5 files changed, 309 insertions, 0 deletions
diff --git a/cheatsheets/keyring/adding_dd.txt b/cheatsheets/keyring/adding_dd.txt
new file mode 100644
index 0000000..830c61b
--- /dev/null
+++ b/cheatsheets/keyring/adding_dd.txt
@@ -0,0 +1,2 @@
+Adding a DD key
+===============
diff --git a/cheatsheets/keyring/adding_dm.txt b/cheatsheets/keyring/adding_dm.txt
new file mode 100644
index 0000000..5a03ca3
--- /dev/null
+++ b/cheatsheets/keyring/adding_dm.txt
@@ -0,0 +1,95 @@
+Adding a DM key
+===============
+
+- Request must be signed by somebody in the DM team (currently:
+  anibal, enrico, xoswald). Always check it has been signed by them
+  using their currently registered Debian key!
+
+- Request must include:
+  - Full DM key fingerprint
+  - Agreement URL (message sent by prospective DM where he agrees with
+    DFSG, SC, DMUP, and giving an overview of his current work in
+    Debian) 
+  - One or more DD advocates (messages signed by DDs confirming
+    applicant has done Debian work and requesting him to be accepted)
+  - It _may_ also include a bug number (in the regular Debian BTS)
+    that should be closed when the request is dealt with. If so, close
+    it in debian/changelog.
+
+- Procedure:
+
+  I am following the request for Javier Merino (RT #2466). Of course,
+  replace keys with adequate values.
+
+  $ gpg --verify < (copy of RT message)
+  (...)
+  gpg: Signature made Thu 26 Aug 2010 01:14:41 PM CDT using RSA key ID 464B8DE3
+  gpg: Good signature from "Xavier Oswald <xoswald@debian.org>"
+  gpg:                 aka "Xavier Oswald <x.oswald@free.fr>"
+  gpg:                 aka "Xavier Oswald <xoswald@gmail.com>"
+  gpg: WARNING: This key is not certified with a trusted signature!
+  gpg:          There is no indication that the signature belongs to the owner.
+  Primary key fingerprint: DE46 8D1D 2744 CF28 5431  1CD7 85B9 0D23 464B 8DE3
+      # I have never met xoswald, but «grep 464B8DE3 keyids» gives me
+      # «0x85B90D23464B8DE3 Xavier Oswald <xoswald>» and verifying
+      # the fingerprint matches
+
+  $ gpg --keyserver $KEYSERVER --recv-key 6B1BAEC2CA5D4EA7439803612DCE3F2836D4E4F5
+  gpg: requesting key 36D4E4F5 from hkp server nisamox.fciencias.unam.mx
+  gpg: key 36D4E4F5: public key "Javier Merino Cacho <javier.merino@alumnos.unican.es>" imported
+  gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
+  gpg: depth: 0  valid:   3  signed: 163  trust: 0-, 0q, 0n, 0m, 0f, 3u
+  gpg: depth: 1  valid: 163  signed: 405  trust: 154-, 0q, 0n, 5m, 4f, 0u
+  gpg: depth: 2  valid:  12  signed:  99  trust: 12-, 0q, 0n, 0m, 0f, 0u
+  gpg: next trustdb check due at 2010-09-10
+  gpg: Total number processed: 1
+  gpg:               imported: 1
+
+  $ gpg --export 6B1BAEC2CA5D4EA7439803612DCE3F2836D4E4F5 > /tmp/key
+
+  $ ./scripts/add-key /tmp/key debian-maintainers-gpg/
+  (...)
+      # A screen listing all of the applicant's signatures which are
+      # in the Debian keyring appears. At very least, one DD should
+      # have signed his key, unless specific reasons
+      # (i.e. geographical) have been already discussed. Take note of
+      # the respective key IDs. If they are too many, just note the
+      # first four or five, in this case: 5D8CDA7B 74974824 95930EDE
+      # E1C21845 
+  Are you sure you want to update this key? (y/n)
+  y
+  adding debian-maintainers-gpg/0x2DCE3F2836D4E4F5
+
+      # Note this addition in debian/changelog - Just make sure before
+      # doing this you are not modifying an already uploaded changelog
+      # entry! 
