Differences between revisions 126 and 161 (spanning 35 versions)
Revision 126 as of 2013-09-23 00:11:48
Size: 13190
Comment: ensuring emails are signed with SHA2 keys; thanks to Aníbal Monsalve Salazar for the into
Revision 161 as of 2022-11-20 07:20:52
Size: 12962
Editor: ?GianfrancoCostamagna
Comment:
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:
||<tablewidth="100%"style="border: 0px hidden ;">~-Translation(s): none-~ ||<style="border: 0px hidden ; text-align: right;"> (!) [[/Discussion]] ||
<<BR>>
#language en
##For Translators - to have a constantly up to date translation header in you page, you can just add a line like the following (with the comment's character at the start of the line removed)
##<<Include(DebianMaintainer, ,from="^##TAG:TRANSLATION-HEADER-START",to="^##TAG:TRANSLATION-HEADER-END")>>
##TAG:TRANSLATION-HEADER-START
||<tablewidth="100%"style="border: 0px hidden ;">~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: [[DebianMaintainer|English]] - [[ko/DebianMaintainer|한국어]] - [[pt_BR/DebianMaintainer|Português (Brasil)]]-~||<style="border: 0px hidden ; text-align: right;"> (!) [[/Discussion]] ||
##TAG:TRANSLATION-HEADER-END
----
Line 10: Line 14:
'''Debian Maintainers''' (DMs) are people who have a restricted ability to upload packages to the Debian archive. They can maintain packages without a [[Glossary#sponsor|sponsor]]. '''Debian Maintainers''' (DMs) are people who have a restricted ability to upload packages to the Debian archive. <<BR>>
Unlike [[SponsoredMaintainer|Sponsored Maintainers]], t
hey can maintain packages '''without''' a [[Glossary#sponsor|sponsor]].
Line 14: Line 19:
The Debian Maintainers concept was introduced on 5th August 2007 by [[http://www.debian.org/vote/2007/vote_003|General Resolution]].
An up to date list of DMs is available at [[https://nm.debian.org/public/people#dm|nm.debian.org]].
The Debian Maintainers concept was introduced on 5th August 2007 by [[http://www.debian.org/vote/2007/vote_003|General Resolution]]. <<BR>>
An up to date list of DMs is available at [[https://nm.debian.org/public/people/dm_all|nm.debian.org]]. 
Line 20: Line 25:
Debian Maintainers have their keys in the ''debian-maintainers'' keyring (available in the {{{debian-keyring}}} package). This keyring is used by [[DebianDak|dak]] on the Debian archive as part of the checks as to whether an uploaded package is to be accepted. Packages signed by a key in the {{{debian-maintainers}}} keyring will be accepted if the key has upload right for the package. For the new interface for managing DM permissions, refer to the mail [[http://lists.debian.org/debian-devel-announce/2012/09/msg00008.html|Changes to Debian Maintainer upload permissions]].  Debian Maintainer should read this [[DebianMaintainer/Tutorial]] to know more about the annual ping, key changes and uploading packages. Debian Maintainers have their keys in the ''debian-maintainers'' keyring (available in the {{{debian-keyring}}} package).    This keyring is used by [[DebianDak|dak]] on the Debian archive as part of the checks as to whether an uploaded package is to be accepted. <<BR>>
Packages signed by a key in the {{{debian-maintainers}}} keyring will be accepted if the key has upload right for the package.  <<BR>>
For the new interface for managing DM permissions, refer to the mail [[http://lists.debian.org/debian-devel-announce/2012/09/msg00008.html|Changes to Debian Maintainer upload permissions]].

Debian Maintainer should read this [[DebianMaintainer/Tutorial]] to know more about --(the annual ping)--, key changes and uploading packages.
Line 24: Line 35:
A [[DebianDeveloper|Debian Developer]] should only advocate a ''Debian Maintainer'' candidate if they are familiar with the candidate's existing work in Debian and believe it to be of a suitable standard both technically and socially. A [[DebianDeveloper|Debian Developer]] should only advocate a ''Debian Maintainer'' candidate if
 *
they are familiar with the candidate's existing work in Debian
 *
and believe it to be of a suitable standard both technically and socially.
Line 28: Line 41:
If the Debian Maintainer candidate has done "a great job", please explain what "a great job" means -- is there something special the candidate has done, or is it that whatever the candidate is working on is particularly important, or is the candidate remarkably consistent, or what?

