Bug#317411: marked as done ("type 4" GnuPG (gpg) key not clear)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sun, 09 Apr 2006 10:47:09 -0700
with message-id <E1FSe0D-00075R-1x@spohr.debian.org>
and subject line Bug#317411: fixed in developers-reference 3.3.7
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: "type 4" GnuPG (gpg) key not clear
• From: Martin Michlmayr <tbm@cyrius.com>
• Date: Fri, 8 Jul 2005 12:06:26 +0200
• Message-id: <20050708100626.GB29949@deprecation.cyrius.com>

Package: developers-reference
Severtiy: minor

Obviously, the paragraph talking about "type 4" GPG keys is not clear.
Please explain what "type 4" means exactly.



----- Forwarded message from Erick Vresnev Castellanos Hernández <vresnev@gmail.com> -----

From: Erick Vresnev Castellanos Hernández <vresnev@gmail.com>
Reply-To: Erick Vresnev Castellanos Hernández <vresnev@gmail.com>
Subject: Preferred way to genereate a gpg key?
Date: Fri, 24 Jun 2005 18:39:43 -0500
To: debian-devel@lists.debian.org

While I was reading Developer's Reference [1], in the part about gpg
keys, it says:

"You need a type 4 key for use in Debian Development. Your key length [...]"

I supposed that it refers about the "gpg --gen-key" command, and the
options that result from executing it. Also I remember that, *in the
past*, it was a "4" option which was something about ElGamal sign and
encryption, or something like that. But now, in the Sarge's version of
gpg, there is only option 1,2, and 5.

So, I ask: now what is the preferred way to generete a gpg key to
become a debian developer? The "4" expression, and my interpretation,
in that paragraph is it correct?

Just want to know. And if it is a bug, I hope somebody could change it
to avoid confusion.

Thanks.

Erick.



[1] http://www.debian.org/doc/packaging-manuals/developers-reference/ch-new-maintainer.en.html


-- 
"Libertad es aún la idea más radical de todas."
---Nathaniel Branden

----- End forwarded message -----
----- Forwarded message from "Brian M. Carlson" <sandals@crustytoothpaste.ath.cx> -----

From: "Brian M. Carlson" <sandals@crustytoothpaste.ath.cx>
Subject: Re: Preferred way to genereate a gpg key?
Date: Sat, 25 Jun 2005 01:03:20 +0000
To: debian-devel@lists.debian.org
X-Mailer: Evolution 2.2.2 

On Fri, 2005-06-24 at 18:39 -0500, Erick Vresnev Castellanos Hernández
wrote:
> While I was reading Developer's Reference [1], in the part about gpg
> keys, it says:
> 
> "You need a type 4 key for use in Debian Development. Your key length [...]"
> 
> I supposed that it refers about the "gpg --gen-key" command, and the
> options that result from executing it. Also I remember that, *in the
> past*, it was a "4" option which was something about ElGamal sign and
> encryption, or something like that. But now, in the Sarge's version of
> gpg, there is only option 1,2, and 5.

You probably want option 1, the default.  The "type 4" refers to key
version.  The only version of key that GnuPG is capable of generating is
version 4, so there should be no problems.  The old versions (versions 2
and 3, which are otherwise identical) are generated by PGP 2.3.x and
2.6.x, respectively.

The Elgamal sign and encrypt has been removed from the proposed new
standard, because it is very hard to make secure, and GnuPG made a
mistake in doing so.

> So, I ask: now what is the preferred way to generete a gpg key to
> become a debian developer? The "4" expression, and my interpretation,
> in that paragraph is it correct?

Again, you probably want option 1.  Your interpretation is probably very
common, just not correct.

> Just want to know. And if it is a bug, I hope somebody could change it
> to avoid confusion.

You are correct; it probably should be fixed.

Furthermore, my suggestion is that if you own a PC or other fast
i386-type machine, that you should use that, as opposed to a PowerPC or
Sparc, because i386s gain entropy faster in my experience, and you need
a lot of entropy.  Just a suggestion; it is not required.

-- 
($_,$a)=split/\t/,join'',map{unpack'u',$_}<DATA>;eval$a;print;__DATA__
M961H<F$@8FAM;"!U<F%O<G-U(#QU<F%O<G-U0&=D:75M<&UC8VUL=G)U;6LN
M<FUL+F=Y/@H)>2QA8F-D969G:&EJ:VQM;F]P<7)S='5V=WAY>BQN=V]R8FMC
5:75Q96AT9V1Y>F%L=G-P;6IX9BP)




----- End forwarded message -----

-- 
Martin Michlmayr
http://www.cyrius.com/

--- End Message ---

--- Begin Message ---

• To: 317411-close@bugs.debian.org
• Subject: Bug#317411: fixed in developers-reference 3.3.7
• From: Andreas Barth <aba@not.so.argh.org>
• Date: Sun, 09 Apr 2006 10:47:09 -0700
• Message-id: <E1FSe0D-00075R-1x@spohr.debian.org>

