X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;ds=sidebyside;f=developers-reference.sgml;h=987c7d3824ed9403d83b3eb7f80f078409c19e21;hb=8f9b616f9f3c3ded74506aa480dcd14ece70be38;hp=73913529218fc2575f535b9d4c1450f30987136e;hpb=f11d311f2e52dd781eccf6f2b9eb15b4ed691d61;p=developers-reference.git
diff --git a/developers-reference.sgml b/developers-reference.sgml
index 7391352..987c7d3 100644
--- a/developers-reference.sgml
+++ b/developers-reference.sgml
@@ -5,7 +5,7 @@
%commondata;
-
+
@@ -159,7 +159,7 @@ Some mechanism by which we can verify your real-life identity. For
example, any of the following mechanisms would suffice:
-If you do not have an RSA key yet, generate one. Every developer needs
-a RSA key in order to sign and verify package uploads. You should read
-the PGP manual, since it has much important information which is
-critical to its security. Many more security failures are due to
-human error than to software failure or high-powered spy techniques.
-See for more information on maintianing your
-public key.
-
-Debian uses
-Your RSA key must be at least 1024 bits long. There is no reason to
-use a smaller key, and doing so would be much less secure. Your key
-must be signed with at least your own user ID. This prevents user ID
-tampering. You can do it by executing pgp -ks
-your_userid.
+If you do not have an OpenPGP key yet, generate one. Every developer
+needs a OpenPGP key in order to sign and verify package uploads. You
+should read the manual for the software you are using, since it has
+much important information which is critical to its security. Many
+more security failures are due to human error than to software failure
+or high-powered spy techniques. See for more
+information on maintianing your public key.
+
+Debian uses the
+The recommended public key algorithm for use in Debian development
+work is the DSA (Digital Signature Standard). Other key types may be
+used however. Your key length must be at least 1024 bits; there is no
+reason to use a smaller key, and doing so would be much less secure.
+Your key must be signed with at least your own user ID; this prevents
+user ID tampering.
Also remember that one of the names on your key must match the email
address you list as the official maintainer for your packages. For
instance, I set the maintainer of the
-If your RSA key isn't on public key servers such as &pgp-keyserv;,
+If your public key isn't on public key servers such as &pgp-keyserv;,
please read the documentation available locally in &file-keyservs;.
That document contains instructions on how to put your key on the
public key servers. The New Maintainer Group will put your public key
on the servers if it isn't already there.
Due to export restrictions by the United States government some Debian
-packages, including
Some countries restrict the use of cryptographic software by their
citizens. This need not impede one's activities as a Debian package
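Review bot: In the added paragraph recommending DSA, "the DSA (Digital Signature Standard)" expands the acronym incorrectly: DSA is the Digital Signature Algorithm, and the Digital Signature Standard (DSS) is the specification that defines it. Suggest "DSA (the Digital Signature Algorithm)". The same paragraph keeps the requirement that the key be signed with the developer's own user ID but drops the only concrete instruction for doing so ("pgp -ks your_userid"), so a pointer to the equivalent step in the reader's OpenPGP software would help. "Other key types may be used however" leaves open which types are accepted; naming them would make the 1024-bit minimum unambiguous. Two wording nits in the first added paragraph: "a OpenPGP key" should be "an OpenPGP key", and "maintianing" is carried over misspelled from the removed text.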
@@ -229,18 +229,19 @@ available on public key servers, send a message to
&email-new-maintainer; to register as an offical Debian developer so
that you will be able to upload your packages. This message must
contain all the information discussed above. The message must also
-contain your RSA public key (extracted using pgp -kxa in the
-case of PGP) for the database of keys which is distributed from
Once this information is received and processed, you should be
contacted with information about your new Debian maintainer account.
-If you don't hear anything within 7-14 days, please send a followup
+If you don't hear anything within a month, please send a followup
message asking if your original application was received. Do
not re-send your original application, that will just confuse
-the new-maintainer team. Please be patient, especially near release
+the New Maintainer Group. Please be patient, especially near release
points; mistakes do occasionally happen, and people do sometimes run
out of volunteer time.
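Review bot: After the removal of "contain your RSA public key (extracted using pgp -kxa in the case of PGP)", the context line "The message must also" has no visible continuation in this hunk as rendered here; please confirm the replacement still states that the public key must be included and how to export it in ASCII-armoured form with whichever OpenPGP software the applicant uses. While this paragraph is being touched, "offical" in the context line could be corrected to "official", and "Do not re-send your original application, that will just confuse" reads better with a semicolon than a comma.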
@@ -263,8 +264,8 @@ post to that list and an experienced developer will volunteer to help.
Be very careful with your private keys. Do not place them on any
public servers or multiuser machines, such as
master.debian.org. Back your keys up; keep a copy offline.
-Read the documentation that comes with your software (either PGP or
-GNUPG); read the
If you add or remove signatures from your public key, or add or remove
user identities, you need to update the key servers and mail your
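Review bot: The removed "Read the documentation that comes with your software (either PGP or GNUPG); read the" has no visible replacement in this hunk as rendered here, which would leave the private-key advice ending at "keep a copy offline." If the pointer is meant to stay, reword it in the software-neutral terms used earlier in the patch ("the manual for the software you are using") rather than dropping it, since this paragraph is where readers look for key-handling guidance.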