What has the candidate actually done that has earned your trust? What makes the candidate special compared to the other folks who are helping Debian? What in particular about the candidate's work should people lurking on the Debian lists be trying to emulate if they want to be a Debian Maintainer or a [[DebianDeveloper|Debian Developer]]?

For example, if the Debian Maintainer candidate has good packaging skills, go into a bit more detail about what's convinced you the candidate has got those skills? Are there any difficult bugs you've worked together on, or new features the candidate has done a good job of getting into Debian, or has the candidate been particularly helpful supporting users, or...?

Once you have decided to advocate a Debian Maintainer applicant, you should compose your advocacy message as a reply to their declaration message. Ensure it is GnuPG-signed with your Debian userid, and addressed to the {{{debian-newmaint}}} list.
 * If the Debian Maintainer candidate has done "a great job", please explain what "a great job" means
  *
is there something special the candidate has done,
  *
or is it that whatever the candidate is working on is particularly important,
  *
or is the candidate remarkably consistent, or what?
 * What has the candidate actually done that has earned your trust?
 *
What makes the candidate special compared to the other folks who are helping Debian?   * What in particular about the candidate's work should people lurking on the Debian lists be trying to emulate if they want to be a Debian Maintainer or a [[DebianDeveloper|Debian Developer]]?

For example, if the Debian Maintainer candidate has good packaging skills,<<BR>>
go into a bit more detail about what's convinced you the candidate has got those skills?   * Are there any difficult bugs you've worked together on,
 *
or new features the candidate has done a good job of getting into Debian,
 *
or has the candidate been particularly helpful supporting users,   * or...?

Once you have decided to advocate a Debian Maintainer applicant, you should
 * login to the [[https://nm
.debian.org|New Members]] website
 * and find their open application (the direct link can be found at the bottom of their Declaration of Intent email).
 * You can then add your declaration,
GnuPG-signed by your Debian key. <<BR>>
 This
will automatically be sent to the {{{debian-newmaint}}} list as well.  <<BR>>
 (Note that in previous times sending the email directly to the list yourself was sufficient; this is no longer the case. <<BR>>
 Advocacy must be submitted via the NM website for it to be attached to the application.)
Line 40: Line 68:
=== Prerequisite ===

Before becoming a ''Debian Maintainer'' you should have a history of contributions to Debian as a [[SponsoredMaintainer|Sponsored Maintainer]] where you can meet and establish a level of trust with other project members.
Line 41: Line 73:
 
 * You must have a strong (>= 2048 bit) RSA GnuPG key (see line above) and it must be [[Keysigning|signed]] by at least one (but ideally more than one) [[DebianDeveloper|Debian Developers]].
  . If signed by only one DD, try to make sure there is at least another trust path to your key.

 * You must have a strong (>= 2048 bit required; 4096 bit recommended) RSA or an ECDSA GnuPG key (see line above)  <<BR>>
and it must be [[Keysigning|signed]] by at least one (but ideally more than one) [[DebianDeveloper|Debian Developer]].

If signed by only one DD, try to make sure there is at least another trust path to your key.
Line 55: Line 89:
 * subscribe to the [[http://lists.debian.org/debian-devel-announce/|debian-devel-announce]] mailing list and are ''highly encouraged'' to subscribe to the [[http://lists.debian.org/debian-devel/|debian-devel]] mailing list.  * subscribe to the [[http://lists.debian.org/debian-devel-announce/|debian-devel-announce]] mailing list.
Line 63: Line 97:
 If you use caff (part of signing-party package) for signing keys you will also need to add these lines to ~/.caff/gnupghome/gpg.conf as well.

