trunk/developers-reference/new-maintainer.dbk

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
    "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
  <!ENTITY % commondata SYSTEM "common.ent" > %commondata;
]>
<chapter id="new-maintainer">
<title>Applying to Become a Maintainer</title>
<section id="getting-started">
<title>Getting started</title>
<para>
So, you've read all the documentation, you've gone through the <ulink
url="&url-newmaint-guide;">Debian New Maintainers'
Guide</ulink>, understand what everything in the <systemitem
role="package">hello</systemitem> example package is for, and you're about to
Debianize your favorite piece of software.  How do you actually become a Debian
developer so that your work can be incorporated into the Project?
</para>
<para>
Firstly, subscribe to &email-debian-devel; if you haven't
already.  Send the word <literal>subscribe</literal> in the
<literal>Subject</literal> of an email to
&email-debian-devel-req;.  In case of problems, contact the
list administrator at &email-listmaster;.  More information on
available mailing lists can be found in <xref linkend="mailing-lists"/>.
&email-debian-devel-announce; is another list which is
mandatory for anyone who wishes to follow Debian's development.
</para>
<para>
You should subscribe and lurk (that is, read without posting) for a bit before
doing any coding, and you should post about your intentions to work on
something to avoid duplicated effort.
</para>
<para>
Another good list to subscribe to is &email-debian-mentors;.
See <xref linkend="mentors"/> for details.  The IRC channel
<literal>#debian</literal> can also be helpful; see <xref
linkend="irc-channels"/>.
</para>
<para>
When you know how you want to contribute to &debian-formal;,
you should get in contact with existing Debian maintainers who are working on
similar tasks.  That way, you can learn from experienced developers.  For
example, if you are interested in packaging existing software for Debian, you
should try to get a sponsor.  A sponsor will work together with you on your
package and upload it to the Debian archive once they are happy with the
packaging work you have done.  You can find a sponsor by mailing the
&email-debian-mentors; mailing list, describing your package
and yourself and asking for a sponsor (see <xref linkend="sponsoring"/> and
<ulink url="&url-mentors;"></ulink> for more information on
sponsoring).  On the other hand, if you are interested in porting Debian to
alternative architectures or kernels you can subscribe to port specific mailing
lists and ask there how to get started.  Finally, if you are interested in
documentation or Quality Assurance (QA) work you can join maintainers already
working on these tasks and submit patches and improvements.
</para>
<para>
One pitfall could be a too-generic local part in your mailadress: Terms like
mail, admin, root, master should be avoided, please see <ulink
url="&url-debian-lists;"></ulink> for details.
</para>
</section>

<section id="mentors">
<title>Debian mentors and sponsors</title>
<para>
The mailing list &email-debian-mentors; has been set up for
novice maintainers who seek help with initial packaging and other
developer-related issues.  Every new developer is invited to subscribe to that
list (see <xref linkend="mailing-lists"/> for details).
</para>
<para>
Those who prefer one-on-one help (e.g., via private email) should also post to
that list and an experienced developer will volunteer to help.
</para>
<para>
In addition, if you have some packages ready for inclusion in Debian, but are
waiting for your new maintainer application to go through, you might be able
find a sponsor to upload your package for you.  Sponsors are people who are
official Debian Developers, and who are willing to criticize and upload your
packages for you. Please read the debian-mentors FAQ at <ulink
url="&url-mentors;"></ulink> first.
</para>
<para>
If you wish to be a mentor and/or sponsor, more information is available in
<xref linkend="newmaint"/>.
</para>
</section>

<section id="registering">
<title>Registering as a Debian developer</title>
<para>
Before you decide to register with &debian-formal;, you will
need to read all the information available at the <ulink
url="&url-newmaint;">New Maintainer's Corner</ulink>.  It
describes in detail the preparations you have to do before you can register to
become a Debian developer.  For example, before you apply, you have to read the
<ulink url="&url-social-contract;">Debian Social
Contract</ulink>.  Registering as a developer means that you agree with and
pledge to uphold the Debian Social Contract; it is very important that
maintainers are in accord with the essential ideas behind
&debian-formal;.  Reading the <ulink
url="&url-gnu-manifesto;">GNU Manifesto</ulink> would also be
a good idea.