+  $ dch -a 'Add new DM key 0x2DCE3F2836D4E4F5 (Javier Merino) (RT #2466) (Closes: #593475)'
+
+  $ git commit
+      # And that's it. For the VCS log, we use the following format:
+------------------------------------------------------------
+Add new DM key $DM_KEY ($DM_NAME) (RT #$RT_NUM)
+
+Add new DM key $DM_KEY as requested by DM team ($PERSON)
+  Signed by existing DD keys: $SIGN1 $SIGN2 $SIGN3 $SIGNN
+Agreement:
+  $AGREE_URL
+Advocates:
+  $DD1_ACCOUNT - $ADVOCATE1_URL
+  $DD2_ACCOUNT - $ADVOCATE2_URL
+  $DD3_ACCOUNT - $ADVOCATE3_URL
+------------------------------------------------------------
+
+i.e.
+
+------------------------------------------------------------
+Add new DM key 0x2DCE3F2836D4E4F5 (Javier Merino) (RT #2466)
+
+Add new DM key 0x2DCE3F2836D4E4F5 as requested by DM team (xoswald)
+  Signed by existing DD keys: 5D8CDA7B 74974824 95930EDE E1C21845
+Agreement:
+  http://lists.debian.org/debian-newmaint/2010/08/msg00020.html
+Advocates:
+  vdanjean - http://lists.debian.org/debian-newmaint/2010/08/msg00021.html
+------------------------------------------------------------
+
diff --git a/cheatsheets/keyring/pulling_hkp_changes.txt b/cheatsheets/keyring/pulling_hkp_changes.txt
new file mode 100644
index 0000000..bdeb1cd
--- /dev/null
+++ b/cheatsheets/keyring/pulling_hkp_changes.txt
@@ -0,0 +1,67 @@
+Pulling changes from the HKP server
+===================================
+
+We run a HKP (HTTP Keyserver Protocol) keyserver to allow for public
+querying on Debian keys and to allow DDs and DMs to update their keys,
+i.e., sending more signatures. Updating the keyrings from this HKP
+server is "pulling" HKP changes.
+
+There's a script call pull-updates that takes a keyring and a keyring
+dir, explodes the keyring and looks for keys that have changed, then
+calls update-key for each of them. This is a bit of a labour intensive
+task, but it does mean we don't automatically allow things like adding
+a new UID that's complete nonsense. I have some local patches to make
+it a bit easier in terms of automatically generating an update.log
+which is the same format as in the changelog of what was altered; I'll
+commit them at some point soon.
+
+So, to import the HKP updates:
+
+$ scp kaufmann.debian.org:/srv/keyring.debian.org/keyrings-new/debian-{keyring,nonupload,maintainers}.gpg .
+debian-keyring.gpg        100%   30MB   2.5MB/s   00:12    
+debian-maintainers.gpg	  100% 1058KB 529.1KB/s   00:02    
+debian-maintainers.gpg	  100%   48KB  59.6KB/s   00:00    
+$ ./scripts/pull-updates debian-keyring.gpg debian-keyring-gpg/
+(...a long list of keys later...)
+Updated keys are:
+0x8351C3C268AC5746  0xE5273D986BE3C423  0xED1A3933B2CFCDD8
+gpg: keyring `/tmp/jetring.qGSB7NPt/secring.gpg' created
+gpg: keyring `/tmp/jetring.qGSB7NPt/pubring.gpg' created
+gpg: /tmp/jetring.qGSB7NPt/trustdb.gpg: trustdb created
+Running gpg-diff:
+0x8351C3C268AC5746 Robert Alan Larson <blarson>
+Are you sure you want to update this key? (y/n)
+y
+Updated key.
+gpg: keyring `/tmp/jetring.mHhg5onR/secring.gpg' created
+gpg: keyring `/tmp/jetring.mHhg5onR/pubring.gpg' created
+gpg: /tmp/jetring.mHhg5onR/trustdb.gpg: trustdb created
+Running gpg-diff:
+0xE5273D986BE3C423 Paul Wise <pabs>
+Are you sure you want to update this key? (y/n)
+y
+Updated key.
