe adding the signer key to each artifact would be preferable.
And even the
org.eclipse.equinox.p2.tests.engine.CertificateCheckerTest.testPGPSignedArtifactUntrustedKey()
test works that way...
Yes, this is supposed to work with key as artifact property. The metrics you shared seem to highlight it would be a better approach, so please open a bug to Platform/Releng so we can try to improve that.