This should probably be an official FAQ, but a) I wanted to rant a bit more than is probably acceptable for something “official” and b) the sort of person this information is directed at never bloody reads keyring.debian.org, which is the logical place for it.

Who are keyring-maint?

Currently Gunnar Wolf (good cop) and Jonathan McDowell (bad cop). Previous keyring maintainers include Igor Grobman & James Troup.

I’d like to be a DM/DD. Do I send you my key?

No. You go through the DebianMaintainer or NM processes. Then the DM team or DAM tell us to add your key to the appropriate keyring.

I’d like to replace my DM/DD key in the Debian keyring. What should I do?

Read the instructions at http://keyring.debian.org/replacing_keys.html

I have a new key that isn’t signed by anyone else, will you accept it?

No. Did you read http://keyring.debian.org/replacing_keys.html ?

I’ve got a single DD signature on my new key. That’s enough, right?

Not unless your old key has been lost and you’re getting a different DD to request the replacement for you (and if they’re prepared to ask for a key replacement we’ll wonder why they’re not prepared to sign the new key too).

Did you read http://keyring.debian.org/replacing_keys.html ?

I’m still really confused about how I should request a key replacement. Help?

Try reading https://rt.debian.org/Ticket/Display.html?id=3141 (which just happens to be a recent decent example). Clear subject line (I’d have added a real name too, but it’s still fairly clear), full fingerprint of the old and new keys, inline signed so RT doesn’t mangle it. New key signed by old key and 3 other DDs. Request signed by old key.

That RT link needs a login. I don’t have one.

Have you tried reading up on the Debian RT system? There’s a generic read only login that’ll get you access.

That’s too hard. Can’t you just give me the details?

Damnit. It appears the read-only login details are currently disabled due to misuse (one wonders how). Try reading http://wiki.debian.org/rt.debian.org

Why are you using RT? Isn’t bugs.debian.org more appropriate?

We need the ability to for people to contact us is in a private fashion, for example if they need to us to remove a key because it’s been lost or compromised. We could only use RT for that purpose and use bugs.d.o for things that can be public, but this way all the information is in one place and we get to make the call about when it becomes a publicly viewable ticket.

What’s with jetring? Should I send you a jetring changeset?

jetring is a tool written by Joey Hess that used to be used to manage the Debian Maintainers keyring. keyring-maint borrowed a number of good ideas from jetring but don’t use it at all. We ignore jetring changesets.

So you just want key fingerprints, not attached keys?

Yes. Of course you have to make sure your key is actually on a public keyserver so we can get it. the.earth.li is a good choice (because Jonathan runs it and thus pays more attention to it), but subkeys.pgp.net or pool.sks-keyservers.net are also commonly used.

My key has expired and I want to update the key expiry date. I should email RT asking for this to be done, right?

No, you should send the updated key via HKP to keyring.debian.org. You can do this with

“gpg –keyserver keyring.debian.org –send-key "

Obviously replace with your own key ID.

I tried to send an entirely new key via HKP to keyring.debian.org, but I can’t see it there. What gives?

keyring.debian.org only accepts updates to keys it already knows about. That means you can send updated expiry dates, new uids and new signatures to your existing key, but not an entirely new key.

I sent my updated key via HKP to keyring.debian.org and can see it’s updated there, but the Debian archive processing tools (eg dak) don’t seem to recognize the update. Why not?

The updates sent via HKP are folded back into the HKP server automatically every 15 minutes or so. They are folded into the live Debian keyrings on a manual basis, at least once a month.

This means if your key has an expiry date then you probably want to update your key at least a month before it expires.

Where can I find these live Debian keyrings?

They’re what’s available via rsync from keyring.debian.org::keyrings/keyrings/

This is canonical location for the current Debian Developers and Debian Maintainers keyrings.

What about the debian-keyring package?

This is a convenience package of the keyrings. It’s usually the most out of date. We update it sporadically and try to ensure that the version shipped with a stable Debian release is current at the point of release. It is not used by any of the official Debian infrastructure.

Why don’t you automatically update my key in the live keyring when I send an update via HKP?

We think that automatic updates of keys that allow uploads to Debian are a bad thing and that invoking a human eye at some step of the process is a useful sanity check.

Paranoid much?

Never enough.

How are updates to the keyring tracked?

We use bzr to maintain the keyring, with a separate file per key that can then be easily combined into the various keyrings. You can see the repository at:

http://bzr.debian.org/scm/loggerhead/keyring/debian-keyring/changes

Note that this is only updated when a keyring is pushed to live; the working tree may contain details of compromised keys and thus isn’t public.

What’s with the whole replacement of 1024 bit keys?

2 things. Firstly 1024 bit keys tend to use SHA1 as a hash algorithm, which has been shown to be weaker than expected. While we’re not aware of active exploits against this updating all of the keys Debian uses is not a trivial process and it’s wiser to get it done /before/ there’s a known issue. Secondly computing power has moved on and we feel that upgrading to larger key sizes is prudent.

Elliptic curve cryptography (ECC) keys look like the future. Can I use one for Debian?

No, not at present. When there are tools that are part of a Debian stable release that support them we’ll look into it, after discussion with the major users of the keyring (DSA, ftpmaster, the secretary).

