Status of the Debian OpenPGP keyring — November update

Almost two months ago I posted our keyring status graphs, showing the progress of the transition to >=2048-bit keys for the different active Debian keyrings. So, here are the new figures.

First, the Non-uploading keyring: We were already 100% transitioned. You will only notice a numerical increase: That little bump at the right is our dear friend Tássia finally joining as a Debian Developer. Welcome! \o/

As for the Maintainers keyring: We can see a sharp increase in 4096-bit keys. Four 1024-bit DM keys were migrated to 4096R, and we also had eight new DMs coming in. To them, also, welcome \o/.

Sadly, we had to remove a 1024-bit key, as Peter Miller passed away. So, in a 234-key universe, 12 new 4096R keys is a large bump!

Finally, our current-greatest worry — If for nothing else, for the size of the beast: The active Debian Developers keyring. We currently have 983 keys in this keyring, so it takes considerably more effort to change it.

But we have managed to push it noticeably.

This last upload saw a great deal of movement. We received only one new DD (but hey — welcome nonetheless! \o/ ). 13 DD keys were retired; as one of the maintainers of the keyring, of course this makes me sad — but then again, in most cases it’s rather an acknowledgement of fact: Those keys’ holders often state they had long not been really involved in the project, and the decision to retire was in fact timely. But the greatest bulk of movement was the key replacements: A massive 62 1024D keys were replaced with stronger ones. And, yes, the graph changed quite abruptly:

We still have a bit over one month to go for our cutoff line, where we will retire all 1024D keys. It is important to say we will not retire the affected accounts, mark them as MIA, nor anything like that. If you are a DD and only have a 1024D key, you will still be a DD, but you will be technically unable to do work directly. You can still upload your packages or send announcements to regulated mailing lists via sponsor requests (although you will be unable to vote).

Speaking of votes: We have often said that we believe the bulk of the short keys belong to people not really active in the project anymore. Not all of them, sure, but a big proportion. We just had a big, controversial GR vote with one of the highest voter turnouts in Debian’s history. I checked the GR’s tally sheet, and the results are interesting: Please excuse my ugly bash, but I’m posting this so you can play with similar runs on different votes and points in time using the public keyring Git repository:

$ git checkout 2014.10.10
$ for KEY in $( for i in $( grep '^V:' tally.txt | awk '{print "<" $3 ">"}' )
                do grep $i keyids | cut -f 1 -d ' '
                done )
  do if [ -f debian-keyring-gpg/$KEY -o -f debian-nonupload-gpg/$KEY ]
     then gpg --keyring /dev/null --keyring debian-keyring-gpg/$KEY \
              --keyring debian-nonupload-gpg/$KEY --with-colons \
              --list-key $KEY 2>/dev/null \
              | head -2 | tail -1 | cut -f 3 -d :
     fi
  done | sort | uniq -c
     95 1024
     13 2048
      1 3072
    371 4096
      2 8192

So, as of mid-October: 387 out of the 482 votes (80.3%) were cast by developers with >=2048-bit keys, and 95 (19.7%) were cast by short keys.

If we were to run the same vote with the new active keyring, 417 votes would have been cast with >=2048-bit keys (87.2%), and 61 with short keys (12.8%). We would have four fewer votes, as they retired:

     61 1024
     14 2048
      2 3072
    399 4096
      2 8192
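The same tally-by-key-length computation as the bash pipeline above, as an added Python example that is not part of the original post or the keyring repository. It runs on constructed stand-ins for tally.txt, keyids and the per-key `gpg --with-colons` listings (the logins, key IDs and listing contents below are made up), reads the `pub:` record by name instead of assuming it is the second output line, and keeps a separate count of voters whose key is no longer in the keyring.

```python
import re
from collections import Counter

# Constructed sample inputs, mirroring the three files the bash pipeline reads:
# tally.txt ("V:" lines, third field is the voter's login), keyids (first
# field is the key ID, login in angle brackets), and one colon-format gpg
# listing per key ID. None of these values are real.
TALLY = """\
V: 1234---- alice Alice Example
V: 4321---- bob Bob Example
V: 2143---- carol Carol Example
V: 3412---- dave Dave Example
"""
KEYIDS = """\
0xAAAA0001 Alice Example <alice>
0xBBBB0002 Bob Example <bob>
0xCCCC0003 Carol Example <carol>
"""
# dave has no entry above: a voter whose key has since been retired.
# bob's listing has no leading tru: line, so "head -2 | tail -1" would not
# land on the pub: record; matching on the record type avoids that.
LISTINGS = {
    "0xAAAA0001": "tru::1:1415000000:0:3:1:5\npub:u:4096:1:AAAA0001::::::::::\n",
    "0xBBBB0002": "pub:u:1024:17:BBBB0002::::::::::\n",
    "0xCCCC0003": "tru::1:1415000000:0:3:1:5\npub:u:2048:1:CCCC0003::::::::::\n",
}

def voter_logins(tally_text):
    return [l.split()[2] for l in tally_text.splitlines() if l.startswith("V:")]

def login_to_keyid(keyids_text):
    mapping = {}
    for line in keyids_text.splitlines():
        m = re.search(r"<([^>]+)>", line)
        if m:
            mapping[m.group(1)] = line.split()[0]
    return mapping

def key_length(colon_listing):
    """Key length (field 3) of the pub: record, or None if there is none."""
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            return int(fields[2])
    return None

def tally_by_length(tally_text, keyids_text, listings, threshold=2048):
    """Return (Counter of length -> votes, votes with no key, % >= threshold)."""
    keyids, counts, missing = login_to_keyid(keyids_text), Counter(), 0
    for login in voter_logins(tally_text):
        keyid = keyids.get(login)
        if keyid is None or keyid not in listings:
            missing += 1
            continue
        counts[key_length(listings[keyid])] += 1
    total = sum(counts.values())
    strong = sum(n for length, n in counts.items() if length >= threshold)
    return counts, missing, round(100.0 * strong / total, 1) if total else 0.0
```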

So, let's hear it for November/December. How much can we push down that pesky yellow line?

Disclaimer: Any inaccuracy due to bugs in my code is completely my fault!

Attachments

line_by_length_for_keyring.png (275 KB)

line_by_length_for_maintainers.png (301 KB)

line_by_length_for_nonupload.png (208 KB)
