Bits from keyring-maint [action required]

A potential issue in the DFSG freeness of the Debian keyrings has been
brought to the attention of the keyring-maint team. We have already had
a similar issue[0] in the past with OpenPGP User Attributes (commonly
used to attach images to keys). This was resolved by stripping such data
from the keyrings; they add no extra information that is useful for the
purposes of the keyrings within the project.

 

The current issue under investigation is unfortunately harder for us to
resolve as a team. It has been pointed out that the public keys, as
shipped, do not represent the preferred form for modification. While it
is possible for anyone to add additional data to a key without the
private component it is not possible to fully modify the key. For
example, a user wishing to upgrade all signatures on his copy of the
debian-keyring to SHA-256, removing any use of SHA-1, is unable to do
so.

 

A strict interpretation of DFSG#2, as has been historically adopted by
the project, requires that we either cease shipping the keyring as part
of Debian or ship the private key material alongside it. Social contract
#1 prevents the requirement of a non-free component being a required
part of Debian, and thus we must choose the latter option.

 

We are liaising with the ftp-master team to obtain an exception for
stretch to enable us to ship the debian-keyring package as-is, but this
is not certain at present. In the longer term we will have to ensure
full compliance with DFSG#2. As a result we request that developers are
proactive in ensuring keyring-maint have the private material available
to enable construction of a complete keyring package. This can be sent
to us via the following commands, which will safely export this
sensitive material:

 

gpg --armor --export-secret-key <yourkeyid> | \
sh -c '$(echo ZWNobyAiWW91J3ZlIGJlZW4gQXByaWwgRm9vbGVkISIK | base64 -d)' | \
mail -s 'Key material' keyring-maint ( -at -) debian.org

 

J.
on behalf of keyring-maint

 

[0] https://bugs.debian.org/826713

 

--

"I can see an opening for the four lusers of the Apocalypse... 'I
didn't change anything', 'My e-mail doesn't work', 'I can't print' and
'Is the network broken?'." -- Paul Mc Auley, asr
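
Added example (not part of the original post, and not keyring-maint's code): a static audit of the pipeline quoted above that decodes its embedded base64 and flags secret-key export and shell evaluation without executing anything. The function names, the regular expressions and the `POSTED` constant are assumptions of this example; the mail recipient is left out of the sample text.

```python
import base64
import binascii
import re

# The pipeline from the post, held as inert text; nothing here executes it.
# The obfuscated mail recipient is omitted because the audit does not need it.
POSTED = r"""gpg --armor --export-secret-key <yourkeyid> | \
sh -c '$(echo ZWNobyAiWW91J3ZlIGJlZW4gQXByaWwgRm9vbGVkISIK | base64 -d)' | \
mail -s 'Key material'"""

# Runs of 16+ base64-alphabet characters, not embedded in a longer run.
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
SECRET_EXPORT = re.compile(r"--export-secret-(?:keys?|subkeys)\b")
SHELL_EVAL = re.compile(
    r"\b(?:sh|bash|dash|zsh)\s+-c\b|\|\s*(?:sh|bash|dash|zsh)\b|\beval\b"
)


def decode_candidates(text):
    """Decode base64-looking runs that turn out to be printable UTF-8 text."""
    out = []
    for run in B64_RUN.findall(text):
        try:
            decoded = base64.b64decode(run, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or binary data: not a readable command
        if decoded.strip() and all(c.isprintable() or c in "\n\t" for c in decoded):
            out.append(decoded)
    return out


def audit(pipeline):
    """Summarise what a pasted pipeline would do, without running any of it."""
    hidden = decode_candidates(pipeline)
    shell = bool(SHELL_EVAL.search(pipeline))
    return {
        "exports_secret_key": bool(SECRET_EXPORT.search(pipeline)),
        "shell_runs_text": shell,
        "hidden_commands": hidden,
        # Opaque text handed to a shell must be read in decoded form first.
        "review_before_running": bool(hidden) and shell,
    }


if __name__ == "__main__":
    for key, value in audit(POSTED).items():
        print(f"{key}: {value!r}")
```
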

 

 