I’m sad to report that I won’t be attending DebConf11. I’d have loved to go, but unfortunately I couldn’t get the time off work due to various schedule conflicts. I’ll have to find another excuse to make it to Bosnia at some point.

I don’t normally mention the PGP keyserver I’ve been working on for the past 9 years, but there are a few keyserver related comments I’ve been meaning to make that prompt me to do so this time.

onak is the keyserver powering the.earth.li (AKA wwwkeys.uk.pgp.net). Back in February I finally enabled hkps (HKP over SSL) access to it as I promised dkg I would do back at DebConf10. I also turned on IPv6.

Most of the active keyservers out there are running SKS. I think there might be a few OpenPKSD instances as well. If you’re running SKS please ensure that you have at least one address in your mailsync file, so that you send key updates to the non SKS keyservers out there - it seems that SKS requires the receiving keyserver to send out updates via email, rather than each server sending out any updates it processes to its mailsync peers. Feel free to add pgp-public-keys at earth.li - no need to contact me to do so (but you can drop me a line if you want me to send you mail updates back).

Also in the past there was a pgp-keyserver-folk mailing list, originally on flame.org, then on alt.org. Both of these have been dead for a while. I created a local pgp-keyserver-folk some time ago, but never publicised it. I believe the SKS lists are fairly active, but limited to that community, so it would be nice to have somewhere that was keyserver agnostic that admins could talk to each other.

Anyway. onak 0.4.0. Largely fixes to keyd, which is a backend daemon that handles talking to the key database. This is particularly useful for large/busy keyservers. Also a couple of fixes that make the db4 backend a lot more reliable (especially with queries that return lots of results). And various other minor cleanups. If you’re one of the 3 people running it you probably want to upgrade; updated packages have already been uploaded to Debian unstable.

(This is part of a series of posts on Why Linux?)

This is probably a non-obvious reason to run Linux to most people. One of the complaints I’ve heard in the past is the lack of support for Linux. It’s not really relevant to running it on a work desktop (where support is presumably from some central IT organisation), but I believe it’s a red herring. Support in the Free software world can exceed that in the proprietary by an impressive margin. And that can turn out to be useful at work, even if you do suppose the existence of central IT.

The support I’ve received for Linux and applications under it has been, on numerous occasions, excellent in a way I feel I could never expect from the commercial software world. And when it isn’t, I have the choice of whomever I want to try and fix my problems, rather than being stuck with no options.

I have found that if I am polite, and provide useful information, and patient, I can talk directly to the developers who make the software I use. If I have a patch they will often take it from me, or use it as a basis for the final fix. If they are no longer available, or too busy, then because I have the source I can find someone else to look at the problem, or do so myself.

The chances of most large proprietary software companies giving me the time of day is low. I don’t understand why small businesses think that Windows is a safer choice due to being able to get support from Microsoft.

Again using experience gained at Black Cat, at one point we had a problem with IPv6 routes being updated. Signs pointed to Quagga, Simon collected relevant information and got in contact with the Quagga devs. They investigated, realised it wasn’t a problem with their code, and then proceeded to find the issue in the Linux kernel, produce the fix and pass it upstream. Within hours of us reporting the problem. I’ll accept that’s an exceptional response that can be matched within the proprietary software world, but not without a hefty support contract and I doubt you would have got a response other than “Not our fault, talk to the other supplier”, or maybe a workaround at best.

More recently, I had a conversation about Linux and discard support, with one of the people who’d worked on it. Very interesting from my PoV, useful to my work (I ended up fixing something in our code base that led to the Linux support Just Working with our product) and I believe was useful to that developer too, in terms of providing some insight to the other side of the problem. I don’t get that kind of access to proprietary software developers - while it could be argued that I know a lot of Free software people, I also know a lot of other programmers and they’re just not able to be so open about things, so both sides lose out.

Or my new laptop’s ethernet wasn’t supported by the kernel in squeeze. I filed a bug requesting the driver be added (and pointing to the patch). The week I wrote the first draft of this article I saw confirmation that this had been done, and will be part of the final squeeze release. I think that’s pretty impressive. (Thanks, Ben.)

It’s my birthday, so a week ago I bought myself a present:

The office is 4.5 miles from the BART station, so up until now I’ve been taking a bus. Unfortunately the timings aren’t that frequent (every 45-60 minutes). Plus I haven’t been doing any exercise since I moved out here. Now it seems to be getting drier I figured it was time to sort out a bike. I wanted something flexible, and have heard nothing but good things from the Brompton owners I know, so that’s what I ended up with. I’m very happy with it; despite my lack of recent exercise it’s pretty easy to ride. I’ve actually found it doesn’t take any longer than taking the bus, and is sometimes quicker, because I avoid having all of the waiting around for it.

I bought it from Warm Planet Bikes, who were incredibly helpful. They had a selection in store that they let me try (and quite a few other models of folding bikes too) and when I made my decision it turned out they could do the customizations I wanted in shop. So rather than me having to order it and wait a month I was able to cycle away that same evening! Full marks to Matt for staying late to sort me out (plus he’s a Brompton owner too).