New Debian Maintainer Tutorial

Key Changes

The debian-maintainers keyring is updated with a new version of the debian-keyring package. Its keys are not kept in sync with the keyservers. All changes to the debian-maintainers keyring are done with jetring changesets.

Annual ping

Debian Maintainers must reconfirm their interest annually to keep their keys in the debian-maintainers keyring by filing a signed bug report against the debian-maintainers pseudo package.

Key replacement/removal

File a signed bug report with a jetring changeset against the debian-maintainers pseudo package to replace/update an existing key or remove a key from the debian-maintainers keyring. If you are replacing a key with an entirely new key (rather than just updating the expiry date or subkeys) you should read the following rules (taken from the rules for key replacement in the debian-developers keyring).

Rules for key replacement in the Debian Maintainers keyring

These are the rules governing what happens if a Debian Maintainer (Alice) wishes to replace her existing key (X) in the debian-maintainer keyring with an entirely new key (Y).

Please note that this procedure is to be followed by Debian Maintainers only – For Debian Developers, please create a RT ticket as explained in the Debian keyring update information page.

  1. Key Y must be signed by an active Debian Developer (Bob) whose key is in the debian-developers keyring.
  2. Alice files a signed bug report with a jetring changeset to the bug tracking system against the debian-maintainers pseudo package.

  3. Alice must get a Debian Developer (ideally not Bob) to sign a message requesting the replacement of key X with key Y on behalf of Alice. That statement should contain the key fingerprints of both keys X and Y and must be posted as a follow up to the bug report filed by Alice.
  4. If the reason for replacement is 'key X is compromised or no longer valid' then the request for replacement must be accompanied by a revocation certificate for key X.
  5. If the reason for the replacement is 'key X was lost' then a revocation certificate should be provided if possible.
  6. If the reason is 'I wanted a new key' then the new key must be strictly more secure than the old key and 'reasonably' connected where 'reasonably' is left up to the debian-maintainers keyring administrator and varies depending on the circumstances of the Debian Maintainer in question.
  7. Anything else is at the debian-maintainers keyring administrator's discretion and, in general, arbitrary key replacements without good cause will be rejected.

Uploading packages

Once you have your key in the debian-maintainers keyring, you will be able to upload packages, where the following conditions hold:

The DM-Upload-Allowed: yes control field should be set by the sponsor (or by the sponsoree after a request from the sponsor), not silently added by the sponsoree without coordination with the usual sponsor. The field should only added to a source package after the sponsor is satisfied with the sponsoree's ability to handle that specific package, usually this happens after several good-quality uploads.

There is a DebianMaintainer/Tutorial for new maintainers.

dpkg caveat : Until recently dpkg did not understand the DM-Upload-Allowed field and would not add it to the DSC. You need to either have dpkg version >= 1.14.16 (you should use the most up to date tool versions anyway ;-)) or prefix it with 'XS-' for it to make it into the DSC file.

This tutorial explains how a DebianMaintainer (DM) would upload to Debian, it assumes that one is already familiar with tools like debsign & dput.

[ftp-master]
fqdn                    = ftp.upload.debian.org
incoming                = /pub/UploadQueue/
login                   = anonymous
allow_dcut              = 1
method                  = ftp

# http://lists.debian.org/debian-project/2009/05/msg00036.html
[ftp-eu]
fqdn                    = ftp.eu.upload.debian.org
method                  = ftp
incoming                = /pub/UploadQueue/
login                   = anonymous
allow_dcut              = 1