 * publically state your agreement to the above documents, signing your declaration with your OpenPGP key. Most people will post their declaration to the [[http://lists.debian.org/debian-newmaint|debian-newmaint mailing list]]. Your mail could look like this one:
 {{{
Subject: DM application of <your name>
This is my declaration of intent to become a Debian Maintainer
<URL:http://wiki.debian.org/DebianMaintainer>.
I have read the Social Contract, Debian Free Software Guidelines and
Debian Machine Usage Policy and agree with all of them.
Currently, I maintain the packages <insert the names of your packages>
and I co‐maintain the packages <insert the names of your co‐maintained packages>.
My GnuPG key <key ID> is signed by the Debian Developer <name of the developer>.
I look forward to becoming a Debian Maintainer. Thanks for your attention.
 }}}

=== step 3 : Advocation ===
 * You must have at least one (but preferably more) [[DebianDeveloper|Debian Developer]] '''advocate''' you. This is usually a signed mail to {{{debian-newmaint}}} (often a reply to your declaration mail)
  . You should send a mail to all your advocates, asking them to reply to the message you've send to debian-newmaint. You might forward the message to them, so they have the correct message-ID, or even cc or bcc them on the original message so that they can easily reply to it.
  {{{
Subject: Support of DM application of <your name>
Hello <advocate name>,
I would like to become a Debian Maintainer. I've sent the e‐mail [1],
also attached to this mail, to the mailinglist debian-newmaint. Now, I'm
looking for one or more Debian Developers to support my application. If
you think I would be a good Debian Maintainer, please post a statement to
debian-newmaint. Something like this:

Subject: Debian Maintainer application for <your name>
I believe that <your name> has the technical skills needed to maintain Debian
packages. I support his application to become a Debian maintainer, because
<detailed and extensive explanation why you believe he has the right skills>
[1] http://lists.debian.org/debian-newmaint/<complete the URL>
Thanks, <your name>.
}}}

=== step 4 : Account creation ===
 * Submit a bug report with a ''jetring changeset'' to the bug tracking system, filed against the [[http://www.debian.org/Bugs/pseudo-packages|debian-maintainers pseudo package]] (see [[http://bugs.debian.org/debian-maintainers|existing pending reports]]). Use only URLs from {{{debian.org}}} for the ''agreement'' and ''advocates'' fields of the jetring changeset
  1. You have to get the latest debian-maintainer keyring, e.g. download the [[http://packages.debian.org/sid/debian-keyring|debian-keyring package]]
  1. If the email address you use for packaging work is not the ''primary UID'' of your key, indicate that in the bug report
  1. Generate the changeset with {{{jetring-gen}}} from the [[http://packages.debian.org/jetring|jetring package]]
   . {{{
% apt-get install jetring
% apt-get download debian-keyring
% dpkg-deb -x debian-keyring*.deb keyring
% cp keyring/usr/share/keyrings/debian-maintainers.gpg .
% cp debian-maintainers.gpg debian-maintainers.gpg.orig
% gpg --export yourmail@example.com | gpg --import --no-default-keyring --keyring `pwd`/debian-maintainers.gpg
# note that `pwd`/debian-maintainers.gpg is not the same as debian-maintainers.gpg even when you are in corresponding directory. `pwd`/ is NEED.
% jetring-gen debian-maintainers.gpg.orig debian-maintainers.gpg 'Add <your name and e‐mail address> as a Debian Maintainer'
}}}
  1. Edit the file {{{add-*}}} and add these fields; after the colon should be a space before the end of line
   . {{{
Recommended-By:
  <names and e‐mail addresses of all your advocates (comma separated)>
Agreement:
  http://lists.debian.org/debian-newmaint/<complete the URL of your agreement>
Advocates:
  http://lists.debian.org/debian-newmaint/<complete the URL>
}}}

 * There will be a delay of four days after the bug report has been submitted to wait in case of objections or any more advocacies from [[DebianDeveloper|Debian Developers]]. This delay is a minimum but it might take more time until someone from the DM team processes your application. Note that the key is added to the keyring by the keyring team (not the DM team) and that you must expect another delay (between a few days and a few weeks depending on the case) due to this.
 If you use caff (part of DebPkg:signing-party package) for signing keys you will also need to add these lines to ~/.caff/gnupghome/gpg.conf as well.

