Differences between revisions 2 and 3
Revision 2 as of 2009-03-16 03:30:24
Size: 783
Editor: anonymous
Comment: converted to 1.6 markup
Revision 3 as of 2015-12-20 12:32:54
Size: 2573
Comment: added some detail, linking to the team, mention the package
Line 1: Line 1:
## Auto-converted by kwiki2moinmoin v2005-10-07 All work in Debian is performed by developers that can be identified. For those using Debian to be able to trust Debian, we feel it is important that our users can identify those that are working on the project and that development is as transparent as is possible.
Line 3: Line 3:
keyring.debian.org When joining the Debian project, developers need to identify themselves by providing an OpenPGP key that is signed by at least two existing members of the project. Contributions to the Debian archive are cryptographically signed using the developer's OpenPGP key to protect against forgeries.
Line 5: Line 5:
This public key server provides simple HKP lookup and add requests for Debian developer public keys. The '''Debian Keyring''' is the keyring that contains those OpenPGP keys which belong to Debian Developers, those with unrestricted upload privileges to the Debian archives.

As the Debian Project has evolved, two other keyrings have been created to manage the keys for those members of the project that are "non-uploading", that is they do not have privileges to upload to the archives but are in every other way full members of the project, and those of Debian Maintainers, developers that are not yet members of the project but have been granted limited upload privileges.

These keyrings are maintained by the [[Teams/KeyringMaint|keyring-maint]] team.

= Obtaining Keys =

== Via the Debian Archive ==

The keyrings maintained by the keyring-maint team are packaged in Debian as [[DebianPkg:debian-keyring]]. This package is often not the most up to date version of the keyring, though it can be a good way to bootstrap trust if you trust the media you installed Debian from as the package will be verified using GnuPG when it is downloaded and installed. The installed keyrings are placed in /usr/share/keyrings.

== Via HKP ==

The public key server at keyring.debian.org provides simple HKP lookup and add requests for Debian developer public keys.
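Review bot: the added paragraph beginning "As the Debian Project has evolved" defines both new keyrings in one long sentence, which makes it hard to tell which description belongs to which keyring. Suggest splitting it into one sentence or list item per keyring. In the "Via the Debian Archive" paragraph, the path /usr/share/keyrings would also read better in monospace markup, as the finger command is.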
Line 11: Line 25:
Debian keys may also be retrieved by using the form at db.debian.org or:
finger user@db.debian.org
Note that updates through this server will not be immediately reflected in the keys returned by those mechanisms.
Line 14: Line 27:
Note that updates through this server will not be immediately reflected in the keys returned by those mechanisms. == Via db.debian.org ==

Debian keys may also be retrieved by using the web form at [[https://db.debian.org/|db.debian.org]] or by using finger (from the [[DebianPkg:finger]] package):

{{{
$ finger user@db.debian.org
}}}
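Review bot: the sentence "Note that updates through this server will not be immediately reflected in the keys returned by those mechanisms" now sits at line 25, ahead of the new "== Via db.debian.org ==" heading at line 27, so "those mechanisms" has no antecedent. In revision 2 it followed the db.debian.org form and finger text. Suggest moving the note to the end of the new section, after the finger block, or naming the mechanisms explicitly.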

All work in Debian is performed by developers who can be identified. For users to be able to trust Debian, we feel it is important that they can identify those who are working on the project and that development is as transparent as possible.

When joining the Debian project, developers need to identify themselves by providing an OpenPGP key that is signed by at least two existing members of the project. Contributions to the Debian archive are cryptographically signed using the developer's OpenPGP key to protect against forgeries.

The Debian Keyring is the keyring that contains the OpenPGP keys belonging to Debian Developers, that is, those with unrestricted upload privileges to the Debian archives.

As the Debian Project has evolved, two other keyrings have been created. One manages the keys of those members of the project who are "non-uploading": they do not have privileges to upload to the archives but are in every other way full members of the project. The other manages the keys of Debian Maintainers, developers who are not yet members of the project but have been granted limited upload privileges.

These keyrings are maintained by the keyring-maint team.

Obtaining Keys

Via the Debian Archive

The keyrings maintained by the keyring-maint team are packaged in Debian as debian-keyring. This package is often not the most up-to-date version of the keyring, though it can be a good way to bootstrap trust if you trust the media you installed Debian from, as the package will be verified using GnuPG when it is downloaded and installed. The installed keyrings are placed in /usr/share/keyrings.

Via HKP

The public key server at keyring.debian.org provides simple HKP lookup and add requests for Debian developer public keys.

The server may be accessed with gpg by using the --keyserver option in combination with either the --recv-keys or the --send-keys action.

Only keys in the Debian keyrings will be returned by this server and only pre-existing keys will be updated, although a copy of all updates will be forwarded to a keyserver network. The keyrings are also periodically updated from that network.

Note that updates through this server will not be immediately reflected in the keys returned by the db.debian.org mechanisms described below.

Via db.debian.org

Debian keys may also be retrieved by using the web form at db.debian.org or by using finger (from the finger package):

$ finger user@db.debian.org
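
An added example, not part of the wiki page or of Debian's own tooling: before relying on a key fetched over HKP or finger, check that its fingerprint is a usable primary key in the archive-verified keyring under /usr/share/keyrings. The function names, the keyring file name in the comment and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the listing is constructed.
# A real listing would come from, for example (keyring file name assumed):
#   gpg --no-default-keyring \
#       --keyring /usr/share/keyrings/debian-keyring.gpg \
#       --with-colons --list-keys

# Constructed `gpg --with-colons` output: one valid key with a subkey,
# followed by one revoked key (validity field "r").
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:89ABCDEF01234567:1262304000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1262304000::::Constructed Developer <dev@example.org>:
sub:-:4096:1:0123456789ABCDEF:1262304000::::::e:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
pub:r:4096:1:76543210FEDCBA98:1262304000:::-:::sc:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}

# Print the primary-key fingerprints of usable keys from a listing on stdin.
# Subkey fingerprints and revoked, expired or invalid keys are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = ($2 !~ /^[rei]$/); next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Exit 0 only if fingerprint $1 is a usable primary key in the listing
# on stdin. Spaced or lower-case fingerprints are normalised first.
in_keyring() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    [ -n "$want" ] || return 2
    primary_fprs | grep -qxF -- "$want"
}

# Fingerprint as it might be read from a fetched key (constructed value).
fpr='0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567'
if sample_listing | in_keyring "$fpr"; then
    echo "fingerprint is in the trusted keyring"
else
    echo "fingerprint NOT in the trusted keyring"
fi
```

Matching on the full primary fingerprint, rather than a short key ID or a subkey fingerprint, is what ties the fetched key to the entry in the packaged keyring.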