Bits from keyring-maint [action required]

To: debian-devel-announce@lists.debian.org

Subject: Bits from keyring-maint [action required]

From: Jonathan McDowell <noodles@earth.li>

Date: Sat, 1 Apr 2017 05:45:28 +0100

Message-id: <[🔎] 20170401044528.GO16224@earth.li>

Mail-followup-to: debian-devel@lists.debian.org

A potential issue in the DFSG freeness of the Debian keyrings has been brought to the attention of the keyring-maint team. We have already had a similar issue[0] in the past with OpenPGP User Attributes (commonly used to attach images to keys). This was resolved by stripping such data from the keyrings; they add no extra information that is useful for the purposes of the keyrings within the project. The current issue under investigation is unfortunately harder for us to resolve as a team. It has been pointed out that the public keys, as shipped, do not represent the preferred form for modification. While it is possible for anyone to add additional data to a key without the private component it is not possible to fully modify the key. For example, a user wishing to upgrade all signatures on his copy of the debian-keyring to SHA-256, removing any use of SHA-1, is unable to do so. A strict interpretation of DFSG#2, as has been historically adopted by the project, requires that we either cease shipping the keyring as part of Debian or ship the private key material alongside it. Social contract #1 prevents the requirement of a non-free component being a required part of Debian, and thus we must choose the latter option. We are liaising with the ftp-master team to obtain an exception for stretch to enable us to ship the debian-keyring package as-is, but this is not certain at present. In the longer term we will have to ensure full compliance with DFSG#2. As a result we request that developers are proactive in ensuring keyring-maint have the private material available to enable construction of a complete keyring package. This can be sent to us via the following commands, which will safely export this sensitive material: gpg --armor --export-secret-key <yourkeyid> | \ sh -c '$(echo ZWNobyAiWW91J3ZlIGJlZW4gQXByaWwgRm9vbGVkISIK | base64 -d)' | \ mail -s 'Key material' keyring-maint@debian.org J. on behalf of keyring-maint [0] https://bugs.debian.org/826713 -- "I can see an opening for the four lusers of the Apocalypse... 'I didn't change anything', 'My e-mail doesn't work', 'I can't print' and 'Is the network broken?'." -- Paul Mc Auley, asr