</para>
<para>
The process of registering as a developer is a process of verifying your
identity and intentions, and checking your technical skills.  As the number of
people working on &debian-formal; has grown to over
&number-of-maintainers; and our systems are used in several
very important places, we have to be careful about being compromised.
Therefore, we need to verify new maintainers before we can give them accounts
on our servers and let them upload packages.
</para>
<para>
Before you actually register you should have shown that you can do competent
work and will be a good contributor.  You show this by submitting patches
through the Bug Tracking System and having a package sponsored by an existing
Debian Developer for a while.  Also, we expect that contributors are interested
in the whole project and not just in maintaining their own packages.  If you
can help other maintainers by providing further information on a bug or even a
patch, then do so!
</para>
<para>
Registration requires that you are familiar with Debian's philosophy and
technical documentation.  Furthermore, you need a GnuPG key which has been
signed by an existing Debian maintainer.  If your GnuPG key is not signed yet,
you should try to meet a Debian Developer in person to get your key signed.
There's a <ulink url="&url-gpg-coord;">GnuPG Key Signing
Coordination page</ulink> which should help you find a Debian Developer close
to you.  (If there is no Debian Developer close to you, alternative ways to
pass the ID check may be permitted as an absolute exception on a
case-by-case-basis.  See the <ulink
url="&url-newmaint-id;">identification page</ulink> for more
information.)
</para>
<para>
If you do not have an OpenPGP key yet, generate one.  Every developer needs an
OpenPGP key in order to sign and verify package uploads.  You should read the
manual for the software you are using, since it has much important information
which is critical to its security.  Many more security failures are due to
human error than to software failure or high-powered spy techniques.  See <xref
linkend="key-maint"/> for more information on maintaining your public key.
</para>
<para>
Debian uses the <literal>GNU Privacy Guard</literal> (package <systemitem
role="package">gnupg</systemitem> version 1 or better) as its baseline
standard.  You can use some other implementation of OpenPGP as well.  Note that
OpenPGP is an open standard based on <ulink
url="&url-rfc2440;">RFC 2440</ulink>.
</para>
<para>
You need a version 4 key for use in Debian Development. <ulink
url="http://lists.debian.org/20090520092534.GG22906@earth.li">Your key length must
be greater than 1024 bits</ulink>; there is no reason to use a smaller key, and doing so
would be much less secure.<footnote><para> Version 4 keys are keys conforming
to the OpenPGP standard as defined in RFC 2440.  Version 4 is the key type that
has always been created when using GnuPG.  PGP versions since 5.x also could
create v4 keys, the other choice having been pgp 2.6.x compatible v3 keys
(also called legacy RSA by PGP).  </para> <para> Version 4 (primary) keys can
either use the RSA or the DSA algorithms, so this has nothing to do with
GnuPG's question about which kind of key do you want: (1) DSA and Elgamal, (2)
DSA (sign only), (5) RSA (sign only).  If you don't have any special
requirements just pick the default.  </para> <para> The easiest way to tell
whether an existing key is a v4 key or a v3 (or v2) key is to look at the
fingerprint: Fingerprints of version 4 keys are the SHA-1 hash of some key
material, so they are 40 hex digits, usually grouped in blocks of 4.
Fingerprints of older key format versions used MD5 and are generally shown in
blocks of 2 hex digits.  For example if your fingerprint looks like
<literal>5B00 C96D 5D54 AEE1 206B  AF84 DE7A AF6E 94C0 9C7F</literal>
then it's a v4 key.  </para> <para> Another possibility is to pipe the key into
<command>pgpdump</command>, which will say something like Public Key Packet -
Ver 4.  </para> <para> Also note that your key must be self-signed (i.e.  it
has to sign all its own user IDs; this prevents user ID tampering).  All modern
OpenPGP software does that automatically, but if you have an older key you may
have to manually add those signatures.  </para> </footnote>
</para>
<para>
If your public key isn't on a public key server such as
&pgp-keyserv;, please read the documentation available at
<ulink url="&url-newmaint-id;">NM Step 2:
Identification</ulink>.  That document contains instructions on how to put your
key on the public key servers.  The New Maintainer Group will put your public
key on the servers if it isn't already there.