 * register for a Salsa account if you do not have one
 * register for a [[https://nm.debian.org|New Members]] account
 * in [[https://nm.debian.org|New Members]], apply for the Debian Maintainer status
 * a mail will automatically be sent to the {{{debian-newmaint}}} mailing list.

The prospective DM is highly encouraged to subscribe to the [[http://lists.debian.org/debian-devel/|debian-devel]] mailing list.

Please check your key and fix any problem with your key. <<BR>>
Please read the document [[https://help.riseup.net/en/security/message-security/openpgp/best-practices|"OpenPGP Best Practices"]] by [[DanielKahnGillmor|Daniel Kahn Gillmor]] (dkg). <<BR>>
Its OpenPGP key checks have been implemented by [[ClintAdams|Clint Adams]] (clint) in the Debian package hopenpgp-tools and dkg's recommended settings has been put together in a gpg.conf file by [[https://en.wikipedia.org/wiki/Jacob_Appelbaum|Jacob Appelbaum]] (error). <<BR>>
Please check your key with clint's hokey lint command and use error's gpg.conf file as explained in dkg's document.

=== step 3 : Advocacy ===
 * You must have at least one (but preferably more) [[DebianDeveloper|Debian Developer]] '''advocate''' you.
 * You should send a mail to all your advocates, asking them
  * to log into [[https://nm.debian.org|New Members]],
  * find your open application,
  * and advocate you.

Their comments will also be sent to the {{{debian-newmaint}}} mailing list.

=== step 4 : Objections ===

Your application will stay pending for four days, to allow time for any objections to be filed.

=== step 5 : Keyring update ===

When your application is complete, it will be sent to the keyring maintainers who will actually update the keyring.

This can take anything from days to weeks, and you will be notified when it happens.


== Debian Maintainer retirement ==

Following each Debian release, all DMs who did not make an upload during the cycle for that release will be automatically retired.

For example: after the release of Stretch, DMs who did not make an upload
since the release of Jessie will be retired.

There used to be an annual "ping" bug procedure to indicate continued interest: that is not required anymore.

Announced [[https://lists.debian.org/debian-devel-announce/2016/08/msg00007.html|here]].
Line 129: Line 146:
After a Debian Maintainer's key has been added to the debian-maintainers keyring, a Debian Developer may grant upload permissions to the DM for specific packages by uploading a signed dak command to ftp.upload.debian.org [[https://lists.debian.org/debian-devel-announce/2012/09/msg00008.html | as described in the FTP-Master's announcement to debian-devel.]] This process can be simplified with the help of the {{{dcut}}} command from the {{{dput-ng}}} package. For example, both of the following work: After a Debian Maintainer's key has been added to the debian-maintainers keyring, a Debian Developer may grant upload permissions to the DM for specific packages by uploading a signed dak command to ftp.upload.debian.org [[https://lists.debian.org/debian-devel-announce/2012/09/msg00008.html | as described in the FTP-Master's announcement to debian-devel.]]  <<BR>>
This process can be simplified with the help of the {{{dcut}}} command from the '''{{{dput-ng}}}''' package. Note that this does not work with the {{{dcut}}} command from the {{{dput}}} package. You can check which one you have via {{{apt list dput*}}}.

For example, both of the following work:
Line 132: Line 152:
$ dcut dm --uid "Jane Doe" --allow glibc
$ dcut dm --uid 0x0DEFACED --allow glibc linux --deny kfreebsd9
$ dcut ftp-master dm --uid "Jane Doe" --allow glibc
$ dcut ftp-master dm --uid 0xfedcba9876543210 --allow glibc linux --deny kfreebsd9
Line 136: Line 156:
Both the DD and DM will receive a mail notification about any changes taken. The archive's knowledge about DMs can be [[https://ftp-master.debian.org/dm.txt |checked here.]] If the DM's key is not in the keyring package yet but in the DD's local keyring, use the {{{--force}}} option and the fingerprint, without spaces and, in this special case, without the 0x prefix and in all uppercase:

