Re: Sign source packages for mentors.debian.net

To: Arno Töll <arno@debian.org>
Cc: debian-mentors@lists.debian.org
Subject: Re: Sign source packages for mentors.debian.net
From: Felix Natter <fnatter@gmx.net>
Date: Sat, 23 Mar 2013 17:36:39 +0100
Message-id: <[🔎] 87txo2ysx4.fsf@bitburger.home.felix>
In-reply-to: <[🔎] 514B8983.1020306@debian.org> ("Arno Töll"'s message of "Thu, 21 Mar 2013 23:28:19 +0100")
References: <[🔎] 87y5dg5xe2.fsf@bitburger.home.felix> <[🔎] 514B8983.1020306@debian.org>

Arno Töll <arno@debian.org> writes:

> Hi,

hello Arno,

Thanks for the quick response.

> On 21.03.2013 21:08, Felix Natter wrote:
>> Do I have to follow (some of) these steps?
>>   http://wiki.debian.org/Keysigning
>
> yes, the first one is enough though. This is not covered by docs,
> because that's a generic OpenGPG problem not specifically related to
> Debian (Mentors).

from http://mentors.debian.net/intro-maintainers:

"You need to use dput to upload packages. We accept your uploads through
HTTP or FTP. All packages must be signed with the GnuPG key you
configured in your control panel."

how about adding a link
[[http://keyring.debian.org/creating-key.html|GnuP key]]
for newcomers not knowing about the Debian keyring / PGP?

> You need to create a key satisfying the Debian keyring
> maintainers [1]. See any tutorial for OpenGPG for detailed
> instructions.

I followed these instructions [1]:
  http://keyring.debian.org/creating-key.html
Now I have a "4096R/23A05259" key for mentors.debian.net which seems
correct :-)

Concerning the sponsoring process:

- shall I change the debian/changelog line from 
freeplane (1.2.22-1) UNRELEASED; urgency=low
to
freeplane (1.2.22-1) unstable; urgency=low
  before I upload to mentors.debian.net?

- Shall I create the git 'debian/1.2.22-1' tag and push the changes only
  after the package has been approved by the sponsor?

- is signing git tags (git-buildpackage --git-sign-tags --git-tag)
  optional?

Further steps:

- sign the changes file:
  debsign -k23A05259 freeplane_1.2.22-1_i386.changes
  OR 
  dpkg-sig? (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=247824)
  OR building with
  git-buildpackage [--git-tag] --git-keyid=23A05259

- configure dput as described here: http://mentors.debian.net/intro-maintainers

- dput mentors freeplane_1.2.22-1_i386.changes

--> I think this is correct?

[1] https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#set-an-expiration-date-if-you-do-not-have-one
says that you need an expiration date, but http://keyring.debian.org/creating-key.html
recommends the opposite ("0 = key does not expire"). Shouldn't the page
be updated in this regard?

Thanks and Best Regards,
-- 
Felix Natter

Reply to:

References:
- Sign source packages for mentors.debian.net
  - From: Felix Natter <fnatter@gmx.net>
- Re: Sign source packages for mentors.debian.net
  - From: Arno Töll <arno@debian.org>

Prev by Date: Bug#703766: RFS: fonts-sil-averia-gwf/1.00-1 [ITP]
Next by Date: Bug#703630: RFS: libaria/2.7.5.2-1 [ITP] -- C++ library for MobileRobots/ActivMedia robots
Previous by thread: Re: Sign source packages for mentors.debian.net
Next by thread: Bug#693504: Feedback on the (unreleased) package
Index(es):
- Date
- Thread