Debian Maintainers are people who are not full developers but have a restricted ability to upload packages to the Debian archive.
The Debian Maintainers concept was introduced on 5th August 2007 by [http://www.debian.org/vote/2007/vote_003 General Resolution].
Debian Maintainers have their keys in the debian-maintainers keyring (available in the debian-maintainers package).
This keyring is used by dak on the Debian archive as part of the checks as to whether an uploaded package is to be accepted.
Packages signed by a key in the debian-maintainers keyring will be accepted if the package is not new and the previous version of the package contains the maintainer in the Maintainer or the Uploaders control fields and has the DM-Upload-Allowed control field present.
Advocating a Maintainer
A Debian Developer should only advocate a Debian Maintainer candidate if they are familiar with the candidate's existing work in Debian and believe it to be of a suitable standard both technically and socially.
Debian Developers advocating Debian Maintainer candidates (or potential Debian Developers for that matter) must go into a bit more detail in their advocacy.
If the Debian Maintainer candidate has done "a great job", please explain what "a great job" means -- is there something special the candidate has done, or is it that whatever the candidate is working on is particularly important, or is the candidate remarkably consistent, or what?
What has the candidate actually done that has earnt your trust? What makes the candidate special compared to the other folks who are helping Debian? What in particular about the candidate's work should people lurking on the Debian lists be trying to emulate if they want to be a Debian Maintainer or a Debian Developer?
For example, if the Debian Maintainer candidate has good packaging skills, go into a bit more detail about what's convinced you the candidate has got those skills? Are there any difficult bugs you've worked together on, or new features the candidate has done a good job of getting into Debian, or has the candidate been particularly helpful supporting users, or...?
Once you have decided to advocate a Debian Maintainer applicant, you should compose your advocacy message as a reply to their declaration message. Ensure it is GnuPG-signed with your Debian userid, and addressed to the debian-newmaint list.
Becoming a Maintainer
To become a Debian Maintainer, you must:
agree to the [http://www.debian.org/social_contract social contract]
agree to the [http://www.debian.org/social_contract#guidelines DFSG]
agree to the [http://www.debian.org/devel/dmup Debian Machine Usage Policies] (dmup)
publically state your agreement to the above documents, signing your declaration with your OpenPGP key. Most people will post their declaration to the [http://lists.debian.org/debian-newmaint debian-newmaint mailing list]
- have your PGP key signed by at least one (but ideally more than one) Debian Developers
- have at least one (but preferably more) Debian Developers advocate you. This is usually a signed mail to debian-newmaint (often a reply to your declaration mail)
submit a bug report with a jetring changeset to the bug tracking system, filed against the [http://packages.qa.debian.org/debian-maintainers debian-maintainers package]. Use only URLs from debian.org for the agreement and advocates fields of the jetring changeset
- there will be a delay of four days after the bug report has been submitted to wait in case of objections or any more advocacies from Debian Developers
Development and Announcement mailing lists
Maintainers must subscribe to the [http://lists.debian.org/debian-devel-announce/ debian-devel-announce] mailing list and are highly encouraged to subscribe to the [http://lists.debian.org/debian-devel/ debian-devel] mailing list.
Once you have your key in the debian-maintainers keyring, you will be able to upload packages, where the following conditions hold:
the package already lists you in the Maintainer or the Uploaders control fields
the package already has the DM-Upload-Allowed: yes control field
the package is not [:NewQueue:NEW]
Until recently dpkg did not understand the DM-Upload-Allowed field and would not add it to the DSC. You need to either have dpkg version >= 1.14.16 (you should use the most up to date tool versions anyway ;-)) or prefix it with 'XS-' for it to make it into the DSC file.
The debian-maintainers keyring is updated with a new version of the [http://packages.qa.debian.org/debian-maintainers debian-maintainers package]. Its keys are not kept in sync with the keyservers. All changes to the debian-maintainers keyring are done with jetring changesets.
Maintainers must reconfirm their interest annually to keep their keys in the debian-maintainers keyring by filing a signed bug report against the [http://packages.qa.debian.org/debian-maintainers debian-maintainers package].
File a signed bug report with a jetring changeset against the [http://packages.qa.debian.org/debian-maintainers debian-maintainers package] to replace/update an existing key or remove a key from the debian-maintainers keyring. If you are replacing a key with an entirely new key (rather than just updating the expiry date or subkeys) you should read the following rules (taken from the [http://keyring.debian.org/replacing_keys.html rules for key replacement in the debian-developers keyring]).
Rules for key replacement in the Debian Maintainers keyring
These are the rules governing what happens if a Debian Maintainer (Alice) wishes to replace her existing key (X) in the debian-maintainer keyring with an entirely new key (Y).
- Key Y must be signed by an active Debian Developer (Bob) whose key is in the debian-developers keyring.
Alice files a signed bug report with a jetring changeset to the bug tracking system against the [http://packages.qa.debian.org/debian-maintainers debian-maintainers package].
- Alice must get a Debian Developer (ideally not Bob) to sign a message requesting the replacement of key X with key Y on behalf of Alice. That statement should contain the key fingerprints of both keys X and Y and must be posted as a follow up to the bug report filed by Alice.
- If the reason for replacement is 'key X is compromised or no longer valid' then the request for replacement must be accompanied by a revocation certificate for key X.
- If the reason for the replacement is 'key X was lost' then a revocation certificate should be provided if possible.
- If the reason is 'I wanted a new key' then the new key must be strictly more secure than the old key and 'reasonably' connected where 'reasonably' is left up to the debian-maintainers keyring administrator and varies depending on the circumstances of the Debian Maintainer in question.
- Anything else is at the debian-maintainers keyring administrator's discretion and, in general, arbitrary key replacements without good cause will be rejected.
http://www.debian.org/vote/2007/vote_003 - GR and details of procedure
http://packages.debian.org/debian-maintainers - keyring package
http://git.debian.org/?p=d-m/debian-maintainers.git;a=summary - git repo summary
http://bugs.debian.org/debian-maintainers - pending keyring change requests
http://lists.debian.org/debian-newmaint - list which typically has the proclamation and advocacy mails posted to it
http://lists.debian.org/debian-project - list which has the DM announcements
http://keyring.debian.org/replacing_keys.html - rules for key replacement in the debian-developers keyring
http://ftp-master.debian.org/dm-uploaders.html - core raw information about DM
#debian-maintainer at irc.debian.org
see DebianWiki/LicencingTerms for info about wiki content copyright.