</para>
<para>
Some countries restrict the use of cryptographic software by their citizens.
This need not impede one's activities as a Debian package maintainer however,
as it may be perfectly legal to use cryptographic products for authentication,
rather than encryption purposes.  If you live in a country where use of
cryptography even for authentication is forbidden then please contact us so we
can make special arrangements.
</para>
<para>
To apply as a new maintainer, you need an existing Debian Developer to support
your application (an <literal>advocate</literal>).  After you have
contributed to Debian for a while, and you want to apply to become a registered
developer, an existing developer with whom you have worked over the past months
has to express their belief that you can contribute to Debian successfully.
</para>
<para>
When you have found an advocate, have your GnuPG key signed and have already
contributed to Debian for a while, you're ready to apply.  You can simply
register on our <ulink url="&url-newmaint-apply;">application
page</ulink>.  After you have signed up, your advocate has to confirm your
application.  When your advocate has completed this step you will be assigned
an Application Manager who will go with you through the necessary steps of the
New Maintainer process.  You can always check your status on the <ulink
url="&url-newmaint-db;">applications status board</ulink>.
</para>
<para>
For more details, please consult <ulink
url="&url-newmaint;">New Maintainer's Corner</ulink> at the
Debian web site.  Make sure that you are familiar with the necessary steps of
the New Maintainer process before actually applying.  If you are well prepared,
you can save a lot of time later on.
</para>
</section>

</chapter>

1	<?xml version="1.0" encoding="utf-8"?>
2	<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
3	"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
4	<!ENTITY % commondata SYSTEM "common.ent" > %commondata;
5	]>
6	<chapter id="new-maintainer">
7	<title>Applying to Become a Maintainer</title>
8	<section id="getting-started">
9	<title>Getting started</title>
10	<para>
11	So, you've read all the documentation, you've gone through the <ulink
12	url="&url-newmaint-guide;">Debian New Maintainers'
13	Guide</ulink>, understand what everything in the <systemitem
14	role="package">hello</systemitem> example package is for, and you're about to
15	Debianize your favorite piece of software. How do you actually become a Debian
16	developer so that your work can be incorporated into the Project?
17	</para>
18	<para>
19	Firstly, subscribe to &email-debian-devel; if you haven't
20	already. Send the word <literal>subscribe</literal> in the
21	<literal>Subject</literal> of an email to
22	&email-debian-devel-req;. In case of problems, contact the
23	list administrator at &email-listmaster;. More information on
24	available mailing lists can be found in <xref linkend="mailing-lists"/>.
25	&email-debian-devel-announce; is another list which is
26	mandatory for anyone who wishes to follow Debian's development.
27	</para>
28	<para>
29	You should subscribe and lurk (that is, read without posting) for a bit before
30	doing any coding, and you should post about your intentions to work on
31	something to avoid duplicated effort.
32	</para>
33	<para>
34	Another good list to subscribe to is &email-debian-mentors;.
35	See <xref linkend="mentors"/> for details. The IRC channel
36	<literal>#debian</literal> can also be helpful; see <xref
37	linkend="irc-channels"/>.
38	</para>
39	<para>
40	When you know how you want to contribute to &debian-formal;,
41	you should get in contact with existing Debian maintainers who are working on
42	similar tasks. That way, you can learn from experienced developers. For
43	example, if you are interested in packaging existing software for Debian, you
44	should try to get a sponsor. A sponsor will work together with you on your
45	package and upload it to the Debian archive once they are happy with the
46	packaging work you have done. You can find a sponsor by mailing the
47	&email-debian-mentors; mailing list, describing your package
48	and yourself and asking for a sponsor (see <xref linkend="sponsoring"/> and
49	<ulink url="&url-mentors;"></ulink> for more information on
50	sponsoring). On the other hand, if you are interested in porting Debian to
51	alternative architectures or kernels you can subscribe to port specific mailing
52	lists and ask there how to get started. Finally, if you are interested in
53	documentation or Quality Assurance (QA) work you can join maintainers already
54	working on these tasks and submit patches and improvements.
