I’m at DebConf 12 and I’ve decided to use my time to clear out some minor bits and pieces I’ve been planning for a while. One of these was to do some graphing of the Debian keyrings over time. The bzr repository goes back to March 2008, but I’ve also got copies of keyrings for releases back to slink (February 1999). I’ve been a long-time user of GD::Graph under Perl, but recently discovered SVG::TT::Graph and have been meaning to play with it. So I did.
First up, number of keys in each keyring:
Most of the interesting data is towards the right, but we can also see the point where our v4 keyring overtook v3 keys back in 2001. More recently there’s the end of our v3 support in 2010, and the steady increase of Debian Maintainers. The tiny green line is the Debian non-upload keyring.
Next I looked at key size (limiting myself to the DDv4 keyring to make things simpler):
Here we can see the steady increase of 4096 bit keys since 2009, and to a lesser extent 2048 bit keys. There are a few other sizes - 1 10k key, 1 8k key and 2 3k keys (I suspect these are tied to OpenPGPv2 cards). We’re up to 28% of the keyring being stronger keys, but there’s still a long way to go. (Interestingly the Debian Maintainer keyring is much better with 65% of keys being 2k or larger. The non-upload keyring is all 2k or greater.)
Finally I graphed key type, again limiting myself to the DDv4 keyring:
No real surprises here; DSA is far and away the most common, with RSA usage increasing as part of the move to larger key sizes. In the past we had a few Elgamal signing keys, but these were shown to be compromised and thus disappeared entirely.
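
The key size and key type tallies behind the last two graphs can be reproduced from a keyring listing. The following is an added example, not the script used for this post (which is not shown here): it assumes the keyring has been listed with `gpg --with-colons --list-keys`, and the sample listing, key IDs and function names are constructed for illustration.

```python
from collections import Counter

# OpenPGP public-key algorithm IDs from RFC 4880 section 9.1.
ALGO_NAMES = {1: "RSA", 2: "RSA", 3: "RSA", 16: "Elgamal", 17: "DSA", 20: "Elgamal"}

# Constructed sample in the layout printed by `gpg --with-colons --list-keys`:
# record type : validity : key length : algorithm ID : key ID : created : ...
SAMPLE_LISTING = """\
tru::1:1341100800:0:3:1:5
pub:-:1024:17:1111111111111111:988675200:::-:Constructed Key A <a@example.org>:
sub:-:2048:16:1111111111111112:988675200::::::e:
pub:-:1024:17:2222222222222222:1041379200:::-:Constructed Key B <b@example.org>:
pub:-:4096:1:3333333333333333:1251763200:::-:Constructed Key C <c@example.org>:
pub:-:2048:1:4444444444444444:1275350400:::-:Constructed Key D <d@example.org>:
pub:-:1024:17:5555555555555555:1072915200:::-:Constructed Key E <e@example.org>:
pub:-::17:truncated
"""


def tally_primary_keys(listing):
    """Count primary keys by bit length and by algorithm name."""
    sizes, algos = Counter(), Counter()
    for line in listing.splitlines():
        fields = line.split(":")
        # Only primary keys ("pub") count; subkeys and trust records are skipped.
        if len(fields) < 5 or fields[0] != "pub":
            continue
        try:
            bits, algo_id = int(fields[2]), int(fields[3])
        except ValueError:
            continue  # malformed record: missing or non-numeric length/algorithm
        sizes[bits] += 1
        algos[ALGO_NAMES.get(algo_id, f"other({algo_id})")] += 1
    return sizes, algos


def strong_share(sizes, minimum_bits=2048):
    """Fraction of keys whose length is at least minimum_bits."""
    total = sum(sizes.values())
    strong = sum(n for bits, n in sizes.items() if bits >= minimum_bits)
    return strong / total if total else 0.0


if __name__ == "__main__":
    sizes, algos = tally_primary_keys(SAMPLE_LISTING)
    print(dict(sizes), dict(algos), f"{strong_share(sizes):.0%} at 2048 bits or more")
```

Running the same functions over one listing per keyring snapshot gives the data points for a size or type graph over time.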
What do these graphs show me? At least the following:
- Debian has a steady rate of growth, for both DDs and DMs. As Zack mentioned in his keynote yesterday, it would be nice to see more non-packaging contributors.
- We’ve made a noticeable effort towards transitioning to stronger keys, but there are still a lot of people who need to make the switch.
- Our rate of growth has slowed over the years (not really surprising).
(You should be able to click on the graphs for a larger version.)