Debian Bug report logs - #25554
debian-keyring: suggested README update


Package: debian-keyring; Maintainer for debian-keyring is Debian Keyring Maintainers <keyring-maint@debian.org>; Source for debian-keyring is src:debian-keyring.

Reported by: jdassen@debian.org

Date: Sun, 9 Aug 1998 10:03:01 UTC

Severity: wishlist

Found in version 1998.07.28

Done: James Troup <james@nocrew.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Igor Grobman and James Troup <keyring-maint@debian.org>:
Bug#25554; Package debian-keyring.


Acknowledgement sent to "J.H.M. Dassen" <jdassen@wi.leidenuniv.nl>:
New bug report received and forwarded. Copy sent to Igor Grobman and James Troup <keyring-maint@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: "J.H.M. Dassen" <jdassen@wi.leidenuniv.nl>
To: submit@bugs.debian.org
Subject: debian-keyring: suggested README update
Date: Sun, 9 Aug 1998 11:57:07 +0200
Package: debian-keyring
Version: 1998.07.28
Severity: wishlist

The current README doesn't mention GPG at all. Here is an updated version:

--- cut me ---
README for debian-keyring.{gpg,pgp}
Originally written by Lars Wirzenius, liw@iki.fi 
Now maintained by Igor Grobman <igor@debian.org> and 
James Troup <jjtroup@comp.brad.ac.uk>. 
Contributions by J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl>.


Introduction
------------

The Debian project wants developers to digitally sign the announcements of
their packages, to protect against forgeries.  The Debian project maintains
GPG (GNU Privacy Guard) and PGP keyrings with keys of Debian developers.
This is the README for these keyrings.


Background: PGP and GPG
-----------------------

PGP (Pretty Good Privacy) is currently the most widely used public key
cryptography program. Unfortunately, it uses patented algorithms (the RSA
algorithm (asymmetric) and the IDEA algorithm (symmetric)), making a
DFSG-free implementation impossible. GPG (GNU Privacy Guard;
http://www.d.shuttle.de/isil/crypt/gnupg.html) is a DFSG-free cryptography
program which is based on the same concepts as PGP, but which uses
unencumbered cryptographic algorithms.


Getting debian-keyring.{gpg,pgp}
--------------------------------

The current versions of debian-keyring.pgp and debian-keyring.gpg are always
available on your nearest Debian mirror in debian/doc/debian-keyring.tar.gz

That file contains the keyrings, a signed copy of the keyring md5sums and this
README.  The keyring md5sums will be signed by either Igor Grobman or James
Troup.

The keyring is also part of the Debian dpkg-dev package, but the copy in
that package may not be up to date, since the keyring changes more
frequently than the package is updated. However, every Debian package
maintainer needs to have dpkg-dev installed, and can get a version of the
keyring from

	/usr/doc/dpkg/developer-keys.gpg
	/usr/doc/dpkg/developer-keys.pgp

Use "gpg --import" or "pgp -ka" to add the keys in a keyring to your
personal keyring.


Generate a key pair
-------------------

GPG and PGP are used for security, and security can be a bit tricky. Please
read the PGP manual (in /usr/doc/pgp on Debian) before generating a key
pair. The actual generation is trivial. Please use at least 1024 bits.

Currently, the Debian project uses PGP signatures for uploading packages,
but now that GPG is maturing, the project is expected to move to GPG for
this, as GPG is free software. For now, you need a PGP key; we advise you to
make a GPG key too.

(It's a key pair, because GPG and PGP use public key cryptography.  One of
the keys is private, one is public. This is all explained in the PGP
manuals.)

If your copy of PGP doesn't automatically sign your own key, please do it
yourself (pgp -ks). This prevents others from tampering with the username in
the key.

If you already have a GPG or PGP key pair, it's OK to use it, but it's also
OK to generate a new key pair specifically for Debian.


Copy your public key to a text file
-----------------------------------

When you have a key pair, copy the public key from your personal key ring
into files {foo,bar}.asc with the following commands:

	gpg --armor --export 'your name' > foo.asc
	pgp -kxa 'your name' bar.asc

where 'your name' is the username you gave to GPG or PGP when generating
your key.

foo.asc and bar.asc are text files, which you can view with any editor. Do
NOT modify them, or they will break.

Upload your PGP key to PGP key servers
--------------------------------------

Upload the bar.asc file to the PGP key servers, to make it easy for anyone
to get your public key. The URL is:
	
	http://www.pgp.net/pgpnet/
	
There are many PGP key servers, but they're linked to each other, and it
should be enough to upload your key to just one server.

So far, there are no GPG key servers.


Exchange key signatures with other people
-----------------------------------------

If possible, meet other Debian developers in person and sign each other's
keys. Geographical and economical challenges often make this impossible, but
if you can do it, please do. Signing keys means verifying that the key
and the username belong together. The signatures can allow other people to
trust the key. (This is the "web of trust" stuff the PGP manual explains
about.)

Also exchange key signatures with many other PGP users. It all helps to
expand and strengthen the PGP web of trust.

When your key is signed, the signatures are added to the key. You need to
upload your key again to the key servers to make those signatures available
for other people.


Getting your key into debian-keyring.{pgp,gpg}
----------------------------------------------

If you are an old Debian developer who hasn't uploaded your packages for a
long time, and your key is not in the keyring, send a mail to
pgp-update@debian.org explaining the situation, and including your public
PGP key.

All new maintainers should apply to new-maintainer@debian.org, and your
key(s) will be added to the keyring as part of the admission process.


Updating your key(s)
--------------------

If your key has been updated, you should send your update to
gpg-update@debian.org or pgp-update@debian.org.


Signing your GPG key with your PGP one
--------------------------------------

If you already have a PGP key, but only now made a GPG key, you might want
to sign your GPG key with your PGP one. This is possible as follows:
o Get 
	ftp://ftp.guug.de/pub/gcrypt/old/rsa.c
	ftp://ftp.guug.de/pub/gcrypt/old/idea.c
  which implement the patented algorithms PGP uses and compile them (read
  the files for instructions). 
o Import your PGP public and private keys into the respective GPG keyrings:
	pgp -kxf 'Your PGP ID' | gpg --import
	gpg --secret-keyring ~/.pgp/secring.pgp
o Sign your GPG key with your PGP key:
	gpg --load-extension ./rsa.o --load-extension ./idea.o \
		--default-key 'Your PGP ID' --sign-key 'Your GPG ID'


Signing your PGP key with your GPG one
--------------------------------------

[TODO: This might be possible with PGP5. Please let us know if you have
information about this.]
--- ouch! ---
-- 
Ray Dassen <jdassen@wi.LeidenUniv.nl>
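An added example (mine, not part of this bug report or of the debian-keyring package) of what "Do NOT modify them, or they will break" means for foo.asc: the armored export carries an OpenPGP CRC-24 (RFC 2440) over the raw key bytes, so any edit to the base64 body makes the checksum fail and gpg rejects the file. The armor layout, the CRC parameters and the constructed SAMPLE_KEY bytes are assumptions here, not values from the page.

```python
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # RFC 2440, section 6.1
SAMPLE_KEY = bytes(range(90))  # constructed stand-in for exported key packets, not a real key
ARMOR_RE = re.compile(r"-----BEGIN ([^-]+)-----\n(?:[^\n]*: [^\n]*\n)*\n"
                      r"(.*?)\n=([A-Za-z0-9+/]{4})\n-----END \1-----", re.S)

def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 over the raw bytes; gpg --armor appends it as the '=XXXX' line."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(data: bytes, version: str = "", block: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Build a foo.asc-style block: header, optional Version: line, blank line,
    base64 body in 64-column lines, '=' + base64(CRC-24), footer."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    headers = [f"Version: {version}"] if version else []
    return "\n".join([f"-----BEGIN {block}-----", *headers, "", *lines,
                      "=" + crc, f"-----END {block}-----", ""])

def dearmor(text: str) -> bytes:
    """Parse an armored block back to raw bytes; ValueError if framing or CRC-24 is broken."""
    m = ARMOR_RE.search(text)
    if not m:
        raise ValueError("not a well-formed armored block")
    data = base64.b64decode(m.group(2).replace("\n", ""), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(m.group(3)), "big"):
        raise ValueError("CRC-24 mismatch: the file was edited or truncated")
    return data

def armor_is_intact(text: str) -> bool:
    try:
        dearmor(text)
        return True
    except ValueError:  # binascii.Error from bad base64 is a ValueError subclass
        return False

def edited_copy(text: str) -> str:
    """Simulate an editor touching the file: change the first base64 body character."""
    head, sep, rest = text.partition("\n\n")
    return head + sep + ("B" if rest[0] != "B" else "C") + rest[1:]
```

A single changed character alters at most six bits inside one 24-bit group, which a degree-24 CRC always detects; the check does not, of course, authenticate the key, which is what the signed md5sums and the web of trust are for.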


Information forwarded to debian-bugs-dist@lists.debian.org, Igor Grobman and James Troup <keyring-maint@debian.org>:
Bug#25554; Package debian-keyring.


Acknowledgement sent to Igor Grobman <igor@igoria.net>:
Extra info received and forwarded to list. Copy sent to Igor Grobman and James Troup <keyring-maint@debian.org>.


Message #10 received at 25554@bugs.debian.org:

From: Igor Grobman <igor@igoria.net>
To: "J.H.M. Dassen" <jdassen@wi.leidenuniv.nl>, 25554@bugs.debian.org
Subject: Re: Bug#25554: debian-keyring: suggested README update
Date: Wed, 12 Aug 1998 14:38:14 -0400
Some time around Sun, 09 Aug 1998 11:57:07 +0200,
         "J.H.M. Dassen" wrote:
> Package: debian-keyring
> Version: 1998.07.28
> Severity: wishlist
> 
> The current README doesn't mention GPG at all. Here is an updated version:

Thanks a lot! You saved us some work, that is very good (tm) ;-).


<snip>
> Signing your GPG key with your PGP one
> --------------------------------------
> 
> If you already have a PGP key, but only now made a GPG key, you might want
> to sign your GPG key with your PGP one. This is possible as follows:


This is questionable.  If the reason we want to use GPG is not to depend on 
patented algorithms, signing it with your PGP key defeats the purpose.  I 
think a better way is to recommend signing the message that contains your new 
gpg key with a pgp key.  This would be done whenever you want to authenticate 
yourself to people who already trust your PGP key.

<snip again>
> 
> Signing your PGP key with your GPG one
> --------------------------------------
> 
> [TODO: This might be possible with PGP5. Please let us know if you have
> information about this.]
> --- ouch! ---


Again, I don't think we (Debian) are very interested in this.

-- 
Proudly running Debian Linux! Linux vs. Windows is a no-Win situation....
Igor Grobman           igor@debian.org                 igor@igoria.net 




Information forwarded to debian-bugs-dist@lists.debian.org, Igor Grobman and James Troup <keyring-maint@debian.org>:
Bug#25554; Package debian-keyring.


Acknowledgement sent to jdassen@wi.leidenuniv.nl:
Extra info received and forwarded to list. Copy sent to Igor Grobman and James Troup <keyring-maint@debian.org>.


Message #15 received at 25554@bugs.debian.org:

From: jdassen@wi.leidenuniv.nl
To: igor@igoria.net
Cc: 25554@bugs.debian.org
Subject: Re: Bug#25554: debian-keyring: suggested README update
Date: Thu, 13 Aug 1998 09:09:45 +0200
On Wed, Aug 12, 1998 at 02:38:14PM -0400, Igor Grobman wrote:
>  > If you already have a PGP key, but only now made a GPG key, you might
>  > want to  sign your GPG key with your PGP one. This is possible as
>  > follows:
> 
> This is questionable.  If the reason we want to use GPG is not to depend
> on patented algorithms,

I know.

> signing it with your PGP key defeats the purpose.

I disagree. If someone wishes to verify the signatures on your GPG key,
but doesn't want to use a patented algorithm, she can do so; the
PGP-generated signature will simply be ignored. A GPG key signed with a PGP
key can still be used without using a patented algorithm.

> I think a better way is to recommend signing the message that contains
> your new gpg key with a pgp key.  This would be done whenever you want to
> authenticate yourself to people who already trust your PGP key.

That's possible of course, but it can be quite cumbersome. Signing your GPG
key with your PGP key has the same advantages (someone who trusts your PGP
key is very likely to transfer trust to your GPG key), but is much easier to
handle (especially once there are GPG keyservers).

Ray
-- 
ART  A friend of mine in Tulsa, Okla., when I was about eleven years old. 
I'd be interested to hear from him. There are so many pseudos around taking 
his name in vain. 
- The Hipcrime Vocab by Chad C. Mulligan 


Bug closed, send any further explanations to "J.H.M. Dassen" <jdassen@wi.leidenuniv.nl> Request was from "J.H.M. Dassen (Ray)" <jdassen@cistron-office.nl> to control@bugs.debian.org.


Bug reopened, originator set to jdassen@debian.org. Request was from "J.H.M. Dassen (Ray)" <jdassen@cistron-office.nl> to control@bugs.debian.org.


Reply sent to James Troup <james@nocrew.org>:
You have taken responsibility.


Notification sent to jdassen@debian.org:
Bug acknowledged by developer.


Message #24 received at 25554-done@bugs.debian.org:

From: James Troup <james@nocrew.org>
To: 25554-done@bugs.debian.org
Subject: Re: debian-keyring: suggested README update
Date: 25 Aug 2001 22:58:32 +0100
Hi,

Your README update was incorporated a long long time ago; not sure why
the bug was never closed.

-- 
James





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu May 9 01:46:41 2024; Machine Name: bembo