55	</para>
56	<para>
57	One pitfall could be a too-generic local part in your mailadress: Terms like
58	mail, admin, root, master should be avoided, please see <ulink
59	url="&url-debian-lists;"></ulink> for details.
60	</para>
61	</section>
62
63	<section id="mentors">
64	<title>Debian mentors and sponsors</title>
65	<para>
66	The mailing list &email-debian-mentors; has been set up for
67	novice maintainers who seek help with initial packaging and other
68	developer-related issues. Every new developer is invited to subscribe to that
69	list (see <xref linkend="mailing-lists"/> for details).
70	</para>
71	<para>
72	Those who prefer one-on-one help (e.g., via private email) should also post to
73	that list and an experienced developer will volunteer to help.
74	</para>
75	<para>
76	In addition, if you have some packages ready for inclusion in Debian, but are
77	waiting for your new maintainer application to go through, you might be able
78	find a sponsor to upload your package for you. Sponsors are people who are
79	official Debian Developers, and who are willing to criticize and upload your
80	packages for you. Please read the debian-mentors FAQ at <ulink
81	url="&url-mentors;"></ulink> first.
82	</para>
83	<para>
84	If you wish to be a mentor and/or sponsor, more information is available in
85	<xref linkend="newmaint"/>.
86	</para>
87	</section>
88
89	<section id="registering">
90	<title>Registering as a Debian developer</title>
91	<para>
92	Before you decide to register with &debian-formal;, you will
93	need to read all the information available at the <ulink
94	url="&url-newmaint;">New Maintainer's Corner</ulink>. It
95	describes in detail the preparations you have to do before you can register to
96	become a Debian developer. For example, before you apply, you have to read the
97	<ulink url="&url-social-contract;">Debian Social
98	Contract</ulink>. Registering as a developer means that you agree with and
99	pledge to uphold the Debian Social Contract; it is very important that
100	maintainers are in accord with the essential ideas behind
101	&debian-formal;. Reading the <ulink
102	url="&url-gnu-manifesto;">GNU Manifesto</ulink> would also be
103	a good idea.
104	</para>
105	<para>
106	The process of registering as a developer is a process of verifying your
107	identity and intentions, and checking your technical skills. As the number of
108	people working on &debian-formal; has grown to over
109	&number-of-maintainers; and our systems are used in several
110	very important places, we have to be careful about being compromised.
111	Therefore, we need to verify new maintainers before we can give them accounts
112	on our servers and let them upload packages.
113	</para>
114	<para>
115	Before you actually register you should have shown that you can do competent
116	work and will be a good contributor. You show this by submitting patches
117	through the Bug Tracking System and having a package sponsored by an existing
118	Debian Developer for a while. Also, we expect that contributors are interested
119	in the whole project and not just in maintaining their own packages. If you
120	can help other maintainers by providing further information on a bug or even a
121	patch, then do so!
122	</para>
123	<para>
124	Registration requires that you are familiar with Debian's philosophy and
125	technical documentation. Furthermore, you need a GnuPG key which has been
126	signed by an existing Debian maintainer. If your GnuPG key is not signed yet,
127	you should try to meet a Debian Developer in person to get your key signed.
128	There's a <ulink url="&url-gpg-coord;">GnuPG Key Signing
129	Coordination page</ulink> which should help you find a Debian Developer close
130	to you. (If there is no Debian Developer close to you, alternative ways to
131	pass the ID check may be permitted as an absolute exception on a
132	case-by-case-basis. See the <ulink
133	url="&url-newmaint-id;">identification page</ulink> for more
134	information.)
135	</para>
136	<para>
137	If you do not have an OpenPGP key yet, generate one. Every developer needs an
138	OpenPGP key in order to sign and verify package uploads. You should read the
139	manual for the software you are using, since it has much important information
140	which is critical to its security. Many more security failures are due to
141	human error than to software failure or high-powered spy techniques. See <xref
142	linkend="key-maint"/> for more information on maintaining your public key.