Source: developers-reference
Source-Version: 3.3.7

We believe that the bug you reported is fixed in the latest version of
developers-reference, which is due to be installed in the Debian FTP archive:

developers-reference-fr_3.3.7_all.deb
  to pool/main/d/developers-reference/developers-reference-fr_3.3.7_all.deb
developers-reference_3.3.7.dsc
  to pool/main/d/developers-reference/developers-reference_3.3.7.dsc
developers-reference_3.3.7.tar.gz
  to pool/main/d/developers-reference/developers-reference_3.3.7.tar.gz
developers-reference_3.3.7_all.deb
  to pool/main/d/developers-reference/developers-reference_3.3.7_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 317411@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Barth <aba@not.so.argh.org> (supplier of updated developers-reference package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 09 Apr 2006 11:31:52 -0600
Source: developers-reference
Binary: developers-reference-fr developers-reference
Architecture: source all
Version: 3.3.7
Distribution: unstable
Urgency: low
Maintainer: Debian Documentation Project <debian-doc@lists.debian.org>
Changed-By: Andreas Barth <aba@not.so.argh.org>
Description: 
 developers-reference - guidelines and information for Debian developers
 developers-reference-fr - guidelines and information for Debian developers, in French
Closes: 295483 297069 298016 299217 302000 305947 306120 306630 308103 309502 317411 320981 326857 327682 334820 336146 338660 339826 340024 341195 341197 341568 344303 347229 348160 349493 351255 351944 352749 353447
Changes: 
 developers-reference (3.3.7) unstable; urgency=low
 .
   * Andreas Barth:
     - adjust information about distributions with reality.
     - add note on alioth accounts. Thanks, Phillip Kern. Closes: #306630
     - correct manpage section of dpkg-scanpackages. Closes: #297069
     - fix RFC 2440 URL. Closes: #308103
     - add $arch@buildd information. Closes: #295483
     - link to keyring.d.o for key replacement. Thanks, Martin Michlmayr.
       Closes: #298016
     - add information about Packages-arch-specific. Thanks, Frank Küster.
       Closes: #302000
     - add hint about LWN subscription. Thanks, Martin Michlmayr.
       Closes: #299217
     - more about debconf-style translation. Thanks, Christian Perrier.
       Closes: #309502
     - non-us discontinued.
     - document nmu changes wrt version tracking. Thanks, Justin Pryzby.
       Closes: #341197
     - fix spelling issues. Thanks to various people.
       Closes: #336146, #326857, #338660
     - update menu policy helpers. Thanks, Florian Ernst. Closes: #340024
     - send mia-mail to mia@qa. Thanks, Adam D. Barratt. Closes: #341568
     - Joerg Jaspert is now freenode contact. Closes: #344303
     - give a clearer description of the gpg v4-key issues. Thanks,
       Martin Michlmayr and Peter Palfrader. Closes: #317411
     - more verbose about Homepage. Closes: #339826
     - add sarge and etch. Closes: #327682
     - document severity of RoM-request bugs. Closes: #305947
     - update FSF address. Closes: #334820
     - fix P-a-s link. Closes: #341195
     - reflect binNMU changes. Closes: #349493
     - new security upload queue. Closes: #352749
     - fix experimental's sources.list entry. Closes: #347229
     - remove deprecated "Closes:..." to ACK NMU bug fixes. Closes: #353447
     - when resigning, gpg-sign your mail. Closes: #348160
     - make pristine source and repackaged origtargz anchors work.
       Closes: #351255
     - same number of RC bugs is ok. Closes: #351944
     - dpkg-source doesn't keep permissions. Thanks, Enrico Zini.
       Closes: #306120
     - also mention aspell. Closes: #320981
 .
   * Frédéric Bothamy
     - French translation updated to version 3.3.7, proofread by Bernard Adrian
Files: 
 1fa3306d313ef71c320b29fc65de5a73 687 doc optional developers-reference_3.3.7.dsc
 a5ebba2123818aa47c897654ac1352c0 272598 doc optional developers-reference_3.3.7.tar.gz
 075ee8db80660b21d2d1b51ca29e79c4 589522 doc optional developers-reference_3.3.7_all.deb
 43eeb36aeb4ed2ff90bf3d2934867239 231352 doc optional developers-reference-fr_3.3.7_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEOUZDmdOZoew2oYURAurBAKCxZGWku01W9/y4hgoovvanK/0S4ACdHkMA
U767wyMyp3Imd76flAehRNs=
=2Xb4
-----END PGP SIGNATURE-----

--- End Message ---