+gpg: keyring `/tmp/jetring.ZJnN1JpE/secring.gpg' created
+gpg: keyring `/tmp/jetring.ZJnN1JpE/pubring.gpg' created
+gpg: /tmp/jetring.ZJnN1JpE/trustdb.gpg: trustdb created
+Running gpg-diff:
+0xED1A3933B2CFCDD8 Philipp Kern <pkern>
+Are you sure you want to update this key? (y/n)
+y
+Updated key.
+
+A log of the changes is stored in updates.log:
+
+$ cat update.log
+0x8351C3C268AC5746 Robert Alan Larson <blarson>
+0xE5273D986BE3C423 Paul Wise <pabs>
+0xED1A3933B2CFCDD8 Philipp Kern <pkern>
+
+So, add the following to the changelog:
+
+  * Updates from keyring.debian.org HKP interface:
+    0x8351C3C268AC5746 Robert Alan Larson <blarson>
+    0xE5273D986BE3C423 Paul Wise <pabs>
+    0xED1A3933B2CFCDD8 Philipp Kern <pkern>
+
+Repeat the process for the other downloaded keyrings
diff --git a/cheatsheets/keyring/removing_dd_key.txt b/cheatsheets/keyring/removing_dd_key.txt
new file mode 100644
index 0000000..a416e7d
--- /dev/null
+++ b/cheatsheets/keyring/removing_dd_key.txt
@@ -0,0 +1,36 @@
+Removing a DD key
+=================
+
+Some more verbosity would not hurt... Anyway, little is better than none.
+
+- Emeritus
+
+| # Deal with RT #142
+| # Straightforward resignation, debian-private mail confirmed,
+| # move key to emeritus
+| ./script/move-key 0xFCF6DD4539CCF0C7 emeritus-keyring-gpg/
+
+The move-key script will move the key from any of the active keyrings
+it is currently located on.
+
+If the key is not moved due to the maintainer explicitly resigning
+(i.e. expelled, deceased, MIA), the key should be removed entirely.
+
+Changelog entry:
+------------------------------------------------------------
+  * Move 0xFCF6DD4539CCF0C7 (Akira TAGOH) to emeritus (RT #142)
+------------------------------------------------------------
+
+Commit message:
+------------------------------------------------------------
+Move 0xFCF6DD4539CCF0C7 (Akira TAGOH) to emeritus (RT #142)
+  
+    Akira has retired from Debian.
+    Message-Id: <20070731.194218.174801666.tagoh@debian.org>
+------------------------------------------------------------
+
+- MIA
+
+Eventually, the MIA team comes up with a list of people not answering
+to the WAT ping (Where Are They?). The main difference for us is that,
+instead of moving the key to emeritus-keyring-gpg, it is removed entirely.
diff --git a/cheatsheets/keyring/updating_dd_key.txt b/cheatsheets/keyring/updating_dd_key.txt
new file mode 100644
index 0000000..46f4456
--- /dev/null
+++ b/cheatsheets/keyring/updating_dd_key.txt
@@ -0,0 +1,109 @@
+Updating a DD key
+=================
+
+- Key updates should be for a reason (i.e. lost control of earlier
+  key, or moving to stronger key).
+
+- Request must include:
+  - Old key (full fingerprint)
+  - New key (full fingerprint)
+  - Inline signature with OLD key
+
+- New key must be signed by at least two DDs (and more if possible);
+  if the old key is particularly well connected, we have requested the
+  person to get more signatures in order to avoid weakening the
+  overall web of trust. The new key must also be signed with the old
+  one (except in cases, say, where the old one was lost).
+
+- Procedure
+
+  I am following the request for Giovanni Mascellani (RT #2473). Of
+  course, replace keys with adequate values. As you can see, this
+  request mentioned only the key IDs, so full fingerprint was
+  requested. 
