<!-- common, language independant entities -->
<!entity % commondata SYSTEM "common.ent" > %commondata;
<!-- CVS revision of this document -->
- <!entity cvs-rev "$Revision: 1.35 $">
+ <!entity cvs-rev "$Revision: 1.36 $">
<!-- if you are translating this document, please notate the RCS
revision of the developers reference here -->
example, any of the following mechanisms would suffice:
<list>
<item>
-An RSA key signed by any well-known signature, such as:
+An OpenPGP key signed by any well-known signature, such as:
<list>
<item>
Any current Debian developer you have met <em>in real life</em>.
Alternatively, you may identify yourself with a scanned (or physically
mailed) copy of any formal documents certifying your identity (such as
a birth certificate, national ID card, U.S. Driver's License, etc.).
-If emailed, please sign the mail with your PGP key.
+If emailed, please sign the mail with your OpenPGP key.
</list>
</list>
<p>
-If you do not have an RSA key yet, generate one. Every developer needs
-a RSA key in order to sign and verify package uploads. You should read
-the PGP manual, since it has much important information which is
-critical to its security. Many more security failures are due to
-human error than to software failure or high-powered spy techniques.
-See <ref id="key-maint"> for more information on maintianing your
-public key.
- <p>
-Debian uses <prgn>pgp</prgn> version 2.6 as its baseline standard.
-You can use <prgn>gpg</prgn> or some other version of <prgn>pgp</prgn>
-if and only if you can create an RSA key compatible with
-<prgn>pgp</prgn> version 2.6. Note that we are also working on the
-ability to use non-RSA keys, since RSA algorithms have patent
-protection, but this is still in early stages.
- <p>
-Your RSA key must be at least 1024 bits long. There is no reason to
-use a smaller key, and doing so would be much less secure. Your key
-must be signed with at least your own user ID. This prevents user ID
-tampering. You can do it by executing <tt>pgp -ks
-<var>your_userid</var></tt>.
+If you do not have an OpenPGP key yet, generate one. Every developer
+needs a OpenPGP key in order to sign and verify package uploads. You
+should read the manual for the software you are using, since it has
+much important information which is critical to its security. Many
+more security failures are due to human error than to software failure
+or high-powered spy techniques. See <ref id="key-maint"> for more
+information on maintianing your public key.
+ <p>
+Debian uses the <prgn>GNU Privacy Guard</prgn> (package
+<package>gnupg</package> version 1 or better as its baseline standard.
+You can use some other implementation of OpenPGP as well. Note that
+OpenPGP is a open standard based on <url id="&url-rfc2440;" name="RFC
+2440">.
+ <p>
+The recommended public key algorithm for use in Debian development
+work is the DSA (Digital Signature Standard). Other key types may be
+used however. Your key length must be at least 1024 bits; there is no
+reason to use a smaller key, and doing so would be much less secure.
+Your key must be signed with at least your own user ID; this prevents
+user ID tampering. <prgn>gpg</prgn> does this automatically.
<p>
Also remember that one of the names on your key must match the email
address you list as the official maintainer for your packages. For
instance, I set the maintainer of the
<package>developers-reference</package> package to ``Adam Di Carlo
-<aph@debian.org>''; therefore, one of the user IDs on my RSA key
-is that same value, ``Adam Di Carlo <aph@debian.org>''.
+<aph@debian.org>''; therefore, one of the user IDs on my key is
+that same value, ``Adam Di Carlo <aph@debian.org>''.
<p>
-If your RSA key isn't on public key servers such as &pgp-keyserv;,
+If your public key isn't on public key servers such as &pgp-keyserv;,
please read the documentation available locally in &file-keyservs;.
That document contains instructions on how to put your key on the
public key servers. The New Maintainer Group will put your public key
on the servers if it isn't already there.
<p>
Due to export restrictions by the United States government some Debian
-packages, including <package>pgp</package>, have been moved to an ftp
-site outside of the United States. You can find the current locations
-of those packages at <url id="&url-readme-non-us;">.
+packages, including <package>gnupg</package>, are located on ftp sites
+outside of the United States. You can find the current locations of
+those packages at <url id="&url-readme-non-us;">.
<p>
Some countries restrict the use of cryptographic software by their
citizens. This need not impede one's activities as a Debian package
&email-new-maintainer; to register as an offical Debian developer so
that you will be able to upload your packages. This message must
contain all the information discussed above. The message must also
-contain your RSA public key (extracted using <tt>pgp -kxa</tt> in the
-case of PGP) for the database of keys which is distributed from <url
-id="url-debian-keyring;">, or the <package>debian-keyring</package>
+contain your public key (extracted using <tt>gpg --armor --export
+<var>user_id</var></tt> in the case of <prgn>gpg</prgn>) for the
+database of keys which is distributed from <url
+id="url-debian-keyring;"> and the <package>debian-keyring</package>
package. Please be sure to sign your request message with your chosen
public key.
<p>
Once this information is received and processed, you should be
contacted with information about your new Debian maintainer account.
-If you don't hear anything within 7-14 days, please send a followup
+If you don't hear anything within a month, please send a followup
message asking if your original application was received. Do
<em>not</em> re-send your original application, that will just confuse
-the new-maintainer team. Please be patient, especially near release
+the New Maintainer Group. Please be patient, especially near release
points; mistakes do occasionally happen, and people do sometimes run
out of volunteer time.
Be very careful with your private keys. Do not place them on any
public servers or multiuser machines, such as
<tt>master.debian.org</tt>. Back your keys up; keep a copy offline.
-Read the documentation that comes with your software (either PGP or
-GNUPG); read the <url id="&url-pgp-faq;" name="PGP FAQ">.
+Read the documentation that comes with your software; read the <url
+id="&url-pgp-faq;" name="PGP FAQ">.
<p>
If you add or remove signatures from your public key, or add or remove
user identities, you need to update the key servers and mail your
~ianmdlvl / developers-reference.git / commitdiff