Pulling changes from the HKP server
===================================

We run an HKP (HTTP Keyserver Protocol) keyserver to allow public
querying of Debian keys and to let DDs and DMs update their own keys,
e.g. by sending more signatures. Updating the keyrings from this HKP
server is "pulling" HKP changes.

There's a script called pull-updates that takes a keyring and a keyring
dir, explodes the keyring and looks for keys that have changed, then
calls update-key for each of them. This is a bit of a labour-intensive
task, but it does mean we don't automatically allow things like adding a
new UID that's complete nonsense. I have some local patches to make it a
bit easier in terms of automatically generating an update.log, which has
the same format as the changelog entry for what was altered; I'll commit
them at some point soon.

So, to import the HKP updates, we pull the keyrings first from:

  kaufmann.debian.org:/srv/keyring.debian.org/keyrings-new/debian-{keyring,nonupload,maintainers}.gpg

and second from:

  kaufmann.debian.org:/srv/keyring.debian.org/pending-updates/debian-{keyring,nonupload,maintainers}.gpg

  $ scp kaufmann.debian.org:/srv/keyring.debian.org/keyrings-new/debian-{keyring,nonupload,maintainers}.gpg .
  debian-keyring.gpg        100%   30MB   2.5MB/s   00:12
  debian-maintainers.gpg    100% 1058KB 529.1KB/s   00:02
  debian-maintainers.gpg    100%   48KB  59.6KB/s   00:00

Then run pull-updates over each keyring (the loop below runs all three;
the transcript shows the first):

  $ for i in keyring nonupload maintainers; do ./scripts/pull-updates debian-${i}.gpg debian-${i}-gpg/; done
  (...a long list of keys later...)
  Updated keys are:
  0x8351C3C268AC5746
  0xE5273D986BE3C423
  0xED1A3933B2CFCDD8
  gpg: keyring `/tmp/jetring.qGSB7NPt/secring.gpg' created
  gpg: keyring `/tmp/jetring.qGSB7NPt/pubring.gpg' created
  gpg: /tmp/jetring.qGSB7NPt/trustdb.gpg: trustdb created
  Running gpg-diff: 0x8351C3C268AC5746 Robert Alan Larson
  Are you sure you want to update this key? (y/n) y
  Updated key.
  gpg: keyring `/tmp/jetring.mHhg5onR/secring.gpg' created
  gpg: keyring `/tmp/jetring.mHhg5onR/pubring.gpg' created
  gpg: /tmp/jetring.mHhg5onR/trustdb.gpg: trustdb created
  Running gpg-diff: 0xE5273D986BE3C423 Paul Wise
  Are you sure you want to update this key? (y/n) y
  Updated key.
  gpg: keyring `/tmp/jetring.ZJnN1JpE/secring.gpg' created
  gpg: keyring `/tmp/jetring.ZJnN1JpE/pubring.gpg' created
  gpg: /tmp/jetring.ZJnN1JpE/trustdb.gpg: trustdb created
  Running gpg-diff: 0xED1A3933B2CFCDD8 Philipp Kern
  Are you sure you want to update this key? (y/n) y
  Updated key.

In this process, we must check that the changes we pull in "make sense"
before answering "y": a key should not add unrelated UIDs, weaker
subkeys, or an excessive number of signatures. A log of the accepted
changes is written to update.log:

  $ cat update.log
    0x8351C3C268AC5746 Robert Alan Larson
    0xE5273D986BE3C423 Paul Wise
    0xED1A3933B2CFCDD8 Philipp Kern

So, add the following to the changelog:

  * Updates from keyring.debian.org HKP interface:
    0x8351C3C268AC5746 Robert Alan Larson
    0xE5273D986BE3C423 Paul Wise
    0xED1A3933B2CFCDD8 Philipp Kern

Repeat the process for the other downloaded keyrings. After processing
the second set of keyrings (from kaufmann's
/srv/keyring.debian.org/pending-updates), the three keyrings in
pending-updates should be removed, as the keyring update procedure on
kaufmann checks that they are empty (see infrastructure/kaufmann.txt).
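The "make sense" check above is done by eye over the gpg-diff output. The following Python script is an added example, not part of the keyring team's scripts, of automating the mechanical part of that review: it parses the `gpg --with-colons --list-sigs` listing of a key before and after the pull and reports new UIDs, new subkeys (flagging ones below an assumed minimum size), and a large jump in signature count. The two sample listings are constructed (not real keys), the thresholds in MIN_BITS and MAX_NEW_SIGS and the names check_update/check_pulled_key are this example's own, and the keyring-file helper assumes gpg is on PATH.

```python
"""Sanity-check one key pulled from the HKP server.  Added example, not
part of the keyring team's scripts: compares the colon-format listing of
a key before and after the pull and reports what a reviewer should look
at before answering 'y' to update-key.  Thresholds are assumptions."""
import subprocess
from typing import Dict, List, Set, Tuple

# Assumed policy: minimum size for RSA (1), ElGamal (16) and DSA (17)
# subkeys, and the number of new signatures above which a pull is flagged.
MIN_BITS = {1: 2048, 16: 2048, 17: 2048}
MAX_NEW_SIGS = 50
ALGO_NAME = {1: "RSA", 16: "ELG", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# Constructed sample listings (not real keys).  The "new" one adds an
# unrelated UID and a 1024-bit DSA signing subkey, both of which should
# make the reviewer stop and ask questions.
OLD_LISTING = """\
pub:-:4096:1:0123456789ABCDEF:1300000000:::-:::scESC:
uid:-::::1300000000::AAAA::Example Developer <dev@example.org>:
sig:::1:0123456789ABCDEF:1300000000::::Example Developer <dev@example.org>:13x:
sub:-:4096:1:FEDCBA9876543210:1300000000::::::e:
sig:::1:0123456789ABCDEF:1300000000::::Example Developer <dev@example.org>:18x:
"""
NEW_LISTING = """\
pub:-:4096:1:0123456789ABCDEF:1300000000:::-:::scESC:
uid:-::::1300000000::AAAA::Example Developer <dev@example.org>:
sig:::1:0123456789ABCDEF:1300000000::::Example Developer <dev@example.org>:13x:
uid:-::::1400000000::BBBB::Totally Unrelated <nobody@example.net>:
sig:::1:0123456789ABCDEF:1400000000::::Example Developer <dev@example.org>:13x:
sub:-:4096:1:FEDCBA9876543210:1300000000::::::e:
sig:::1:0123456789ABCDEF:1300000000::::Example Developer <dev@example.org>:18x:
sub:-:1024:17:0011223344556677:1400000000::::::s:
sig:::1:0123456789ABCDEF:1400000000::::Example Developer <dev@example.org>:18x:
"""


def list_key(keyring: str, keyid: str) -> str:
    """Colon-format listing (with signatures) of one key from a
    standalone keyring file; assumes gpg is on PATH."""
    proc = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring,
         "--with-colons", "--list-sigs", keyid],
        check=True, capture_output=True, text=True)
    return proc.stdout


def parse_listing(text: str) -> Tuple[Set[str], Dict[str, Tuple[int, int]], int]:
    """Return (user IDs, {subkey id: (algo, bits)}, signature count)."""
    uids: Set[str] = set()
    subkeys: Dict[str, Tuple[int, int]] = {}
    sigs = 0
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "uid":            # field 10 is the user ID string
            uids.add(f[9])
        elif f[0] == "sub":          # field 3 key length, 4 algo, 5 key ID
            subkeys[f[4]] = (int(f[3]), int(f[2]))
        elif f[0] == "sig":
            sigs += 1
    return uids, subkeys, sigs


def check_update(old: str, new: str) -> List[str]:
    """Findings to review before accepting the updated key."""
    old_uids, old_subs, old_sigs = parse_listing(old)
    new_uids, new_subs, new_sigs = parse_listing(new)
    findings: List[str] = []
    for uid in sorted(new_uids - old_uids):
        findings.append("new UID: " + uid)
    for keyid, (algo, bits) in new_subs.items():
        if keyid in old_subs:
            continue
        name = ALGO_NAME.get(algo, "algo%d" % algo)
        tag = "weak new subkey" if bits < MIN_BITS.get(algo, 0) else "new subkey"
        findings.append("%s %s: %s %d" % (tag, keyid, name, bits))
    if new_sigs - old_sigs > MAX_NEW_SIGS:
        findings.append("%d new signatures (over %d)"
                        % (new_sigs - old_sigs, MAX_NEW_SIGS))
    return findings


def check_pulled_key(old_keyring: str, new_keyring: str, keyid: str) -> List[str]:
    """Compare one key across two keyring files, e.g. the committed
    debian-keyring.gpg and the copy fetched from kaufmann."""
    return check_update(list_key(old_keyring, keyid), list_key(new_keyring, keyid))


if __name__ == "__main__":
    for finding in check_update(OLD_LISTING, NEW_LISTING):
        print(finding)
```

Run as a script it reports the unrelated UID and the 1024-bit DSA subkey from the constructed sample; against real files, check_pulled_key(old, new, "0x...") gives the same report for a key in two keyring files, which is a quick first pass before reading the full gpg-diff.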