Hi,

So, even small teams more closely related to bureaucracy and
bookkeeping such as ours also deserve to send out some “bits from…”
mails from time to time. And being past midnight, I hope I can keep
this concise and short. For people that were present at my lightning
talk at DebConf, expect no new material in this mail… We just needed
to send it out.
1. PGP (v3) keys are gone!
The first point is that, with a lot of patience and chasing, and after
over a year of having stated the intention, we can finally say that
older, vulnerable v3 keys are gone from the Debian Developer keyring,
yay! Thanks in no small measure to Jonathan’s endless bugging and
chasing, all keys in Debian today are v4 1024D or higher, and that is
a Very Good Thing. And yes, it leads us to the next point…
2. We want stronger keys
1024D (SHA1) keys are OK-ish for now. No attacks are known on them,
and they are not compromising the archive in any way (if they were, of
course, we would immediately disable them and _then_ look for
solutions, while surely becoming overnight the most hated team in
Debian). Still, to be on the safe side (and to avoid the long and
painful declining curve we had with v3 keys), we are now clearly
pushing Debian towards adopting stronger RSA keys – We have accepted
some 2048R keys, but if you don’t have a real reason to keep your key
at that size (i.e. you very often build on underpowered machines where
a 4096R key takes forever, or something like that), we really prefer
to go with 4096R keys.
To create your 4096R key, you are advised to follow Ana Guerrero’s
excellent tutorial .
The policies for a key upgrade go as follows (and are explained at
greater length at ):
- Your new key should be signed by your old key
- Your new key should be signed by two or more other Debian Developers
- Mail the key replacement request to firstname.lastname@example.org,
mentioning ‘Debian RT’ somewhere in the mail subject
- The request should be _inline_ signed by your old key. If you send a
MIME-encoded signed message, RT will mangle it and it won’t
validate. Please, inline-sign the message.
- Although we clearly want to transition to a stronger keyring, that
does not mean we want to loosen the Web of Trust. That means that if
you have a gazillion signatures in your 1024D key, you should not
rush to update it with a barely-signed 4096R one. Get it signed by
as many people as possible. If you are already socially active in
Debian, that should pose no problem. Otherwise… Well, if you are
isolated and far from anybody else, we might do it. But remember,
there is no _pressing_ need to do so.
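The checklist above can be rehearsed end to end in a throwaway keyring before sending anything to RT. The script below is an added example, not part of the keyring-maint mail or of Debian's tooling. It assumes GnuPG 2.1 or newer (for `--quick-generate-key`, `--quick-sign-key` and loopback pinentry); every name and address in it is made up, and the "old" key is a 2048R key standing in for a 1024D one, since the checks concern the signatures on the new key, not the old key's size. It verifies the two signature rules (new key signed by the old key, and by at least two other developers) and produces the inline-signed (clearsigned, not PGP/MIME) request that RT can validate.

```shell
#!/bin/sh
# Added example (not from the keyring-maint mail): rehearse the key
# replacement checklist with GnuPG in a throwaway keyring.
# Assumptions: GnuPG >= 2.1; all names/addresses are constructed; the
# "old" key is rsa2048 standing in for a 1024D key.
set -eu

export GNUPGHOME
GNUPGHOME=$(mktemp -d)
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$GNUPGHOME"' EXIT

# gpg that never prompts: batch mode, empty passphrase via loopback pinentry.
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Long key id (last 16 hex digits) of a 40-digit fingerprint.
keyid() { printf '%s' "$1" | tail -c 16; }

# Fingerprint of the primary key whose user id has exactly this e-mail address.
fpr_of() {
  g --with-colons --with-fingerprint --list-keys "<$1>" |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# gen_key NAME EMAIL ALGO -> prints the new key's fingerprint.
gen_key() {
  g --quick-generate-key "$1 <$2>" "$3" sign never >/dev/null 2>&1
  fpr_of "$2"
}

# Key ids of everyone who certified key $1, excluding its own self-signatures.
signers_of() {
  self=$(keyid "$1")
  g --with-colons --list-sigs "$1" |
    awk -F: -v self="$self" '$1 == "sig" && $5 != self { print $5 }' | sort -u
}

# check_transition OLD_FPR NEW_FPR: the two signature rules from the policy.
check_transition() {
  old=$(keyid "$1")
  signers=$(signers_of "$2")
  if ! printf '%s\n' "$signers" | grep -q "^$old\$"; then
    echo "FAIL: new key is not signed by the old key"; return 1
  fi
  others=$(printf '%s\n' "$signers" | grep -v "^$old\$" | grep -c . || true)
  if [ "$others" -lt 2 ]; then
    echo "FAIL: need signatures from two or more other developers, have $others"; return 1
  fi
  echo "OK: new key signed by the old key and by $others other developers"
}

# Inline (clearsigned) request signed by the old key, written to stdout.
sign_request() {
  printf 'Please replace my key %s with %s (Debian RT)\n' "$1" "$2" | g --clearsign -u "$1"
}

run_demo() {
  old=$(gen_key "Old Key" old@example.invalid rsa2048) || return 1
  new=$(gen_key "New Key" new@example.invalid rsa4096) || return 1
  dd1=$(gen_key "Developer One" dd1@example.invalid rsa2048) || return 1
  dd2=$(gen_key "Developer Two" dd2@example.invalid rsa2048) || return 1

  g -u "$old" --quick-sign-key "$new" || return 1      # rule 1: old key signs the new key
  if check_transition "$old" "$new"; then return 1; fi # must still fail: no other developers yet
  g -u "$dd1" --quick-sign-key "$new" || return 1      # rule 2: two other developers sign it
  g -u "$dd2" --quick-sign-key "$new" || return 1
  check_transition "$old" "$new" || return 1
  sign_request "$old" "$new" | g --verify              # RT only validates a good inline signature
}

if command -v gpg >/dev/null 2>&1 && gpg --version | grep -q '^gpg (GnuPG[^)]*) [2-9]\.'; then
  run_demo && DEMO_RESULT=ok || DEMO_RESULT=failed
else
  DEMO_RESULT=skipped
fi
echo "demo: $DEMO_RESULT"
```

The first `check_transition` call is expected to fail: it shows what the maintainers see when a new key arrives carrying only the old key's signature. The final `gpg --verify` reads the clearsigned request from stdin, which is the same thing RT does with the mail body.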
3. We demand stronger keys!
But then again, we are not allowing any new 1024D keys
anymore. Anybody who is currently a DD or DM, or who has started their
application towards becoming one, will be allowed with whatever key
they currently have – but effective October 1st, no applications for
DM or DD should be processed with anything less than a 2048R.
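Sections 2 and 3 together describe a simple rule set: 4096R is what we want, 2048R is accepted, and anything weaker is tolerated for existing members but refused for new applicants. The following added example (not from the mail, not a keyring-maint tool) applies those rules to a `gpg --list-keys --with-colons` listing. The listing is constructed for the demo (key ids, dates and names are made up); only the field layout of the `pub` records is real: field 3 is the key length in bits, field 4 the public-key algorithm (1 = RSA, 17 = DSA) and field 5 the long key id.

```shell
#!/bin/sh
# Added example (not from the keyring-maint mail): audit a colon-format key
# listing against the key-size rules of sections 2 and 3.
# The listing is constructed for the demo; only the pub-record field layout
# (3 = bits, 4 = algorithm, 5 = key id) is the real --with-colons format.
set -eu

SAMPLE_LISTING='pub:u:1024:17:1111111111111111:2003-05-01:::u:::scESC:
uid:u::::2003-05-01::A1::Alice Example <alice@example.invalid>::
pub:u:2048:1:2222222222222222:2009-08-10:::u:::scESC:
uid:u::::2009-08-10::B2::Bob Example <bob@example.invalid>::
pub:u:4096:1:3333333333333333:2010-09-01:::u:::scESC:
uid:u::::2010-09-01::C3::Carol Example <carol@example.invalid>::
pub:u:1024:1:4444444444444444:2005-01-15:::u:::scESC:
uid:u::::2005-01-15::D4::Dan Example <dan@example.invalid>::'

# audit_keys STATUS  (listing on stdin)
#   STATUS is "member" for an existing DD/DM or "applicant" for a new
#   DD/DM application. Prints "keyid size verdict" for each primary key.
audit_keys() {
  awk -F: -v status="$1" '
    $1 == "pub" {
      bits = $3 + 0; algo = $4 + 0; id = $5
      suffix = (algo == 17 ? "D" : algo == 1 ? "R" : "/algo" algo)
      size = bits suffix
      if (algo == 1 && bits >= 4096)
        verdict = "ok: 4096R or larger"
      else if (algo == 1 && bits >= 2048)
        verdict = "accepted: 2048R, but 4096R is preferred"
      else if (status == "applicant")
        verdict = "reject: applications need at least a 2048R key"
      else
        verdict = "upgrade: tolerated for existing members, plan a 4096R replacement"
      print id, size, verdict
    }'
}

# count_verdict STATUS PATTERN: number of sample audit lines matching PATTERN.
count_verdict() {
  printf '%s\n' "$SAMPLE_LISTING" | audit_keys "$1" | grep -c "$2" || true
}

for status in member applicant; do
  echo "== as $status =="
  printf '%s\n' "$SAMPLE_LISTING" | audit_keys "$status"
done
```

Running the same listing as `member` and as `applicant` shows the one place the two sections differ: Alice's 1024D key and Dan's 1024R key are flagged for upgrade in the first run and rejected in the second, while Bob's 2048R and Carol's 4096R keys pass either way.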
Ok, so, I’m looking forward to processing your key update requests!
On behalf of keyring-maint,