“UbuntuHelp:UnsignedGpgKey”的版本间的差异
来自Ubuntu中文
小 (新页面: {{From|https://help.ubuntu.com/community/UnsignedGpgKey}} {{Languages|UbuntuHelp:UnsignedGpgKey}} == Handling Unsigned GPG Keys == === Background === Ubuntu Maintainers (including MOTU ...) |
小 |
||
| 第2行: | 第2行: | ||
{{Languages|UbuntuHelp:UnsignedGpgKey}} | {{Languages|UbuntuHelp:UnsignedGpgKey}} | ||
== Handling Unsigned GPG Keys == | == Handling Unsigned GPG Keys == | ||
| − | |||
=== Background === | === Background === | ||
| − | |||
Ubuntu Maintainers (including MOTU (Masters of the [[UbuntuHelp:AddingRepositoriesHowto|Universe]])) are required to have a GPG key in | Ubuntu Maintainers (including MOTU (Masters of the [[UbuntuHelp:AddingRepositoriesHowto|Universe]])) are required to have a GPG key in | ||
order to sign and upload their packages. Before being allowed to | order to sign and upload their packages. Before being allowed to | ||
| 第14行: | 第12行: | ||
from bad guys who might pose as an Ubuntu developer to upload a | from bad guys who might pose as an Ubuntu developer to upload a | ||
trojaned or otherwise nasty package. | trojaned or otherwise nasty package. | ||
| − | |||
=== The Problem === | === The Problem === | ||
| − | |||
Some people interested in helping with Ubuntu have keys that have not | Some people interested in helping with Ubuntu have keys that have not | ||
been signed or keys that are not signed by another key in the strongly | been signed or keys that are not signed by another key in the strongly | ||
| 第22行: | 第18行: | ||
from you back to someone that the Ubuntu community already trusts, | from you back to someone that the Ubuntu community already trusts, | ||
your upload access will be delayed. | your upload access will be delayed. | ||
| − | |||
=== Solution #1 === | === Solution #1 === | ||
| − | |||
The absolutely ideal solution is to have your key signed in person by someone | The absolutely ideal solution is to have your key signed in person by someone | ||
else in the global strongly connected set. | else in the global strongly connected set. | ||
| − | |||
[http://biglumber.com/] has a searchable database of GPG users by | [http://biglumber.com/] has a searchable database of GPG users by | ||
location. If you can find someone in your area, confirm with a | location. If you can find someone in your area, confirm with a | ||
| 第33行: | 第26行: | ||
Ubuntu resources, and then you can politely ask that person to exchange | Ubuntu resources, and then you can politely ask that person to exchange | ||
keys. | keys. | ||
| − | |||
Another list: | Another list: | ||
* http://nm.debian.org/gpg_offer.php | * http://nm.debian.org/gpg_offer.php | ||
| − | |||
When you meet to do a keysigning you will need to bring the output of | When you meet to do a keysigning you will need to bring the output of | ||
'gpg --fingerprint [email protected]' printed on paper, as well as | 'gpg --fingerprint [email protected]' printed on paper, as well as | ||
a government issue photo ID (passport or drivers license). | a government issue photo ID (passport or drivers license). | ||
| − | |||
To get an idea of goes on at a keysiging, read these guidelines (which | To get an idea of goes on at a keysiging, read these guidelines (which | ||
describe a full-blown party which is probably more complex than what | describe a full-blown party which is probably more complex than what | ||
you will do): http://mako.yukidoke.org/keys/keysign.txt | you will do): http://mako.yukidoke.org/keys/keysign.txt | ||
| − | |||
=== Solution #2 === | === Solution #2 === | ||
| − | |||
In situations where you absolutely cannot get a key signed by someone | In situations where you absolutely cannot get a key signed by someone | ||
else in the strongly connected set, you will need to demonstrate this | else in the strongly connected set, you will need to demonstrate this | ||
| 第52行: | 第40行: | ||
can convince them that it is impossible to get a signed key, you can | can convince them that it is impossible to get a signed key, you can | ||
have your identity verified differently. | have your identity verified differently. | ||
| − | |||
To do this, you should print a copy of the Ubuntu Code of Conduct, | To do this, you should print a copy of the Ubuntu Code of Conduct, | ||
followed by the output of 'gpg --fingerprint [email protected]'. | followed by the output of 'gpg --fingerprint [email protected]'. | ||
| − | |||
Take this printout to your friendly local notary, and ask them to | Take this printout to your friendly local notary, and ask them to | ||
validate your signature on this document. This will require at least | validate your signature on this document. This will require at least | ||
2007年11月30日 (五) 22:01的版本
 |
点击翻译: |
English |
请不要直接编辑翻译本页,本页将定期与来源同步。 |
Handling Unsigned GPG Keys
Background
Ubuntu Maintainers (including MOTU (Masters of the Universe)) are required to have a GPG key in order to sign and upload their packages. Before being allowed to upload, your GPG key must be verified by acquiring a signature from at least one other GPG user who have met in real life and have confirmed your identity. This person must be part of large group of people called the strongly connected set through which other Ubuntu developers are also all connected. This protects Ubuntu and its users from bad guys who might pose as an Ubuntu developer to upload a trojaned or otherwise nasty package.
The Problem
Some people interested in helping with Ubuntu have keys that have not been signed or keys that are not signed by another key in the strongly connected set. If it is hard to trace a series of signatures (i.e., connections) from you back to someone that the Ubuntu community already trusts, your upload access will be delayed.
Solution #1
The absolutely ideal solution is to have your key signed in person by someone else in the global strongly connected set. [1] has a searchable database of GPG users by location. If you can find someone in your area, confirm with a current Ubuntu member that their signature is acceptable for access to Ubuntu resources, and then you can politely ask that person to exchange keys. Another list:
When you meet to do a keysigning you will need to bring the output of 'gpg --fingerprint [email protected]' printed on paper, as well as a government issue photo ID (passport or drivers license). To get an idea of goes on at a keysiging, read these guidelines (which describe a full-blown party which is probably more complex than what you will do): http://mako.yukidoke.org/keys/keysign.txt
Solution #2
In situations where you absolutely cannot get a key signed by someone else in the strongly connected set, you will need to demonstrate this to members of the Ubuntu Community Council and Technical Board. If you can convince them that it is impossible to get a signed key, you can have your identity verified differently. To do this, you should print a copy of the Ubuntu Code of Conduct, followed by the output of 'gpg --fingerprint [email protected]'. Take this printout to your friendly local notary, and ask them to validate your signature on this document. This will require at least one form of government issued ID (passport or drivers license). You will then need to snail mail this document - the address will be made available to approved maintainers who are confirmed to require this method by members of the Community Council or Technical Board.
