Hi,

So, even small teams more closely related to bureaucracy and bookkeeping such as ours also deserve to send out some "bits from..." mails from time to time. And being past midnight, I hope I can keep this concise and short. For people that were present at my lightning talk at DebConf, expect no new material in this mail... We just needed to send it out.

1. PGP (v3) keys are gone!
--------------------------

The first point is that, with a lot of patience and chasing, and after over a year of having stated the intention, we can finally say that older, vulnerable v3 keys are gone from the Debian Developer keyring, yay! Thanks in no small measure to Jonathan's endless bugging and chasing, all keys in Debian today are v4 1024D or higher, and that is a Very Good Thing. And yes, it leads us to the next point...

2. We want stronger keys
------------------------

1024D (SHA1) keys are OK-ish for now. No attacks are known on them, and they are not compromising the archive in any way (if they were, of course, we would immediately disable them and _then_ look for solutions, while surely becoming overnight the most hated team in Debian). Still, to be on the safe side (and to avoid the long and painful declining curve we had with v3 keys), we are now clearly pushing Debian towards adopting stronger RSA keys - We have accepted some 2048R keys, but if you don't have a real reason to keep your key at that size (i.e. you very often build on underpowered machines where a 4096R key takes forever, or something like that), we really prefer to go with 4096R keys. To create your 4096R key, you are advised to follow Ana Guerrero's excellent tutorial [1].
The policies for a key upgrade go as follows (and are explained at greater length at [2]):

- Your new key should be signed by your old key
- Your new key should be signed by two or more other Debian Developers
- Mail the key replacement request to keyring@rt.debian.org, mentioning 'Debian RT' somewhere in the mail subject
- The request should be _inline_ signed by your old key. If you send a MIME-encoded signed message, RT will mangle it and it won't validate. Please, inline-sign the message.
- Although we clearly want to transition to a stronger keyring, that does not mean we want to loosen the Web of Trust. That means that if you have a gazillion signatures in your 1024D key, you should not rush to update it with a barely-signed 4096R one. Get it signed by as many people as possible. If you are already socially active in Debian, that should pose no problem. Otherwise... Well, if you are isolated and far from anybody else, we might do it. But remember, there is no _pressing_ need to do so.

3. We demand stronger keys!
---------------------------

But then again, we are not allowing any new 1024D keys anymore. Anybody who is currently a DD or DM, or who has started their application towards becoming one, will be allowed with whatever key they currently have - But effective October 1st, no applications for DM or DD should be processed with anything less than a 2048R SHA2-capable key.

Ok, so, I'm looking forward to processing your key update requests!

On behalf of keyring-maint,

-Gunnar

--
[1] http://keyring.debian.org/creating-key.html
[2] http://keyring.debian.org/replacing_keys.html
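As an added example (not code from the keyring-maint team or from this mail), the following Python checks a key replacement request against the rules listed above: the key size and algorithm tiers from sections 2 and 3, a certification by the old key, and certifications from at least two other Debian Developers. It assumes the `pub`/`sig` record layout of `gpg --with-colons` output (field 3 = key length, field 4 = algorithm id, field 5 = key id); the key listing and the list of known DD key ids are constructed sample data.

```python
from dataclasses import dataclass, field

RSA, DSA = "1", "17"  # public-key algorithm ids as printed by gpg --with-colons

@dataclass
class Key:
    keyid: str
    algo: str
    bits: int
    sigs: list = field(default_factory=list)  # key ids that have certified this key

def parse_colons(text):
    """Parse the 'pub' and 'sig' records of one key listing (assumed gpg --with-colons layout)."""
    key = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key = Key(keyid=f[4], algo=f[3], bits=int(f[2]))
        elif f[0] == "sig" and key is not None:
            key.sigs.append(f[4])  # field 5 of a sig record is the signing key id
    return key

def key_strength(key):
    """Tiers as the mail describes them: 4096R preferred, 2048R accepted,
    1024D tolerated only for existing DDs/DMs, anything weaker rejected."""
    if key.algo == RSA and key.bits >= 4096:
        return "preferred"
    if key.algo == RSA and key.bits >= 2048:
        return "accepted"
    if key.algo == DSA and key.bits == 1024:
        return "legacy-only"
    return "rejected"

def replacement_ok(new_key, old_keyid, dd_keyids):
    """Replacement rules: signed by the old key and by two or more *other* DDs
    (the old key and the new key's own self-signature do not count)."""
    signed_by_old = old_keyid in new_key.sigs
    other_dds = {k for k in new_key.sigs if k in dd_keyids and k not in (old_keyid, new_key.keyid)}
    strong_enough = key_strength(new_key) in ("preferred", "accepted")
    return signed_by_old and len(other_dds) >= 2 and strong_enough

# Constructed sample: a 4096R key with its self-signature, a certification from the
# old 1024D key AAAA..., and certifications from two other DDs BBBB... and CCCC...
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:2010-09-01::::::scESC:
sig:::1:0123456789ABCDEF:2010-09-01::::Example Developer <dev@example.org>:13x:
sig:::17:AAAAAAAAAAAAAAAA:2010-09-01::::Example Developer (old key) <dev@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:2010-09-02::::Other Developer <dd1@example.org>:13x:
sig:::1:CCCCCCCCCCCCCCCC:2010-09-02::::Another Developer <dd2@example.org>:13x:
"""
KNOWN_DDS = {"AAAAAAAAAAAAAAAA", "BBBBBBBBBBBBBBBB", "CCCCCCCCCCCCCCCC"}  # constructed sample
```

In practice the listing would come from `gpg --with-colons --list-sigs <keyid>` and the DD set from the keyring itself; the checker only tells you whether the request meets the rules above, not whether the signatures are valid.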