From: aph Date: Sat, 11 Sep 1999 22:55:37 +0000 (+0000) Subject: pgp to rsa changes, 2.7.1 first cut X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=developers-reference.git;a=commitdiff_plain;h=8f9b616f9f3c3ded74506aa480dcd14ece70be38 pgp to rsa changes, 2.7.1 first cut git-svn-id: svn://anonscm.debian.org/ddp/manuals/trunk/developers-reference@839 313b444b-1b9f-4f58-a734-7bb04f332e8d --- diff --git a/common.ent b/common.ent index 9c18720..612e8c8 100644 --- a/common.ent +++ b/common.ent @@ -62,6 +62,7 @@ + listmaster@&lists-host;"> diff --git a/debian/changelog b/debian/changelog index beeddff..9c3790e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +developers-reference (2.7.1) unstable; urgency=low + + * Sec. "Registering as a Debian developer": we are transitioning away + from non-free PGP -- remove allusions to non-free software such as + PGPv2 or v5 insofar as possible; recommend use of DSA keys rather than + RSA + * Sec. "Maintaining Your Public Key": remove PGP-centric stuff + + -- Adam Di Carlo Sat, 11 Sep 1999 16:20:32 -0400 + developers-reference (2.7.0) unstable; urgency=low * developers-reference.sgml: separated out language-independant elements diff --git a/developers-reference.sgml b/developers-reference.sgml index 7391352..987c7d3 100644 --- a/developers-reference.sgml +++ b/developers-reference.sgml @@ -5,7 +5,7 @@ %commondata; - + @@ -159,7 +159,7 @@ Some mechanism by which we can verify your real-life identity. For example, any of the following mechanisms would suffice: -An RSA key signed by any well-known signature, such as: +An OpenPGP key signed by any well-known signature, such as: Any current Debian developer you have met in real life. 
@@ -172,48 +172,48 @@ address, and not you identity, is not sufficient. Alternatively, you may identify yourself with a scanned (or physically mailed) copy of any formal documents certifying your identity (such as a birth certificate, national ID card, U.S. Driver's License, etc.). -If emailed, please sign the mail with your PGP key. +If emailed, please sign the mail with your OpenPGP key.

-If you do not have an RSA key yet, generate one. Every developer needs -a RSA key in order to sign and verify package uploads. You should read -the PGP manual, since it has much important information which is -critical to its security. Many more security failures are due to -human error than to software failure or high-powered spy techniques. -See for more information on maintianing your -public key. -

-Debian uses pgp version 2.6 as its baseline standard. -You can use gpg or some other version of pgp -if and only if you can create an RSA key compatible with -pgp version 2.6. Note that we are also working on the -ability to use non-RSA keys, since RSA algorithms have patent -protection, but this is still in early stages. -

-Your RSA key must be at least 1024 bits long. There is no reason to -use a smaller key, and doing so would be much less secure. Your key -must be signed with at least your own user ID. This prevents user ID -tampering. You can do it by executing pgp -ks -your_userid. +If you do not have an OpenPGP key yet, generate one. Every developer +needs a OpenPGP key in order to sign and verify package uploads. You +should read the manual for the software you are using, since it has +much important information which is critical to its security. Many +more security failures are due to human error than to software failure +or high-powered spy techniques. See for more +information on maintianing your public key. +

+Debian uses the GNU Privacy Guard (package +gnupg version 1 or better as its baseline standard. +You can use some other implementation of OpenPGP as well. Note that +OpenPGP is a open standard based on . +

+The recommended public key algorithm for use in Debian development +work is the DSA (Digital Signature Standard). Other key types may be +used however. Your key length must be at least 1024 bits; there is no +reason to use a smaller key, and doing so would be much less secure. +Your key must be signed with at least your own user ID; this prevents +user ID tampering. gpg does this automatically.

Also remember that one of the names on your key must match the email address you list as the official maintainer for your packages. For instance, I set the maintainer of the developers-reference package to ``Adam Di Carlo -<aph@debian.org>''; therefore, one of the user IDs on my RSA key -is that same value, ``Adam Di Carlo <aph@debian.org>''. +<aph@debian.org>''; therefore, one of the user IDs on my key is +that same value, ``Adam Di Carlo <aph@debian.org>''.

-If your RSA key isn't on public key servers such as &pgp-keyserv;, +If your public key isn't on public key servers such as &pgp-keyserv;, please read the documentation available locally in &file-keyservs;. That document contains instructions on how to put your key on the public key servers. The New Maintainer Group will put your public key on the servers if it isn't already there.

Due to export restrictions by the United States government some Debian -packages, including pgp, have been moved to an ftp -site outside of the United States. You can find the current locations -of those packages at . +packages, including gnupg, are located on ftp sites +outside of the United States. You can find the current locations of +those packages at .

Some countries restrict the use of cryptographic software by their citizens. This need not impede one's activities as a Debian package @@ -229,18 +229,19 @@ available on public key servers, send a message to &email-new-maintainer; to register as an offical Debian developer so that you will be able to upload your packages. This message must contain all the information discussed above. The message must also -contain your RSA public key (extracted using pgp -kxa in the -case of PGP) for the database of keys which is distributed from , or the debian-keyring +contain your public key (extracted using gpg --armor --export +user_id in the case of gpg) for the +database of keys which is distributed from and the debian-keyring package. Please be sure to sign your request message with your chosen public key.

Once this information is received and processed, you should be contacted with information about your new Debian maintainer account. -If you don't hear anything within 7-14 days, please send a followup +If you don't hear anything within a month, please send a followup message asking if your original application was received. Do not re-send your original application, that will just confuse -the new-maintainer team. Please be patient, especially near release +the New Maintainer Group. Please be patient, especially near release points; mistakes do occasionally happen, and people do sometimes run out of volunteer time. @@ -263,8 +264,8 @@ post to that list and an experienced developer will volunteer to help. Be very careful with your private keys. Do not place them on any public servers or multiuser machines, such as master.debian.org. Back your keys up; keep a copy offline. -Read the documentation that comes with your software (either PGP or -GNUPG); read the . +Read the documentation that comes with your software; read the .

If you add or remove signatures from your public key, or add or remove user identities, you need to update the key servers and mail your
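Review bot: the debian/changelog hunk (@@ -1,3 +1,13 @@) does not mention the common.ent change, which adds a new listmaster entity ("+ listmaster@&lists-host;">"), nor the wording changes in the "Registering" section that are not about PGP (the follow-up waiting period moving from 7-14 days to a month, and "new-maintainer team" becoming "New Maintainer Group"); add a line for each so the entry describes the whole 2.7.1 delta. The commit subject "pgp to rsa changes" also reads the wrong way round for what the entry itself says ("recommend use of DSA keys rather than RSA").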
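Review bot: in the @@ -159,7 +159,7 @@ hunk, "+An OpenPGP key signed by any well-known signature, such as:" keeps the awkward "signed by any well-known signature"; a key is signed by a key or a person, so "signed by a well-known key holder, such as:" would read better and match the list item that follows ("Any current Debian developer you have met in real life").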
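Review bot: in the @@ -172,48 +172,48 @@ hunk, the line "+work is the DSA (Digital Signature Standard)." expands the acronym wrongly: DSA is the Digital Signature Algorithm, and DSS is the standard that specifies it; use "DSA (Digital Signature Algorithm)". The same hunk has an unbalanced parenthesis in "+gnupg version 1 or better as its baseline standard." (the "(package" opened on the previous line is never closed), two article errors ("+needs a OpenPGP key" and "+OpenPGP is a open standard" should use "an"), and carries the pre-existing typo "maintianing" into the rewritten text ("+information on maintianing your public key."); since the paragraph is being reworded anyway, fix it to "maintaining".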
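Review bot: in the @@ -229,18 +229,19 @@ hunk, "+user_id in the case of gpg)" gives the export command but not what to substitute for user_id; since the surrounding text says one of the user IDs must match the maintainer email, say explicitly that user_id is the email address or name on the key, and consider rendering "user_id" in the same markup as the command so it is clearly a placeholder. The change of the follow-up period ("+If you don't hear anything within a month, please send a followup") is a policy change rather than a PGP cleanup and should be called out in the changelog.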