• Separate GPG subkey for package signing

    From Dániel Fancsali@21:1/5 to All on Fri Jun 24 18:50:01 2022
    Good afternoon,

    I am not sure this is the right forum and the right question at all, but
    I'll assume it is, and take my chances - if it turns out to be a wrong
    assumption, I do apologise in advance. ;)

    I bumped into a piece of software I needed on my server(s) and I figured
    I'd rather package it up instead of compiling it in place to avoid having
    a compiler installed. Coincidentally it's been on the ITP/RFP list for ages,
    so I figured if I jump through all the hoops and learn how to create .deb
    packages, I might as well be a nice person and get it all the way into
    Debian.

    The package builds fine locally using pbuilder for several architectures. I
    do believe all the other niceties are included (man page, etc.). I am at
    the stage where it says: "sign and upload the package to mentors.debian.org".

    I thought I'll create a separate subkey for signing the package (and keep
    my master key off-line, and the other keys separate from this
    debian-signing-subkey). Would that be considered good practice? Or is there
    something I can't see here?

    Regards,
    Daniel


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Pierre-Elliott Bécue@21:1/5 to [email protected] on Fri Jun 24 22:00:01 2022
    Dániel Fancsali <[email protected]> wrote on 24/06/2022 at 18:40:03+0200:

    > Good afternoon,
    >
    > I am not sure this is the right forum and the right question at all,
    > but I'll assume it is, and take my chances - if it turns out to be a
    > wrong assumption, I do apologise in advance. ;)
    >
    > I bumped into a piece of software I needed on my server(s) and I
    > figured I'd rather package it up instead of compiling it in place to
    > avoid having a compiler installed. Coincidentally it's been on the
    > ITP/RFP list for ages, so I figured if I jump through all the hoops
    > and learn how to create .deb packages, I might as well be a nice
    > person and get it all the way into Debian.
    >
    > The package builds fine locally using pbuilder for several
    > architectures. I do believe all the other niceties are included (man
    > page, etc.). I am at the stage where it says: "sign and upload the
    > package to mentors.debian.org".
    >
    > I thought I'll create a separate subkey for signing the package (and
    > keep my master key off-line, and the other keys separate from this
    > debian-signing-subkey). Would that be considered good practice? Or is
    > there something I can't see here?

    It'd be perfectly fine to do so. Just make sure this new subkey gets
    known to mentors.d.o.

    The procedure to export one subkey is tedious, if you need help, just
    poke.

    --
    PEB


  • From Christian Kastner@21:1/5 to All on Fri Jun 24 22:50:01 2022
    On 2022-06-24 18:40, Dániel Fancsali wrote:
    > I thought I'll create a separate subkey for signing the package (and
    > keep my master key off-line, and the other keys separate from this
    > debian-signing-subkey). Would that be considered good practice? Or is
    > there something I can't see here?

    This is done quite commonly, actually. [1] and [2] have more info.

    Best,
    Christian

    [1] https://wiki.debian.org/GnuPG/AirgappedMasterKey

    [2] https://wiki.debian.org/Subkeys

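    The layout Pierre-Elliott and Christian endorse (certifying primary key kept off-line, a separate subkey that does the signing) can be verified from the machine-readable output of `gpg -K --with-colons`, where a primary key whose secret part is only a stub shows `#` in the token field (the same thing `gpg -K` renders as `sec#`). The audit below is an added example for this thread, not code from the thread, from GnuPG or from Debian's tooling. The listing it parses is constructed, with made-up key ids, fingerprints and a made-up user id; the field positions follow GnuPG's doc/DETAILS description of colon listings, and the function and record names (`SecretKey`, `parse_secret_listing`, `audit_signing_layout`) are this example's own. The trailing `!` in the suggested `debsign -k` argument is GnuPG's syntax for forcing one specific subkey.

    ```python
    """Audit a GnuPG secret-key listing for the layout discussed in the thread:
    primary (certifying) key off-line, a separate subkey that can sign.

    Input is the output of `gpg -K --with-colons`.  The listing embedded here is
    constructed for this example; its key ids and fingerprints belong to nobody.
    """

    from dataclasses import dataclass
    from typing import List, Optional

    # Constructed sample listing in the shape `gpg -K --with-colons` prints.
    # For sec/ssb records: field 5 = key id, field 6 = creation time,
    # field 7 = expiry time, field 12 = capabilities (lowercase = this key's own,
    # uppercase on the primary = usable capabilities of the whole certificate),
    # field 15 = '#' when only a stub of the secret key is present (off-line)
    # and '+' when the secret material is present.  fpr field 10 = fingerprint.
    SAMPLE_LISTING = """\
    sec:u:4096:1:0123456789ABCDEF:1655000000:::u:::cESC:::#:::23::0:
    fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF:
    uid:u::::1655000000::0000000000000000000000000000000000000000::Example Packager <packager@example.invalid>::::::::::0:
    ssb:u:4096:1:FEDCBA9876543210:1655000000::::::e:::+:::23:
    fpr:::::::::EEEEEEEEEEEEEEEEEEEEEEEEFEDCBA9876543210:
    ssb:u:4096:1:1122334455667788:1656000000:1971000000:::::s:::+:::23:
    fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDD1122334455667788:
    """

    # The same certificate before the primary secret key was moved off-line.
    SAMPLE_LISTING_PRIMARY_ONLINE = SAMPLE_LISTING.replace(":::#:::23::0:", ":::+:::23::0:")


    @dataclass
    class SecretKey:
        kind: str              # "sec" = primary key, "ssb" = subkey
        keyid: str
        caps: str              # own capabilities: c=certify s=sign e=encrypt a=auth
        created: int
        expires: Optional[int]
        secret_present: bool   # False when gpg holds only a stub (the '#' marker)
        fingerprint: str = ""


    def parse_secret_listing(text: str) -> List[SecretKey]:
        """Turn `gpg -K --with-colons` output into SecretKey records.

        Only sec, ssb and fpr records matter here; uid, grp and others are skipped.
        """
        keys: List[SecretKey] = []
        for line in text.splitlines():
            f = line.split(":")
            if f[0] in ("sec", "ssb"):
                keys.append(SecretKey(
                    kind=f[0],
                    keyid=f[4],
                    caps="".join(c for c in f[11] if c.islower()),
                    created=int(f[5]),
                    expires=int(f[6]) if f[6] else None,
                    secret_present=f[14] != "#",
                ))
            elif f[0] == "fpr" and keys:
                keys[-1].fingerprint = f[9]   # an fpr record follows its key
        return keys


    def audit_signing_layout(keys: List[SecretKey], now: int) -> dict:
        """Report whether the keyring matches the off-line-primary / signing-subkey layout.

        `now` is a Unix timestamp so the expiry check is reproducible.
        """
        primaries = [k for k in keys if k.kind == "sec"]
        if len(primaries) != 1:
            raise ValueError("expected exactly one primary key in the listing")
        primary = primaries[0]
        usable = [
            k for k in keys
            if k.kind == "ssb" and "s" in k.caps and k.secret_present
            and (k.expires is None or k.expires > now)
        ]
        return {
            # True when `gpg -K` would show `sec#`: the certifying key lives elsewhere.
            "primary_offline": not primary.secret_present,
            "usable_signing_subkeys": [k.keyid for k in usable],
            # A trailing '!' makes gpg (and so `debsign -k`) use exactly that subkey.
            "debsign_key_args": [k.keyid + "!" for k in usable],
            # Exporting the public key by the primary or the subkey id yields the
            # same certificate, with the subkeys' public parts bound to it.
            "certificate_fingerprint": primary.fingerprint,
        }


    if __name__ == "__main__":
        import time
        report = audit_signing_layout(parse_secret_listing(SAMPLE_LISTING), int(time.time()))
        for name, value in report.items():
            print(f"{name}: {value}")
    ```

    To check a real keyring, pass the text of `gpg -K --with-colons` to `parse_secret_listing` instead of the constructed constant; a report with `primary_offline` false, or with an empty `usable_signing_subkeys` list (no subkey with the `s` capability, or one that has expired), means the keyring is not yet in the layout the thread describes.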
  • From Dániel Fancsali@21:1/5 to Christian Kastner on Mon Jun 27 12:50:01 2022
    Good morning,

    Thanks for your replies, gents.

    Makes sense.

    One last thing I am not sure of: do I upload my master key's public part
    or the signing key's one to my mentors account?

    Regards,
    Daniel

    On Fri, 24 Jun 2022 at 20:42, Christian Kastner <[email protected]> wrote:

    > On 2022-06-24 18:40, Dániel Fancsali wrote:
    > > I thought I'll create a separate subkey for signing the package (and
    > > keep my master key off-line, and the other keys separate from this
    > > debian-signing-subkey). Would that be considered good practice? Or is
    > > there something I can't see here?
    >
    > This is done quite commonly, actually. [1] and [2] have more info.
    >
    > Best,
    > Christian
    >
    > [1] https://wiki.debian.org/GnuPG/AirgappedMasterKey
    >
    > [2] https://wiki.debian.org/Subkeys




  • From Santiago Ruano Rinc@21:1/5 to All on Mon Jun 27 14:10:01 2022
    Hi,

    On 27/06/22 at 10:40, Dániel Fancsali wrote:
    > Good morning,
    >
    > Thanks for your replies, gents.
    >
    > Makes sense.
    >
    > One last thing I am not sure of: do I upload my master key's public part
    > or the signing key's one to my mentors account?

    From https://mentors.debian.net/intro-maintainers/:

    " How to upload packages to mentors.debian.net

    You need to use dput to upload packages. We accept your uploads through
    HTTPS or FTP. All packages must be signed (using debsign) with the GnuPG
    key you configured in your control panel. "

    Cheers,

    -- S


    > Regards,
    > Daniel
    >
    > On Fri, 24 Jun 2022 at 20:42, Christian Kastner <[email protected]> wrote:
    >
    > > On 2022-06-24 18:40, Dániel Fancsali wrote:
    > > > I thought I'll create a separate subkey for signing the package (and
    > > > keep my master key off-line, and the other keys separate from this
    > > > debian-signing-subkey). Would that be considered good practice? Or is
    > > > there something I can't see here?
    > >
    > > This is done quite commonly, actually. [1] and [2] have more info.
    > >
    > > Best,
    > > Christian
    > >
    > > [1] https://wiki.debian.org/GnuPG/AirgappedMasterKey
    > >
    > > [2] https://wiki.debian.org/Subkeys




  • From Bo YU@21:1/5 to All on Mon Jun 27 17:00:01 2022
    Hi,
    On Mon, Jun 27, 2022 at 10:40:17AM +0000, Dániel Fancsali wrote:
    > Good morning,
    >
    > Thanks for your replies, gents.
    >
    > Makes sense.
    >
    > One last thing I am not sure of: do I upload my master key's public part
    > or the signing key's one to my mentors account?

    I think that uploading the signing key's pubkey is ok.
    You can even use the same subkey on multiple PCs.

    --
    Best Regards,


