author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-13 14:25:47 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-13 14:25:47 +0000
commit: 4ed1a6e1d4fcb1ba272a4fb3931b33d1c6fbee0d
tree: 26048107dbe7d72d60d9339d90f5cfe678937863 /cheatsheets/keyring/pulling_hkp_changes.txt
parent: Initial commit.
download: debian-keyring-upstream/2023.12.24.tar.xz, debian-keyring-upstream/2023.12.24.zip

Adding upstream version 2023.12.24.
upstream/2023.12.24

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- cheatsheets/keyring/pulling_hkp_changes.txt 82
1 file changed, 82 insertions, 0 deletions
diff --git a/cheatsheets/keyring/pulling_hkp_changes.txt b/cheatsheets/keyring/pulling_hkp_changes.txt
new file mode 100644
index 0000000..67969c6
--- /dev/null
+++ b/cheatsheets/keyring/pulling_hkp_changes.txt
@@ -0,0 +1,82 @@
+Pulling changes from the HKP server
+===================================
+
+We run a HKP (HTTP Keyserver Protocol) keyserver to allow for public
+querying on Debian keys and to allow DDs and DMs to update their keys,
+i.e., sending more signatures. Updating the keyrings from this HKP
+server is "pulling" HKP changes.
+
+There's a script call pull-updates that takes a keyring and a keyring
+dir, explodes the keyring and looks for keys that have changed, then
+calls update-key for each of them. This is a bit of a labour intensive
+task, but it does mean we don't automatically allow things like adding
+a new UID that's complete nonsense. I have some local patches to make
+it a bit easier in terms of automatically generating an update.log
+which is the same format as in the changelog of what was altered; I'll
+commit them at some point soon.
+
+So, to import the HKP updates, we pull the keyrings first from:
+
+ kaufmann.debian.org:/srv/keyring.debian.org/keyrings-new/debian-{keyring,nonupload,maintainers}.gpg
+
+and second, from:
+
+ kaufmann.debian.org:/srv/keyring.debian.org/pending-updates/debian-{keyring,nonupload,maintainers}.gpg
+
+$ scp kaufmann.debian.org:/srv/keyring.debian.org/keyrings-new/debian-{keyring,nonupload,maintainers}.gpg .
+debian-keyring.gpg 100% 30MB 2.5MB/s 00:12
+debian-maintainers.gpg 100% 1058KB 529.1KB/s 00:02
+debian-maintainers.gpg 100% 48KB 59.6KB/s 00:00
+$ for i in keyring nonupload maintainers; do ./scripts/pull-updates debian-${i}.gpg debian-${i}-gpg/
+(...a long list of keys later...)
+Updated keys are:
+0x8351C3C268AC5746 0xE5273D986BE3C423 0xED1A3933B2CFCDD8
+gpg: keyring `/tmp/jetring.qGSB7NPt/secring.gpg' created
+gpg: keyring `/tmp/jetring.qGSB7NPt/pubring.gpg' created
+gpg: /tmp/jetring.qGSB7NPt/trustdb.gpg: trustdb created
+Running gpg-diff:
+0x8351C3C268AC5746 Robert Alan Larson <blarson>
+Are you sure you want to update this key? (y/n)
+y
+Updated key.
+gpg: keyring `/tmp/jetring.mHhg5onR/secring.gpg' created
+gpg: keyring `/tmp/jetring.mHhg5onR/pubring.gpg' created
+gpg: /tmp/jetring.mHhg5onR/trustdb.gpg: trustdb created
+Running gpg-diff:
+0xE5273D986BE3C423 Paul Wise <pabs>
+Are you sure you want to update this key? (y/n)
+y
+Updated key.
+gpg: keyring `/tmp/jetring.ZJnN1JpE/secring.gpg' created
+gpg: keyring `/tmp/jetring.ZJnN1JpE/pubring.gpg' created
+gpg: /tmp/jetring.ZJnN1JpE/trustdb.gpg: trustdb created
+Running gpg-diff:
+0xED1A3933B2CFCDD8 Philipp Kern <pkern>
+Are you sure you want to update this key? (y/n)
+y
+Updated key.
+
+In this process, we must check the changes we pull in "make sense" —
+keys should not add unrelated UIDs, weaker subkeys, or excessive
+amounts of signatures.
+
+A log of the changes is stored in updates.log:
+
+$ cat update.log
+0x8351C3C268AC5746 Robert Alan Larson <blarson>
+0xE5273D986BE3C423 Paul Wise <pabs>
+0xED1A3933B2CFCDD8 Philipp Kern <pkern>
+
+So, add the following to the changelog:
+
+ * Updates from keyring.debian.org HKP interface:
+ 0x8351C3C268AC5746 Robert Alan Larson <blarson>
+ 0xE5273D986BE3C423 Paul Wise <pabs>
+ 0xED1A3933B2CFCDD8 Philipp Kern <pkern>
+
+Repeat the process for the other downloaded keyrings.
+
+After processing the second set of keys (at kaufmann's
+/srv/keyring.debian.org/pending-updates), the three keyrings should be
+removed (as they are checked to be empty when updating the keyrings at
+kaufmann -- see infrastructure/kaufmann.txt)
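Review bot: the shell loop in the transcript (`+$ for i in keyring nonupload maintainers; do ./scripts/pull-updates debian-${i}.gpg debian-${i}-gpg/`) is missing its closing `; done`, so anyone copying it verbatim gets a dangling loop; add `; done` so the example runs as shown. The scp output lists `debian-maintainers.gpg` twice with very different sizes (1058KB and 48KB) although three files were requested, so one of those lines is most likely `debian-nonupload.gpg`; please correct the transcript so it matches the three keyrings named above it. The log file is called `updates.log` in the prose ("A log of the changes is stored in updates.log") but `update.log` in the `cat` command and earlier paragraph; pick one name. Since the only safeguard this procedure offers is the manual "Are you sure you want to update this key?" prompt, the review criteria that currently appear after the transcript (no unrelated UIDs, no weaker subkeys, no excessive signature counts) would serve readers better stated before the `pull-updates` example, where the operator actually makes that decision, and ideally as a short checklist. Minor wording: "a HKP" should be "an HKP", and "a script call pull-updates" should be "a script called pull-updates".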