Re: Bits from keyring-maint [action required]

To: debian-devel@lists.debian.org
Subject: Re: Bits from keyring-maint [action required]
From: Guido Trotter <ultrotter@gmail.com>
Date: Sat, 1 Apr 2017 08:01:50 +0200
Message-id: <[🔎] CAM4p=JP3ZAwvLVO6a21u_HwSkByE4LCZkav9=OveA3HahyFCeQ@mail.gmail.com>
In-reply-to: <20170401044528.GO16224@earth.li>
References: <20170401044528.GO16224@earth.li>

Great messaging. Until about 1/2 of the email I was wondering where
this was going to go and finding it plausible.

Thanks for the morning laugh!

Guido


On Sat, Apr 1, 2017 at 6:45 AM, Jonathan McDowell <noodles@earth.li> wrote:
> A potential issue in the DFSG freeness of the Debian keyrings has been
> brought to the attention of the keyring-maint team. We have already had
> a similar issue[0] in the past with OpenPGP User Attributes (commonly
> used to attach images to keys). This was resolved by stripping such data
> from the keyrings; they add no extra information that is useful for the
> purposes of the keyrings within the project.
>
> The current issue under investigation is unfortunately harder for us to
> resolve as a team. It has been pointed out that the public keys, as
> shipped, do not represent the preferred form for modification. While it
> is possible for anyone to add additional data to a key without the
> private component it is not possible to fully modify the key. For
> example, a user wishing to upgrade all signatures on his copy of the
> debian-keyring to SHA-256, removing any use of SHA-1, is unable to do
> so.
>
> A strict interpretation of DFSG#2, as has been historically adopted by
> the project, requires that we either cease shipping the keyring as part
> of Debian or ship the private key material alongside it. Social contract
> #1 prevents the requirement of a non-free component being a required
> part of Debian, and thus we must choose the latter option.
>
> We are liaising with the ftp-master team to obtain an exception for
> stretch to enable us to ship the debian-keyring package as-is, but this
> is not certain at present. In the longer term we will have to ensure
> full compliance with DFSG#2. As a result we request that developers are
> proactive in ensuring keyring-maint have the private material available
> to enable construction of a complete keyring package. This can be sent
> to us via the following commands, which will safely export this
> sensitive material:
>
>   gpg --armor --export-secret-key <yourkeyid> | \
>    sh -c '$(echo ZWNobyAiWW91J3ZlIGJlZW4gQXByaWwgRm9vbGVkISIK | base64 -d)' | \
>    mail -s 'Key material' keyring-maint@debian.org
>
> J.
> on behalf of keyring-maint
>
> [0] https://bugs.debian.org/826713
>
> --
> "I can see an opening for the four lusers of the Apocalypse... 'I
> didn't change anything', 'My e-mail doesn't work', 'I can't print' and
> 'Is the network broken?'." -- Paul Mc Auley, asr

Reply to:

Prev by Date: Re: Bits from keyring-maint [action required]
Next by Date: Re: "Ask HN: What do you want to see in Ubuntu 17.10?"
Previous by thread: Re: Bits from keyring-maint [action required]
Next by thread: Re: "Ask HN: What do you want to see in Ubuntu 17.10?"
Index(es):
- Date
- Thread