{{{
$ dcut ftp-master --force dm --uid FEDC
BA9876543210FEDCBA9876543210 --allow glibc
}}}

B
oth the DD and DM will receive a mail notification about any changes taken. <<BR>>
The archive's knowledge about DMs can be [[https://ftp-master.debian.org/dm.txt |checked here.]]
Line 149: Line 176:
 * http://keyring.debian.org/creating-key.html - Creating a new GPG key  * http://keyring.debian.org/creating-key.html - Creating a new OpenPGP key
Line 152: Line 179:
 * https://we.riseup.net/riseuplabs+paow/openpgp-best-practices - OpenPGP Best Practices  * https://help.riseup.net/en/security/message-security/openpgp/best-practices - OpenPGP Best Practices
Line 166: Line 193:
<<BR>>
/!\ graph image above was last updated circa 2009
Line 168: Line 197:
{{http://people.debian.org/~glandium/bts/d/debian-maintainers.png}} {{https://qa.debian.org/data/bts/graphs/d/debian-maintainers.png}}
Line 184: Line 213:
CategoryPermalink CategoryPermalink CategoryDeveloper

Translation(s): English - 한국어 - Português (Brasil)

(!) /Discussion


Contents

Introduction

Debian Maintainers (DMs) are people who have a restricted ability to upload packages to the Debian archive.
Unlike Sponsored Maintainers, they can maintain packages without a sponsor.

It is highly recommended to be a Debian Maintainer before applying to the Debian New Members process to become an official Debian Developer (see the Applicant's Checklist).

The Debian Maintainers concept was introduced on 5th August 2007 by General Resolution.
An up to date list of DMs is available at nm.debian.org. A list of the upload rights held by DMs is maintained by the Debian ftp-masters, and a few reports with the same information are maintained here.

Overview

Debian Maintainers have their keys in the debian-maintainers keyring (available in the debian-keyring package).

This keyring is used by dak on the Debian archive as part of the checks as to whether an uploaded package is to be accepted.
Packages signed by a key in the debian-maintainers keyring will be accepted if the key has upload right for the package.
For the new interface for managing DM permissions, refer to the mail Changes to Debian Maintainer upload permissions.

Debian Maintainer should read this DebianMaintainer/Tutorial to know more about the annual ping, key changes and uploading packages.

Advocating a Debian Maintainer

A Debian Developer should only advocate a Debian Maintainer candidate if

  • they are familiar with the candidate's existing work in Debian
  • and believe it to be of a suitable standard both technically and socially.

Debian Developers advocating Debian Maintainer candidates (or potential Debian Developers for that matter) must go into a bit more detail in their advocacy.

  • If the Debian Maintainer candidate has done "a great job", please explain what "a great job" means
    • is there something special the candidate has done,
    • or is it that whatever the candidate is working on is particularly important,
    • or is the candidate remarkably consistent, or what?
  • What has the candidate actually done that has earned your trust?
  • What makes the candidate special compared to the other folks who are helping Debian?
  • What in particular about the candidate's work should people lurking on the Debian lists be trying to emulate if they want to be a Debian Maintainer or a Debian Developer?

For example, if the Debian Maintainer candidate has good packaging skills,
go into a bit more detail about what's convinced you the candidate has got those skills?

  • Are there any difficult bugs you've worked together on,
  • or new features the candidate has done a good job of getting into Debian,
  • or has the candidate been particularly helpful supporting users,
  • or...?

Once you have decided to advocate a Debian Maintainer applicant, you should

  • login to the New Members website

  • and find their open application (the direct link can be found at the bottom of their Declaration of Intent email).
  • You can then add your declaration, GnuPG-signed by your Debian key.
    This will automatically be sent to the debian-newmaint list as well.
    (Note that in previous times sending the email directly to the list yourself was sufficient; this is no longer the case.
    Advocacy must be submitted via the NM website for it to be attached to the application.)