+
+      # Before anything else, retrieve both keys, to be able to do the
+      # following checks
+  $ gpg --keyserver $KEYSERVER --recv-key \
+      1EB63D43E2014DDF67BD003FFCB0BB5C5F1FBF70 \
+      82D119A840C6EFCA6F5AF9459EDCC991D9AB457E
+  gpg: requesting key 5F1FBF70 from hkp server nisamox.fciencias.unam.mx
+  gpg: requesting key D9AB457E from hkp server nisamox.fciencias.unam.mx
+  gpg: key 5F1FBF70: public key "Giovanni Mascellani (Poisson)
+        # <mascellani@poisson.phc.unipi.it>" imported
+  gpg: key D9AB457E: public key "Giovanni Mascellani
+        # <mascellani@poisson.phc.unipi.it>" imported
+  gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
+  gpg: depth: 0  valid:   3  signed: 163  trust: 0-, 0q, 0n, 0m, 0f, 3u
+  gpg: depth: 1  valid: 163  signed: 409  trust: 154-, 0q, 0n, 5m, 4f,
+        # 0u
+  gpg: depth: 2  valid:  12  signed:  99  trust: 12-, 0q, 0n, 0m, 0f, 0u
+  gpg: next trustdb check due at 2010-09-10
+  gpg: Total number processed: 2
+  gpg:               imported: 2  (RSA: 1)
+
+  $ gpg --verify < (copy of RT message)
+  (...)
+  gpg: Signature made Sun 29 Aug 2010 07:30:03 AM CDT using RSA key ID E1889B00
+  gpg: Good signature from "Giovanni Mascellani (Poisson) <mascellani@poisson.phc.unipi.it>"
+  gpg:                 aka "Giovanni Mascellani <gio@debian.org>"
+  gpg:                 aka "Giovanni Mascellani <g.mascellani@gmail.com>"
+  gpg:                 aka "Giovanni Mascellani <g.mascellani@tiscali.it>"
+  gpg:                 aka "Giovanni Mascellani (DM) <mascellani@mail.dm.unipi.it>"
+  gpg:                 aka "Giovanni Mascellani (SNS) <giovanni.mascellani@sns.it>"
+  gpg:                 aka "[jpeg image of size 8171]"
+  gpg: WARNING: This key is not certified with a trusted signature!
+  gpg:          There is no indication that the signature belongs to the owner.
+  Primary key fingerprint: 1EB6 3D43 E201 4DDF 67BD  003F FCB0 BB5C 5F1F BF70
+       Subkey fingerprint: 409F 2383 802D B40C CA04  9AF9 810A 9F69 E188 9B00
+
+  - Helper script
+
+    We have a script called "replace-key". When called, it takes care to
+    do all of the steps described from here until the commit step.
+
+    You should call it using both keys' long (64 bit) keyids:
+
+    $ ./script/replace-key FCB0BB5C5F1FBF70 9EDCC991D9AB457E
+
+
+  $ gpg --export D9AB457E > /tmp/key
+      # DD keys (past and present), names and identities are kept in
+      # the plaintext file 'keyids' - Confirm and get the requester's
+      # Debian account name in case it's not listed as one of the
+      # identities 
+
+  $ grep 5F1FBF70 keyids 
+  0xFCB0BB5C5F1FBF70 Giovanni Mascellani <gio>
+      # Old keys are removed from the repository.
+
+  $ git rm debian-keyring-gpg/0xFCB0BB5C5F1FBF70
+  rm 'debian-keyring-gpg/0xFCB0BB5C5F1FBF70'
+
+  $ ./scripts/add-key /tmp/key debian-keyring-gpg/
+      # A screen listing all of the requester's signatures which are
+      # in the Debian keyring appears. At very least, two DD should
+      # have signed his key, unless specific reasons
+      # (i.e. geographical) have been already discussed. Take note of
+      # the respective key IDs. If they are too many, just note the
+      # first four or five, in this case: F2C423BC 33FC40A4.
+      # Also take note that the old key (5F1FBF70) has also signed
+      # it. 
+  Are you sure you want to update this key? (y/n)
+  y
+  adding debian-keyring-gpg/0x9EDCC991D9AB457E
+  Enter full name of new key: Giovanni Mascellani
+  Enter Debian login of new key: gio
+
+      # Note this addition in debian/changelog - Just make sure before
+      # doing this you are not modifying an already uploaded changelog
+      # entry! 
+  $ dch -a 'Replace 0xFCB0BB5C5F1FBF70 with 0x9EDCC991D9AB457E (Giovanni Mascellani) (RT #2473)'
+
+- Git commit
+
+  In order for the parse-git-changelog script to work, we adhere to
+  machine-parsable information in the changelog. If you used the
+  replace-key script, you will find it creates a git-commit-template
+  file. It just needs you to fill in the Debian user IDs for the
+  New-key-certified-by field.