README for debian-keyring.pgp
Originally written by Lars Wirzenius, liw@iki.fi 
Now maintained by Igor Grobman <igor@debian.org> and 
James Troup <jjtroup@comp.brad.ac.uk>


Introduction

	The Debian project wants developers to digitally sign
	the announcements of their packages with PGP, to protect
	against forgeries.  I maintain a PGP keyring with keys of
	Debian developers.  This is the README for that keyring.

Getting debian-keyring.pgp

	The current version of debian-keyring.pgp is always
	available on your nearest debian mirror in 
	debian/doc/debian-keyring.tar.gz 

	That file contains the keyring, a signed copy of the keyring
	md5sums, and this README.  The md5sums will be signed
	by either Igor Grobman or James Troup.
	
	The keyring is also part of the Debian dpkg-dev package,
	but the copy in that package may not be up to date,
	since the keyring changes more frequently than the
	package is updated. However, every Debian package
	maintainer needs to have dpkg-dev installed, and can
	get a version of the keyring from
	
		/usr/doc/dpkg/developer-keys.pgp
	
	Use "pgp -ka debian-keyring.pgp" to add the keys in the
	keyring to your personal keyring.
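	As an added example (not part of the original README or of
	any Debian package), the following POSIX shell functions carry
	out the check the tarball is designed for: verify the PGP
	signature on the md5sums file, then compare the keyring
	against the signed sums.  They assume PGP 2.6 command-line
	syntax ("pgp signedfile -o plaintext") and assumed file names
	md5sums.asc and md5sums inside the unpacked tarball.

```shell
# Verify the PGP signature on the signed md5sums file ($1) and write the
# verified plaintext to $2.  Assumes PGP 2.6 syntax; the signer's key
# (Igor Grobman's or James Troup's) must already be in your own public
# keyring, otherwise PGP reports an unknown signer and this step fails.
verify_md5sums_signature() {
    pgp +batchmode "$1" -o "$2"
}

# Compare every file listed in an md5sums file ($1, "hash  name" lines)
# against the files in directory $2.  Returns 0 only if every listed file
# exists and matches; a missing or altered file gives 1.
check_md5sums() {
    sums="$1"; dir="$2"; status=0
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING: $name" >&2; status=1; continue
        fi
        actual=$(md5sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH: $name" >&2; status=1
        fi
    done < "$sums"
    return $status
}

# Full check of a downloaded debian-keyring.tar.gz ($1): unpack it, verify
# the signed md5sums, then check the keyring against them.  The file names
# md5sums.asc and md5sums inside the tarball are assumptions, not taken
# from the README.
verify_keyring_tarball() {
    workdir=$(mktemp -d)
    tar xzf "$1" -C "$workdir"
    verify_md5sums_signature "$workdir/md5sums.asc" "$workdir/md5sums" &&
        check_md5sums "$workdir/md5sums" "$workdir"
}
```

	Only a keyring that passes both steps should be added to your
	personal keyring with "pgp -ka".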


Generate a key pair

	PGP is used for security, and security can be a bit
	tricky.  Please read the PGP manual (in /usr/doc/pgp
	on Debian) before generating a key pair. The actual
	generation is trivial. Please use at least 1024 bits.
	
	(It's a key pair, because PGP uses public key
	cryptography.  One of the keys is private, one is
	public. This is all explained in the manuals.)
	
	If your copy of PGP doesn't automatically sign your
	own key, please do it yourself (pgp -ks). This prevents
	others from tampering with the username in the key.
	
	If you already have a PGP key pair, it's OK to use it,
	but it's also OK to generate a new key pair specifically
	for Debian.

Copy your public key to a text file

	When you have a key pair, copy the public key from
	your personal key ring into a file called foo.asc
	with the following command:
	
		pgp -kxa 'your name' foo.asc
	
	where 'your name' is the username you gave to PGP when
	generating your key.
	
	foo.asc is a text file; you can view it with any editor.
	Do NOT modify it, or it will break.
	
Upload your key to PGP key servers

	Upload the foo.asc file to the PGP key servers, to make
	it easy for anyone to get your public key. The URL is:
	
		http://www.pgp.net/pgpnet/
	
	There are many PGP key servers, but they're linked to
	each other, and it should be enough to upload your key to
	just one server.

Exchange key signatures with other people

	If possible, meet other Debian developers in person
	and sign each other's keys. Geographical and economical
	challenges often make this impossible, but if you can do
	it, please do.  Signing a key means verifying that the
	key and the username belong together.  The signatures
	allow other people to trust the key.  (This is the
	"web of trust" that the PGP manual explains.)
	
	Also exchange key signatures with many other PGP users.
	It all helps to expand and strengthen the PGP web
	of trust.
	
	When your key is signed, the signatures are added to the
	key. You need to upload your key again to the key servers
	to make those signatures available for other people.

Getting your key into debian-keyring.pgp

	If you are a long-standing Debian developer who hasn't uploaded
	packages for a long time, and your key is not in the keyring,
	send mail to pgp-update@debian.org explaining the situation
	and including your public PGP key.

	All new maintainers should apply to new-maintainer@debian.org, 
	and your key will be added to the keyring as part of the 
	admission process.

Updating your key

	If your key has been updated, you should send your update to 
	pgp-update@debian.org.