Becoming a Debian Maintainer

Steps required to become a Debian Maintainer

Prerequisite

Before becoming a Debian Maintainer you should have a history of contributions to Debian as a Sponsored Maintainer where you can meet and establish a level of trust with other project members.

step 1 : Identification

  • You must have a strong (>= 2048 bit required; 4096 bit recommended) RSA or an ECDSA GnuPG key (see line above)
    and it must be signed by at least one (but ideally more than one) Debian Developer.

If signed by only one DD, try to make sure there is at least another trust path to your key.

step 2 : Declaration of intent

To become a Debian Maintainer, you must:

  • agree to the social contract

  • agree to the DFSG

  • agree to the Debian Machine Usage Policies (dmup)

  • subscribe to the debian-devel-announce mailing list.

  • ensure that GnuPG uses SHA2 signatures (in preference to SHA1); an example is having the following content in ~/.gnupg/gpg.conf:
    personal-digest-preferences SHA512
    cert-digest-algo SHA512
    default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

    If you use caff (part of signing-party package) for signing keys you will also need to add these lines to ~/.caff/gnupghome/gpg.conf as well.

  • register for a Salsa account if you do not have one
  • register for a New Members account

  • in New Members, apply for the Debian Maintainer status

  • a mail will automatically be sent to the debian-newmaint mailing list.

The prospective DM is highly encouraged to subscribe to the debian-devel mailing list.

Please check your key and fix any problem with your key.
Please read the document "OpenPGP Best Practices" by Daniel Kahn Gillmor (dkg).
Its OpenPGP key checks have been implemented by Clint Adams (clint) in the Debian package hopenpgp-tools and dkg's recommended settings has been put together in a gpg.conf file by Jacob Appelbaum (error).
Please check your key with clint's hokey lint command and use error's gpg.conf file as explained in dkg's document.

step 3 : Advocacy

  • You must have at least one (but preferably more) Debian Developer advocate you.

  • You should send a mail to all your advocates, asking them
    • to log into New Members,

    • find your open application,
    • and advocate you.

Their comments will also be sent to the debian-newmaint mailing list.

step 4 : Objections

Your application will stay pending for four days, to allow time for any objections to be filed.

step 5 : Keyring update

When your application is complete, it will be sent to the keyring maintainers who will actually update the keyring.

This can take anything from days to weeks, and you will be notified when it happens.

Debian Maintainer retirement

Following each Debian release, all DMs who did not make an upload during the cycle for that release will be automatically retired.

For example: after the release of Stretch, DMs who did not make an upload since the release of Jessie will be retired.

There used to be an annual "ping" bug procedure to indicate continued interest: that is not required anymore.

Announced here.

Information

Now that you are a Debian Maintainer, you have to read this DebianMaintainer/Tutorial

Granting Permissions

After a Debian Maintainer's key has been added to the debian-maintainers keyring, a Debian Developer may grant upload permissions to the DM for specific packages by uploading a signed dak command to ftp.upload.debian.org as described in the FTP-Master's announcement to debian-devel.
This process can be simplified with the help of the dcut command from the dput-ng package. Note that this does not work with the dcut command from the dput package. You can check which one you have via apt list dput*.

For example, both of the following work:

$ dcut ftp-master dm --uid "Jane Doe" --allow glibc
$ dcut ftp-master dm --uid 0xfedcba9876543210 --allow glibc linux --deny kfreebsd9

If the DM's key is not in the keyring package yet but in the DD's local keyring, use the --force option and the fingerprint, without spaces and, in this special case, without the 0x prefix and in all uppercase:

$ dcut ftp-master --force dm --uid FEDCBA9876543210FEDCBA9876543210 --allow glibc

Both the DD and DM will receive a mail notification about any changes taken.

IRC Channel

Statistics

Data

http://people.debian.org/~anibal/dm/dm-history

Graph

http://people.debian.org/~anibal/dm/dm.png
/!\ graph image above was last updated circa 2009

Bugs

https://qa.debian.org/data/bts/graphs/d/debian-maintainers.png


Page Copyright

License

GPLv2

Authors

JonDowland AnibalMonsalveSalazar

see DebianWiki/LicencingTerms for info about wiki content copyright.


CategoryPermalink CategoryDeveloper