Re: Question about gpg key.
>> What should be my next steps? Should I notify somewhere in Debian about
>> the new key or just sign my packages with this key in the next uploads?
>
> Naturally, your key will have to be uploaded to a public key server. See
> this wiki page for more [1]. Get your key signed by other Debian
> developers if you want to become a Debian Developer at some point. See
> this list to find someone in your area to sign it [2]. Follow the
> instructions in [3] to get your new key into the Debian keyring.

I have read all related documentation before sending the message.
Procedure [4] affects only DDs. But I am not even a DM now. And it seems
like the key of a sponsored maintainer does not matter and it can be
changed at any moment, because the only important thing in an upload to
the main repo is the signature of the sponsor (DD), which is checked by a
bot. Correct me if I am wrong. That's why I asked the question.

In other words: should I sign my new key with the old one or take any
other action? Or can I just use the new key as it is?

Best regards,
Boris

-- 
To UNSUBSCRIBE, email to debian-newmaint-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/279871326268...@web97.yandex.ru
Re: Question about gpg key.
Boris Pek said [Wed, Jan 11, 2012 at 10:02:28AM +0200]:
> I have read all related documentation before sending the message.
> Procedure [4] affects only DDs. But I am not even a DM now. And it seems
> like the key of a sponsored maintainer does not matter and it can be
> changed at any moment, because the only important thing in an upload to
> the main repo is the signature of the sponsor (DD), which is checked by
> a bot. Correct me if I am wrong. That's why I asked the question.
>
> In other words: should I sign my new key with the old one or take any
> other action? Or can I just use the new key as it is?

[keyring-maint hat on]

Sorry for the delay, as I should have answered your question earlier on.

Yes, if you want to get closer to Debian (that is, be able to do any
uploads by yourself), you _do_ need to move to a 4096R key.

But, as to this specific question: If you are not interested in becoming
DM or DD, nobody will object - If I were to be your sponsor, I could do
everything without you even having a GPG key. A sponsor must not blindly
build and upload, but check everything as if it were his own package.

(Of course, once you have a working relation with a DD/DM that sponsors
you, _and_ you use a GPG key regardless of its strength, said DD/DM will
start trusting your work)

But anyway - Create a new key. Try to get it signed. Even if the old one
has many signatures, start getting people (specially those better
connected) to sign the new one. *Do* sign the new key with the old one,
to ensure people who already know you that it is still you doing this.
Re: Question about gpg key.
On 01/11/2012 02:02 AM, Boris Pek wrote:
>>> What should be my next steps? Should I notify somewhere in Debian
>>> about the new key or just sign my packages with this key in the next
>>> uploads?
>>
>> Naturally, your key will have to be uploaded to a public key server.
>> See this wiki page for more [1]. Get your key signed by other Debian
>> developers if you want to become a Debian Developer at some point. See
>> this list to find someone in your area to sign it [2]. Follow the
>> instructions in [3] to get your new key into the Debian keyring.
>
> I have read all related documentation before sending the message.
> Procedure [4] affects only DDs. But I am not even a DM now. And it seems
> like the key of a sponsored maintainer does not matter and it can be
> changed at any moment, because the only important thing in an upload to
> the main repo is the signature of the sponsor (DD), which is checked by
> a bot. Correct me if I am wrong. That's why I asked the question.
>
> In other words: should I sign my new key with the old one or take any
> other action? Or can I just use the new key as it is?

Since it hasn't been mentioned in this thread, Ana's page on creating a
new 4096R key and configuring gnupg properly was extremely helpful to me:

http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/

-- 
Kind regards,
Michael Shuler

Archive: http://lists.debian.org/4f0dbc43.1040...@pbandjelly.org
Re: Question about gpg key.
Hi,

Thank you very much for the replies.

> If I were to be your sponsor, I could do everything without you even
> having a GPG key.

Hmm, it looks like a very unusual way of maintaining packages. Sponsored
maintainers usually use mentors.debian.net and they must sign their
packages before upload.

> But anyway - Create a new key. Try to get it signed. Even if the old one
> has many signatures, start getting people (specially those better
> connected) to sign the new one. *Do* sign the new key with the old one,
> to ensure people who already know you that it is still you doing this.

Sorry, but you missed the beginning of this thread [1]. I have the new
key already. Following the replies, I understand that there is no need
for additional actions when a sponsored maintainer decides to change his
(not signed) key.

> Since it hasn't been mentioned in this thread, Ana's page on creating a
> new 4096R key and configuring gnupg properly was extremely helpful to
> me: http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/

Yes, this link is present in the wiki page. I didn't use these
instructions but they look very useful.

>> Should I sign my new key with the old one or take any other action?
>
> Assuming your two keys have the same User IDs on them: Signing the new
> key with the old one is a way of making a strong cryptographic assertion
> that the holder of the old key believes that the new key is legitimate.
> If that's the case, I don't see why you wouldn't want to make such an
> assertion.
>
>> Or can I just use the new key as it is?
>
> You can of course use it as it is; but making the assertion mentioned
> above (and writing and publishing a transition statement signed by both
> keys, e.g. http://fifthhorseman.net/key-transition-2007-06-15.txt) will
> help to convince some of the folks who signed your old key to sign the
> new one.

Ok, I understand this scheme. But in my case nobody was signed by the old
key and nobody has signed it. So there is no reason to sign my new key
with the old one.

Best regards,
Boris

[1] http://lists.debian.org/debian-newmaint/2012/01/threads.html#00071

Archive: http://lists.debian.org/699621326311...@web2.yandex.ru
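The transition procedure recommended above by keyring-maint and in the quoted advice (old key certifies the new key; a transition statement is clearsigned by both keys so that anyone who trusts either key can verify it) is spelled out below as an added example. It is not code from this thread or from the Debian keyring team. It runs entirely inside a throwaway GNUPGHOME; the User ID "Example Maintainer <maintainer@example.org>", the two generated keys and the statement text are all constructed for the demonstration. It assumes GnuPG 2.1 or newer on the PATH (for `--quick-sign-key` and `%no-protection`).

```shell
#!/bin/sh
# Added example: the key transition discussed in this thread, run end to end
# in a throwaway keyring. The identity, both keys and the statement text are
# constructed here for the demonstration; nothing is real data.
set -eu

# Constructed User ID shared by both keys (the "same User IDs" assumption).
MAINTAINER_NAME="Example Maintainer"
MAINTAINER_MAIL="maintainer@example.org"

# Step 1: an isolated GNUPGHOME so the demo never touches ~/.gnupg.
setup_keyring() {
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT
}

# Step 2: unattended RSA key of the given size, certification- and
# signing-capable, without a passphrase so no pinentry prompt is needed.
generate_key() {
    gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: $1
Key-Usage: cert,sign
Name-Real: $MAINTAINER_NAME
Name-Email: $MAINTAINER_MAIL
Expire-Date: 0
%commit
EOF
}

# Primary-key fingerprints for the shared User ID. In --with-colons output a
# "pub" record is followed by its "fpr" record; subkey fingerprints follow
# "sub" and are skipped.
primary_fingerprints() {
    gpg --batch --with-colons --list-keys "$MAINTAINER_MAIL" 2>/dev/null |
        awk -F: '$1=="pub"{p=1;next} $1=="fpr"&&p{print $10} {p=0}'
}

# Step 3: the assertion itself: the old key certifies the new key's User ID
# (--quick-sign-key is the non-interactive form in GnuPG 2.1+).
certify_new_with_old() {
    gpg --batch --yes --quiet -u "$OLD_FPR" --quick-sign-key "$NEW_FPR"
}

# Long key IDs (last 16 hex digits of a fingerprint) whose certifications on
# the new key verify: "!" in field 2 of --check-sigs output.
verified_certifiers() {
    gpg --batch --with-colons --check-sigs "$NEW_FPR" 2>/dev/null |
        awk -F: '$1=="sig" && $2=="!" {print $5}'
}

# Step 4: a transition statement clearsigned by both keys, so anyone who
# trusts either key can verify it and sees both fingerprints together.
sign_transition_statement() {
    cat > "$GNUPGHOME/transition.txt" <<EOF
Constructed key transition statement (example data only).

I am transitioning my OpenPGP key. The old key
    $OLD_FPR
is replaced by the new key
    $NEW_FPR
which the old key has signed. Please verify this statement with both keys
and, if you signed the old key, consider signing the new one.
EOF
    gpg --batch --yes --quiet -u "$OLD_FPR" -u "$NEW_FPR" --clearsign \
        -o "$GNUPGHOME/transition.asc" "$GNUPGHOME/transition.txt"
}

# Fingerprints that produced a good signature on the statement, taken from
# the machine-readable status lines "[GNUPG:] VALIDSIG <fingerprint> ...".
valid_statement_signers() {
    gpg --batch --status-fd 1 --verify "$GNUPGHOME/transition.asc" 2>/dev/null |
        awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3}'
}

run_demo() {
    setup_keyring
    generate_key 2048                                   # the old key
    OLD_FPR="$(primary_fingerprints | head -n 1)"
    generate_key 4096                                   # the new 4096R key
    NEW_FPR="$(primary_fingerprints | grep -v "$OLD_FPR")"
    certify_new_with_old
    CERTIFIERS="$(verified_certifiers)"
    sign_transition_statement
    STATEMENT_SIGNERS="$(valid_statement_signers)"
    echo "old key: $OLD_FPR"
    echo "new key: $NEW_FPR"
    echo "verified certifiers of the new key:" $CERTIFIERS
    echo "statement verified by:" $STATEMENT_SIGNERS
}

if command -v gpg >/dev/null 2>&1; then
    run_demo
else
    echo "gpg not found; nothing to demonstrate" >&2
fi
```

The last two lines of output are the checks a recipient of such a statement actually performs: the new key should carry a good certification from the old key's ID, and `--verify` on the statement should report a VALIDSIG for both fingerprints. In a real transition the keys would of course carry passphrases and the statement would be published where the people who signed the old key can find it.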
Re: Question about gpg key.
* Boris Pek tehnic...@yandex.ru, 2012-01-11, 21:56:
>> If I were to be your sponsor, I could do everything without you even
>> having a GPG key.
>
> Hmm, it looks like a very unusual way of maintaining packages. Sponsored
> maintainers usually use mentors.debian.net and they must sign their
> packages before upload.

That's an implementation detail of mentors.d.n that sponsors don't really
need to care about. :)

Besides, uploading to mentors.d.n is not the only (and likely not even the
predominant) way to share your work with a sponsor. For many teams[0], the
preferred way of code exchange is a VCS.

[0] Where "team" can mean a big packaging team as well as a
mentoree+sponsor tandem.

-- 
Jakub Wilk

Archive: http://lists.debian.org/20120111220104.ga3...@jwilk.net