summaryrefslogtreecommitdiffstats
path: root/README
diff options
context:
space:
mode:
Diffstat (limited to 'README')
-rw-r--r--README198
1 files changed, 198 insertions, 0 deletions
diff --git a/README b/README
new file mode 100644
index 0000000..e2f42c6
--- /dev/null
+++ b/README
@@ -0,0 +1,198 @@
+README for the debian-keyring package
+=====================================
+
+
+Introduction
+------------
+
+The Debian project wants developers to digitally sign the
+announcements of their packages, to protect against forgeries. The
+Debian project maintains OpenPGP keyrings with keys of
+Debian developers. This is the README for these keyrings.
+
+
+Background: OpenPGP and GnuPG
+-----------------------------
+
+OpenPGP is a cryptographic standard that defines certificate formats,
+signature formats, and encryption formats. For debian, we rely
+heavily on the signature formats, and we keep our developers'
+credentials in OpenPGP certificate formats, aggregated into
+"keyrings", which are just concatenated files of OpenPGP certificates.
+
+These keyrings have a suffix of .gpg, reflecting our use of GnuPG (the
+GNU Privacy Guard), the most widely-used free software implementation
+of OpenPGP.
+
+Some older OpenPGP implementations used cryptography that is now
+considered weak, so we strongly encourage you to migrate to a strong
+(2048 bit or greater, current standard is 4096, RSA-based) OpenPGP
+key.
+
+Getting debian-keyring.gpg
+--------------------------
+
+The current version of debian-keyring.gpg is always available via
+rsync from keyring.debian.org (module keyrings).
+
+There is also a (possibly slightly out-of-date) version available on
+your nearest debian mirror in debian/doc/debian-keyring.tar.gz and as
+the debian-keyring package.
+
+The rsync area on keyring.debian.org is the canonical location for
+keyrings and it is what the Debian installer program (dinstall) uses.
+If your key is available from there, it will be seen by dinstall. The
+tarball and Debian package are provided for user convenience and are
+not necessarily in sync with keyring.debian.org.
+
+That file contains the keyrings, signed copy of keyring md5sums and
+this README. The keyring md5sums will be signed by the keyring-maint
+team (currently, Jonathan McDowell, Gunnar Wolf, and Daniel Kahn
+Gillmor).
+
+Using the debian-keyring with gpg
+---------------------------------
+
+Add these lines to the bottom of your ~/.gnupg/gpg.conf[1] file:
+
+keyring /usr/share/keyrings/debian-keyring.gpg
+
+GPG cannot modify keys in these root-owned files. In order to edit or
+sign keys in the Debian keyring you will first need to import them to
+your personal keyring. If ~/.gnupg/gpg.conf lists the debian-keyring
+files, keys already in the Debian keyring will not be imported to your
+personal keyring. You can use "gpg --no-options --import" to force
+GPG to ignore gpg.conf and import keys to your personal keyring only.
+
+It is also possible to use public keyservers on the net directly. This
+requires that you have a working internet connection.
+Add a line to your ~/.gnupg/gpg.conf[1] file such as:
+
+keyserver pool.sks-keyservers.net
+
+or
+
+keyserver keyring.debian.org
+
+Generate a key pair
+-------------------
+
+GPG is used for security, and security can be a bit tricky. You might
+find the guide at:
+
+https://keyring.debian.org/creating-key.html
+
+helpful.
+
+Your OpenPGP key should have an encryption-capable subkey as well; otherwise
+DSA will not be able to email you your account password.
+
+You should also generate a revocation certificate, and store it in a
+safe place in the case that you forget your pass phrase, or lose your
+key(s). GnuPG 2.1 or later automatically generates revocation
+certificates and stores them in ~/.gnupg/openpgp-revocs.d/ -- please
+back them up safely!
+
+Exchange key signatures with other people
+-----------------------------------------
+
+If at all possible, meet other Debian developers in person, verify
+their fingerprints, and certify each other's keys. Geographical and
+economical challenges often make this impossible, but if you can do
+it, please do. Signing keys means verifying that the key and the
+username belong together. The signatures allow other people to know
+that the key belongs to the person it says it belongs to. (This is the
+"web of trust" stuff the GPG manual explains about.)
+
+Also exchange key signatures with many other OpenPGP users. It all
+helps to expand and strengthen the OpenPGP web of trust.
+
+Do *NOT* certify other people's key unless you have met that person
+face to face in real life and have verified that the person is who
+they say they are. One common way people can verify identity is to
+ask for a strong, unforgeable form of government-issued ID that they
+know how to check (e.g. passport, driver's license).
+
+
+Getting your key into the debian keyring
+----------------------------------------
+
+If you are an old debian developer who hasn't uploaded your packages
+for a long time, and your key is not in the keyring, send a mail to
+keyring@rt.debian.org (making sure to include the words "Debian RT"
+somewhere in the subject) explaining the situation, and including your
+public key.
+
+All new maintainers should apply at https://nm.debian.org/, and your
+key(s) will be added to the keyring as part of the admission process.
+
+
+Updating your key(s)
+--------------------
+
+There is a keyserver running on keyring.debian.org; for any updates of
+existing keys please send them there, e.g:
+
+ $ gpg --keyserver=keyring.debian.org --send-keys 0x00000123ABCD0000
+
+To add a new key or remove an existing one, please send mail to
+keyring@rt.debian.org making sure to include the words "Debian RT"
+somewhere in the subject line.
+
+
+What the keyrings are
+---------------------
+
+ o debian-keyring.gpg
+
+ This is the canonical Debian Developers (DD) keyring. Anyone who
+ has a key in here is an uploading Debian Developer.
+
+ o debian-maintainers.gpg
+
+ The keyring for Debian Maintainers (DM). Anyone who has a key in
+ here is a Debian Maintainer.
+
+ o debian-nonupload.gpg
+
+ This is the keyring for Debian Developers (nonuploading). Anyone
+ who has a key in here is a nonuploading Debian Developer.
+
+ o debian-role-keys.gpg
+
+ This is the keyring used to contain role account keys, such as
+ "ftp-master" (it contains the key used to sign the Release files
+ in the archive).
+
+===
+
+These keyrings are not part of the binary package but are available in
+the source package or on keyring.debian.org. It is very strongly
+recommended that you do not use or rely on keys in these keyrings for
+verification purposes.
+
+ o emeritus-keyring.gpg
+
+ This is the keyring of emeritus developers; i.e. those who have
+ resigned, retired, passed away or are otherwise inactive.
+
+
+Acknowledgements
+----------------
+
+This README was originally written by Lars Wirzenius, liw@iki.fi and
+was over time maintained by James Troup <james@nocrew.org>. Currently
+it is maintained by the keyring-maint team (Jonathan McDowell
+<noodles@earth.li>, Gunnar Wolf <gwolf@debian.org>, and Daniel Kahn
+Gillmor <dkg@fifthhorseman.net>). Contributions by J.H.M. Dassen
+(Ray) <jdassen@wi.LeidenUniv.nl>, Igor Grobman <igor@debian.org>,
+Darren Stalder <torin@daft.com>, Norbert Veber
+<nveber@primusolutions.net> and Martin Michlmayr <tbm@cyrius.com>.
+
+Many thanks to Brendan O'Dea <bod@debian.org> who set up and wrote
+support scripts for the keyserver on keyring.debian.org.
+
+================================================================================
+
+[1] In Woody-era versions of gnupg (<< 1.2) the options file was
+ called ~/.gnupg/options.