[back] [Copyright Notice] [Contents] [next]

Debian Developer's Reference - Chapter 2
Applying to Become a Maintainer


2.1 Getting started

So, you've read all the documentation, you understand what everything in the hello example package is for, and you're about to Debianize your favourite piece of software. How do you actually become a Debian developer so that your work can be incorporated into the Project?

Firstly, subscribe to debian-devel@lists.debian.org if you haven't already. Send the word subscribe in the Subject of an email to debian-devel-REQUEST@lists.debian.org. In case of problems, contact the list administrator at listmaster@lists.debian.org. More information on available mailing lists can be found in Mailing lists, section 4.1.

You should subscribe and lurk for a bit before doing any coding, and you should post about your intentions to work on something to avoid duplicated effort.

Another good list to subscribe to is debian-mentors@lists.debian.org. See Debian Mentors, section 2.3 for details. The IRC channel #debian on the Linux People IRC network (i.e., irc.debian.org) can also be helpful.


2.2 Registering as a Debian developer

Before you decide to register with the Debian Project, you will need to read the Debian Social Contract. Registering as a developer means that you agree with and pledge to uphold the Debian Social Contract; it is very important that maintainers are in accord with the essential ideas behind Debian GNU/Linux. Reading the GNU Manifesto would also be a good idea.

The process of registering as a developer is a process of verifying your identity and intentions. As the number of people working on Debian GNU/Linux has grown to over 400 people and our systems are used in several very important places we have to be careful about being compromised. Therefore, we need to verify new maintainers before we can give them accounts on our servers and letting them upload packages.

Registration requires that the following information be sent to new-maintainer@debian.org as part of the registration application:

If you do not have a PGP key yet, generate one. Every developer needs a PGP key in order to sign and verify package uploads. You should read the PGP manual, since it has much important information which is critical to its security. Many more security failures are due to human error than to software failure or high-powered spy techniques.

Our standard is to use pgp version 2.x. You can use pgp version 5, if and only if you make an RSA key. Note that we are also working with the gpg team so that we can have a free alternative to PGP; however, this may take a little bit of time.

Your PGP key must be at least 1024 bits long. There is no reason to use a smaller key, and doing so would be much less secure. Your key must be signed with at least your own user ID. This prevents user ID tampering. You can do it by executing pgp -ks your_userid.

If your PGP key isn't on public key servers such as pgp5.ai.mit.edu, please read the documentation available locally /usr/doc/pgp/keyserv.doc. That document contains instructions on how to put your key on the public key servers. The New Maintainer Group will put your public key on the servers if it isn't already there.

Due to export restrictions by the United States government some Debian packages, including PGP, have been moved to an ftp site outside of the United States. You can find the current locations of those packages on ftp.debian.org or ftp.us.debian.org in the /pub/debian/README.non-US file.

Some countries restrict the use of cryptographic software by their citizens. This need not impede one's activities as a Debian package maintainer however, as it may be perfectly legal to use cryptographic products for authentication, rather than encryption purposes (as is the case in France). The Debian Project does not require the use of cryptography qua cryptography in any manner. If you live in a country where use of cryptography even for authentication is forbidden then please contact us so we can make special arrangements.

Once you have all your information ready, and your public key is available on public key servers, send a message to new-maintainer@debian.org to register as an offical Debian developer so that you will be able to upload your packages. This message must contain all the information discussed above. The message must also contain your PGP or RSA public key (extracted using pgp -kxa in the case of PGP) for the database of keys which is distributed from ftp.debian.org in /pub/debian/doc/debian-keyring.tar.gz, or the debian-keyring package. Please be sure to sign your request message with your chosen public key.

Once this information is received and processed, you should be contacted with information about your new Debian maintainer account. If you don't hear anything within 7-14 days, please send a followup message asking if your original application was received. Do not re-send your original application, that will just confuse the new-maintainer team. Please be patient, especially near release points; mistakes do occasionally happen, and people do sometimes run out of volunteer time.


2.3 Debian Mentors

A mailing list called debian-mentors@lists.debian.org which has been set up for novice maintainers who seek help with initial packaging and other developer-related issues. Every new developer is invited to subscribe to that list (see Mailing lists, section 4.1 for details).

Those who prefer one-on-one help (e.g., via private email) should also post to that list and an experienced developer will volunteer to help.


[back] [Copyright Notice] [Contents] [next]
Debian Developer's Reference
ver. 2.6.0, 11 February, 1999
Adam Di Carlo, current maintainer aph@debian.org
Christian Schwarz schwarz@debian.org
Ian Jackson ijackson@gnu.ai.mit.edu