143	</para>
144	<para>
145	Debian uses the <literal>GNU Privacy Guard</literal> (package <systemitem
146	role="package">gnupg</systemitem> version 1 or better) as its baseline
147	standard. You can use some other implementation of OpenPGP as well. Note that
148	OpenPGP is an open standard based on <ulink
149	url="&url-rfc2440;">RFC 2440</ulink>.
150	</para>
151	<para>
152	You need a version 4 key for use in Debian Development. <ulink
153	url="http://lists.debian.org/20090520092534.GG22906@earth.li">Your key length must
154	be greater than 1024 bits</ulink>; there is no reason to use a smaller key, and doing so
155	would be much less secure.<footnote><para> Version 4 keys are keys conforming
156	to the OpenPGP standard as defined in RFC 2440. Version 4 is the key type that
157	has always been created when using GnuPG. PGP versions since 5.x also could
158	create v4 keys, the other choice having been pgp 2.6.x compatible v3 keys
159	(also called legacy RSA by PGP). </para> <para> Version 4 (primary) keys can
160	either use the RSA or the DSA algorithms, so this has nothing to do with
161	GnuPG's question about which kind of key do you want: (1) DSA and Elgamal, (2)
162	DSA (sign only), (5) RSA (sign only). If you don't have any special
163	requirements just pick the default. </para> <para> The easiest way to tell
164	whether an existing key is a v4 key or a v3 (or v2) key is to look at the
165	fingerprint: Fingerprints of version 4 keys are the SHA-1 hash of some key
166	material, so they are 40 hex digits, usually grouped in blocks of 4.
167	Fingerprints of older key format versions used MD5 and are generally shown in
168	blocks of 2 hex digits. For example if your fingerprint looks like
169	<literal>5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E 94C0 9C7F</literal>
170	then it's a v4 key. </para> <para> Another possibility is to pipe the key into
171	<command>pgpdump</command>, which will say something like Public Key Packet -
172	Ver 4. </para> <para> Also note that your key must be self-signed (i.e. it
173	has to sign all its own user IDs; this prevents user ID tampering). All modern
174	OpenPGP software does that automatically, but if you have an older key you may
175	have to manually add those signatures. </para> </footnote>
176	</para>
177	<para>
178	If your public key isn't on a public key server such as
179	&pgp-keyserv;, please read the documentation available at
180	<ulink url="&url-newmaint-id;">NM Step 2:
181	Identification</ulink>. That document contains instructions on how to put your
182	key on the public key servers. The New Maintainer Group will put your public
183	key on the servers if it isn't already there.
184	</para>
185	<para>
186	Some countries restrict the use of cryptographic software by their citizens.
187	This need not impede one's activities as a Debian package maintainer however,
188	as it may be perfectly legal to use cryptographic products for authentication,
189	rather than encryption purposes. If you live in a country where use of
190	cryptography even for authentication is forbidden then please contact us so we
191	can make special arrangements.
192	</para>
193	<para>
194	To apply as a new maintainer, you need an existing Debian Developer to support
195	your application (an <literal>advocate</literal>). After you have
196	contributed to Debian for a while, and you want to apply to become a registered
197	developer, an existing developer with whom you have worked over the past months
198	has to express their belief that you can contribute to Debian successfully.
199	</para>
200	<para>
201	When you have found an advocate, have your GnuPG key signed and have already
202	contributed to Debian for a while, you're ready to apply. You can simply
203	register on our <ulink url="&url-newmaint-apply;">application
204	page</ulink>. After you have signed up, your advocate has to confirm your
205	application. When your advocate has completed this step you will be assigned
206	an Application Manager who will go with you through the necessary steps of the
207	New Maintainer process. You can always check your status on the <ulink
208	url="&url-newmaint-db;">applications status board</ulink>.
209	</para>
210	<para>
211	For more details, please consult <ulink
212	url="&url-newmaint;">New Maintainer's Corner</ulink> at the
213	Debian web site. Make sure that you are familiar with the necessary steps of
214	the New Maintainer process before actually applying. If you are well prepared,
215	you can save a lot of time later on.
216	</para>
217	</section>
218
219	</chapter>
220