README for debian-keyring package.

Originally written by Lars Wirzenius, liw@iki.fi, it was then updated
by Igor Grobman <igor@debian.org>. It is now maintained by James Troup
<james@nocrew.org>.

Introduction

	The Debian project wants developers to digitally sign the
	announcements of their packages with PGP, to protect against
	forgeries.  I maintain a PGP keyring with keys of Debian
	developers.  This is the README for that keyring.

Getting the Debian keyrings

	The current version of the Debian keyrings is always
	available on your nearest Debian mirror in
	debian/doc/debian-keyring.tar.gz

	That file contains the PGP and GnuPG keyrings, a PGP signed
	copy of the keyring md5sums and this README.  The keyring
	md5sums will be signed by James Troup.
	
	The keyrings are also available as a Debian package
	`debian-keyring' which can be found in the contrib section of
	the ftp site.

Generate a key pair

	PGP is used for security, and security can be a bit tricky.
	Please read the PGP manual (in /usr/doc/pgp on Debian) before
	generating a key pair. The actual generation is
	trivial. Please use at least 1024 bits.
	
	(It's a key pair, because PGP uses public key cryptography.
	One of the keys is private, one is public. This is all
	explained in the manuals.)
	
	If your copy of PGP doesn't automatically sign your own key,
	please do it yourself (pgp -ks). This prevents others from
	tampering with the username in the key.
	
	If you already have a PGP key pair, it's OK to use it, but
	it's also OK to generate a new key pair specifically for
	Debian.

Copy your public key to a text file

	When you have a key pair, copy the public key from your
	personal key ring into a file called foo.asc with the
	following command:
	
		pgp -kxa 'your name' foo.asc
	
	where 'your name' is the username you gave to PGP when
	generating your key.
	
	foo.asc is a text file; you can view it with any editor.  Do
	NOT modify it, or it will break.
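	The reason a hand-edited foo.asc breaks is that the ASCII armor
	written by pgp -kxa carries a CRC-24 trailer over the base64
	body, so any change to the text is detected when the key is
	read back in. The following is an added example, not code from
	the debian-keyring package: it builds an armored block from
	constructed stand-in bytes and checks the trailer the way an
	OpenPGP implementation would (CRC-24 parameters as in RFC 2440).

```python
import base64
import re

# Added example, not part of the debian-keyring README. The key material is
# constructed dummy bytes, not a real public key.
CRC24_INIT = 0xB704CE   # OpenPGP armor CRC-24 initial value
CRC24_POLY = 0x1864CFB  # OpenPGP armor CRC-24 generator polynomial

SAMPLE_KEY_BYTES = bytes(range(40))  # constructed stand-in for key packets


def crc24(data: bytes) -> int:
    """CRC-24 over the raw (de-base64'd) packet bytes of an armored block."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, block_type: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Wrap packet bytes in an armored block, 64 chars per line, CRC trailer."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {block_type}-----", "Version: example", ""]
                     + lines + ["=" + crc, f"-----END {block_type}-----", ""])


def dearmor(text: str) -> bytes:
    """Parse an armored block; raise ValueError if the CRC-24 does not match."""
    m = re.search(r"-----BEGIN ([^-]+)-----\n(?:[^\n]*: [^\n]*\n)*\n"
                  r"([A-Za-z0-9+/=\n]+?)\n=([A-Za-z0-9+/]{4})\n-----END \1-----",
                  text)
    if m is None:
        raise ValueError("not a well-formed armored block")
    payload = base64.b64decode(m.group(2).replace("\n", ""), validate=True)
    expected = int.from_bytes(base64.b64decode(m.group(3)), "big")
    if crc24(payload) != expected:
        raise ValueError("CRC-24 mismatch: the block was modified or truncated")
    return payload


def is_intact(text: str) -> bool:
    """True if the armored text parses and its CRC-24 trailer checks out."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False
```

	Flipping a single character of the base64 body makes is_intact
	return False, which is exactly what "it will break" means for
	an edited foo.asc.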
	
Upload your key to PGP key servers

	Upload the foo.asc file to the PGP key servers, to make
	it easy for anyone to get your public key. The URL is:
	
		http://www.pgp.net/pgpnet/
	
	There are many PGP key servers, but they're linked to each
	other, and it should be enough to upload your key to just one
	server.

Exchange key signatures with other people

	If possible, meet other Debian developers in person and sign
	each other's keys. Geographical and economic challenges
	often make this impossible, but if you can do it, please
	do. Signing a key means verifying that the key and the username
	belong together. The signatures allow other people to
	trust the key. (This is the "web of trust" that the PGP
	manual explains.)
	
	Also exchange key signatures with many other PGP users.  It
	all helps to expand and strengthen the PGP web of trust.
	
	When your key is signed, the signatures are added to the
	key. You need to upload your key again to the key servers to
	make those signatures available for other people.

Getting your key into debian-keyring.pgp

	If you are an old Debian developer who hasn't uploaded your
	packages for a long time, and your key is not in the keyring,
	send a mail to keyring-maint@debian.org explaining the
	situation, and including your public PGP key.

	All new maintainers should apply to new-maintainer@debian.org,
	and your key will be added to the keyring as part of the
	admission process.

Updating your key

	If your key has been updated, you should send your updated key
	to keyring-maint@debian.org.
