00mjk / debian-keyring
This project forked from acidburn0zzz/debian-keyring
debian-keyring
Home Page: https://acidburn0zzz.github.io/debian-keyring/
License: GNU General Public License v2.0
README for the debian-keyring package
=====================================

Introduction
------------

The Debian project wants developers to digitally sign the
announcements of their packages, to protect against forgeries. The
Debian project maintains OpenPGP keyrings with keys of Debian
developers. This is the README for these keyrings.

Background: OpenPGP and GnuPG
-----------------------------

OpenPGP is a cryptographic standard that defines certificate formats,
signature formats, and encryption formats. For debian, we rely
heavily on the signature formats, and we keep our developers'
credentials in OpenPGP certificate formats, aggregated into
"keyrings", which are just concatenated files of OpenPGP certificates.

These keyrings have a suffix of .gpg, reflecting our use of GnuPG (the
GNU Privacy Guard), the most widely-used free software implementation
of OpenPGP.

Some older OpenPGP implementations used cryptography that is now
considered weak, so we strongly encourage you to migrate to a strong
(2048 bit or greater, current standard is 4096, RSA-based) OpenPGP
key.

Getting debian-keyring.gpg
--------------------------

The current version of debian-keyring.gpg is always available via
rsync from keyring.debian.org (module keyrings). There is also a
(possibly slightly out-of-date) version available on your nearest
debian mirror in debian/doc/debian-keyring.tar.gz and as the
debian-keyring package.

The rsync area on keyring.debian.org is the canonical location for
keyrings and it is what the Debian installer program (dinstall) uses.
If your key is available from there, it will be seen by dinstall. The
tarball and Debian package are provided for user convenience and are
not necessarily in sync with keyring.debian.org.

That file contains the keyrings, signed copy of keyring md5sums and
this README. The keyring md5sums will be signed by the keyring-maint
team (currently, Jonathan McDowell, Gunnar Wolf, and Daniel Kahn
Gillmor).
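Because a keyring is just concatenated OpenPGP certificates, it can be audited without GnuPG. The following is an added example, not part of the debian-keyring package: it walks the RFC 4880 packets of a binary keyring and reports RSA keys below the 2048-bit minimum this README sets. The function names and the SAMPLE bytes are constructed for illustration; only version-4 RSA keys are examined.

```python
import struct

PRIMARY_KEY, SUBKEY = 6, 14   # RFC 4880 tags: public-key, public-subkey
RSA_ALGOS = {1, 2, 3}         # RSA, RSA encrypt-only, RSA sign-only

def packets(data):
    """Yield (tag, body) for each packet of a binary (non-armored) keyring."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if hdr & 0x40:                                   # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:                              # one-octet length
                length, i = first, i + 2
            elif first < 224:                            # two-octet length
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:                           # five-octet length
                length, i = struct.unpack(">I", data[i + 2:i + 6])[0], i + 6
            else:
                raise ValueError("partial body length is not valid for key packets")
        else:                                            # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                               # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def rsa_key_sizes(keyring):
    """Return [(is_primary, modulus_bits)] for every v4 RSA key and subkey."""
    out = []
    for tag, body in packets(keyring):
        # v4 key body: version(1) | creation time(4) | algorithm(1) | MPI n | MPI e
        if tag in (PRIMARY_KEY, SUBKEY) and len(body) >= 8 and body[0] == 4 and body[5] in RSA_ALGOS:
            out.append((tag == PRIMARY_KEY, int.from_bytes(body[6:8], "big")))
    return out

def weak_keys(keyring, minimum=2048):
    return [bits for _, bits in rsa_key_sizes(keyring) if bits < minimum]

def rsa_body(bits):
    """Constructed v4 RSA key body: all-ones modulus, e = 65537 (not a usable key)."""
    n = ((1 << bits) - 1).to_bytes(bits // 8, "big")
    return bytes([4, 0, 0, 0, 0, 1]) + struct.pack(">H", bits) + n + b"\x00\x11\x01\x00\x01"

# Constructed sample: 4096-bit primary, user ID, 2048-bit subkey, then a 1024-bit primary.
SAMPLE = (b"\x99" + struct.pack(">H", 525) + rsa_body(4096) + b"\xcd\x04test"
          + b"\xce\xc0\x4d" + rsa_body(2048) + b"\xc6\x8d" + rsa_body(1024))
```

Each primary-key packet starts a new certificate, so counting entries with is_primary set gives the number of certificates. To audit the installed file, pass the bytes of /usr/share/keyrings/debian-keyring.gpg to weak_keys().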

Using the debian-keyring with gpg
---------------------------------

Add these lines to the bottom of your ~/.gnupg/gpg.conf[1] file:

    keyring /usr/share/keyrings/debian-keyring.gpg

GPG cannot modify keys in these root-owned files. In order to edit or
sign keys in the Debian keyring you will first need to import them to
your personal keyring. If ~/.gnupg/gpg.conf lists the debian-keyring
files, keys already in the Debian keyring will not be imported to your
personal keyring. You can use "gpg --no-options --import" to force GPG
to ignore gpg.conf and import keys to your personal keyring only.

It is also possible to use public keyservers on the net directly. This
requires that you have a working internet connection. Add a line to
your ~/.gnupg/gpg.conf[1] file such as:

    keyserver pool.sks-keyservers.net

or

    keyserver keyring.debian.org

Generate a key pair
-------------------

GPG is used for security, and security can be a bit tricky. Please
install the gnupg-doc package and read the GPG manual (located in
/usr/share/doc/gnupg-doc/GNU_Privacy_Handbook) before generating a key
pair.

The actual generation is trivial. You must use at least 2048 bits, but
4096 bit RSA keys are recommended.

The Debian project will only accept new keys if they are OpenPGP keys.
For widest use within the project, your OpenPGP key should have an
encryption-capable subkey as well.

You should also generate a revocation certificate, and store it in a
safe place in the case that you forget your pass phrase, or lose your
key(s). GnuPG 2.1 or later automatically generates revocation
certificates and stores them in ~/.gnupg/openpgp-revocs.d/ -- please
back them up safely!

Exchange key signatures with other people
-----------------------------------------

If at all possible, meet other Debian developers in person, verify
their fingerprints, and certify each other's keys. Geographical and
economical challenges often make this impossible, but if you can do
it, please do.

Signing keys means verifying that the key and the username belong
together. The signatures allow other people to know that the key
belongs to the person it says it belongs to. (This is the "web of
trust" stuff the GPG manual explains about.)

Also exchange key signatures with many other OpenPGP users. It all
helps to expand and strengthen the OpenPGP web of trust.

Do *NOT* certify other people's key unless you have met that person
face to face in real life and have verified that the person is who
they say they are. One common way people can verify identity is to ask
for a strong, unforgeable form of government-issued ID that they know
how to check (e.g. passport, driver's license).

Getting your key into the debian keyring
----------------------------------------

If you are an old debian developer who hasn't uploaded your packages
for a long time, and your key is not in the keyring, send a mail to
[email protected] (making sure to include the words "Debian RT"
somewhere in the subject) explaining the situation, and including your
public key.

All new maintainers should apply at https://nm.debian.org/, and your
key(s) will be added to the keyring as part of the admission process.

Updating your key(s)
--------------------

There is a keyserver running on keyring.debian.org; for any updates of
existing keys please send them there, e.g:

    $ gpg --keyserver=keyring.debian.org --send-keys 0x00000123ABCD0000

To add a new key or remove an existing one, please send mail to
[email protected] making sure to include the words "Debian RT"
somewhere in the subject line.

What the keyrings are
---------------------

 o debian-keyring.gpg

   This is the canonical Debian Developers (DD) keyring. Anyone who has
   a key in here is an uploading Debian Developer.

 o debian-maintainers.gpg

   The keyring for Debian Maintainers (DM). Anyone who has a key in
   here is a Debian Maintainer.

 o debian-nonupload.gpg

   This is the keyring for Debian Developers (nonuploading).
   Anyone who has a key in here is a nonuploading Debian Developer.

 o debian-role-keys.gpg

   This is the keyring used to contain role account keys, such as
   "ftp-master" (it contains the key used to sign the Release files in
   the archive).

 ===

 These keyrings are not part of the binary package but are available
 in the source package or on keyring.debian.org. It is very strongly
 recommended that you do not use or rely on keys in these keyrings for
 verification purposes.

 o emeritus-keyring.gpg

   This is the keyring of emeritus developers; i.e. those who have
   resigned, retired, passed away or are otherwise inactive.

Acknowledgements
----------------

This README was originally written by Lars Wirzenius,
[email protected] and was over time maintained by James Troup
<[email protected]>. Currently it is maintained by the keyring-maint
team (Jonathan McDowell <[email protected]>, Gunnar Wolf
<[email protected]>, and Daniel Kahn Gillmor <[email protected]>).

Contributions by J.H.M. Dassen (Ray) <[email protected]>, Igor Grobman
<[email protected]>, Darren Stalder <[email protected]>, Norbert Veber
<[email protected]> and Martin Michlmayr <[email protected]>.

Many thanks to Brendan O'Dea <[email protected]> who set up and wrote
support scripts for the keyserver on keyring.debian.org.

================================================================================

[1] In Woody-era versions of gnupg (<< 1.2) the options file was called
    ~/.gnupg/options.