Debian Developer's Reference
Chapter 2 - Applying to Become a Maintainer
2.1 Getting started
So, you've read all the documentation, you understand what everything in the
hello example package is for, and you're about to Debianize your
favourite piece of software. How do you actually become a Debian developer so
that your work can be incorporated into the Project?
When you know how you want to contribute to Debian GNU/Linux, you should get in
contact with existing Debian maintainers who are working on similar tasks.
That way, you can learn from experienced developers. For example, if you are
interested in packaging existing software for Debian you should try to get a
sponsor. A sponsor will work together with you on your package and upload it
to the Debian archive once he is happy with the packaging work you have done.
You can find a sponsor by mailing the email@example.com
mailing list, describing your package and yourself and asking for a sponsor
(see Sponsoring packages, Section
11.1 for more information on sponsoring). On the other hand, if you are
interested in porting Debian to alternative architectures or kernels you can
subscribe to port specific mailing lists and ask there how to get started.
Finally, if you are interested in documentation or Quality Assurance (QA) work
you can join maintainers already working on these tasks and submit patches and
2.2 Registering as a Debian developer
Before you decide to register with Debian GNU/Linux, you will need to read all
the information available at the New Maintainer's
Corner. It describes exactly the preparations you have to do before
you can register to become a Debian developer. For example, before you apply,
you have to to read the Debian Social Contract.
Registering as a developer means that you agree with and pledge to uphold the
Debian Social Contract; it is very important that maintainers are in accord
with the essential ideas behind Debian GNU/Linux. Reading the GNU Manifesto would
also be a good idea.
The process of registering as a developer is a process of verifying your
identity and intentions, and checking your technical skills. As the number of
people working on Debian GNU/Linux has grown to over 800 people and our systems
are used in several very important places we have to be careful about being
compromised. Therefore, we need to verify new maintainers before we can give
them accounts on our servers and let them upload packages.
Before you actually register you should have shown that you can do competent
work and will be a good contributor. You can show this by submitting patches
through the Bug Tracking System or having a package sponsored by an existing
maintainer for a while. Also, we expect that contributors are interested in
the whole project and not just in maintaining their own packages. If you can
help other maintainers by providing further information on a bug or even a
patch, then do so!
Registration requires that you are familiar with Debian's philosophy and
technical documentation. Furthermore, you need a GPG key which has been signed
by an existing Debian maintainer. If your GPG key is not signed yet, you
should try to meet a Debian maintainer in person to get your key signed.
There's a GPG Key Signing
Coordination page which should help you find a maintainer close to
you (If you cannot find a Debian maintainer close to you, there's an
alternative way to pass the ID check. You can send in a photo ID signed with
your GPG key. Having your GPG key signed is the preferred way, however. See
page for more information about these two options.)
If you do not have an OpenPGP key yet, generate one. Every developer needs a
OpenPGP key in order to sign and verify package uploads. You should read the
manual for the software you are using, since it has much important information
which is critical to its security. Many more security failures are due to
human error than to software failure or high-powered spy techniques. See Maintaining Your Public Key,
Section 3.2 for more information on maintaining your public key.
Debian uses the GNU Privacy Guard (package gnupg
version 1 or better) as its baseline standard. You can use some other
implementation of OpenPGP as well. Note that OpenPGP is a open standard based
on RFC 2440.
The recommended public key algorithm for use in Debian development work is the
DSA (sometimes call ``DSS'' or ``DH/ElGamal''). Other key types may be used
however. Your key length must be at least 1024 bits; there is no reason to use
a smaller key, and doing so would be much less secure. Your key must be signed
with at least your own user ID; this prevents user ID tampering.
gpg does this automatically.
If your public key isn't on public key servers such as
pgp5.ai.mit.edu, please read the documentation available locally
in /usr/share/doc/pgp/keyserv.doc. That document contains
instructions on how to put your key on the public key servers. The New
Maintainer Group will put your public key on the servers if it isn't already
Some countries restrict the use of cryptographic software by their citizens.
This need not impede one's activities as a Debian package maintainer however,
as it may be perfectly legal to use cryptographic products for authentication,
rather than encryption purposes (as is the case in France). Debian GNU/Linux
does not require the use of cryptography qua cryptography in any
manner. If you live in a country where use of cryptography even for
authentication is forbidden then please contact us so we can make special
To apply as a new maintainer, you need an existing Debian maintainer to verify
your application (an advocate). After you have contributed to Debian
for a while, and you want to apply to become a registered developer, an
existing developer with whom you have worked over the past months has to
express his belief that you can contribute to Debian successfully.
When you have found an advocate, have your GPG key signed and have already
contributed to Debian for a while, you're ready to apply. You can simply
register on our application
page. After you have signed up, your advocate has to confirm your
application. When your advocate has completed this step you will be assigned
an Application Manager who will go with you through the necessary steps of the
New Maintainer process. You can always check your status on the applications status board.
For more details, please consult New Maintainer's
Corner at the Debian web site. Make sure that you are familiar with
the necessary steps of the New Maintainer process before actually applying. If
you are well prepared, you can save a lot of timer later on.