Wednesday, 24 September 2025

PGP key recommendations for Ubuntu Development

Hi Ubuntu Developers of the past, the present, and the future!

For a while I'm working on an improvement to how Ubuntu
developers set up and handle their PGP keys. Without any
offense, up to now it mostly is an undocumented:
"Create a key, and somehow try to handle it safely".
But throughout the population of developers I've seen
various different interpretations of "safely" :-)

Most of those that take it rather seriously have settled on a setup
that utilizes hardware keys and I was collecting their input and
experience for a while. I think it is time to drive a public policy
about what we would recommend.

After some internal rounds with early adopters as well as internal
stakeholders on my draft, I've recently opened it up as a
public PR to the project docs [1] and already got quite good feedback
which is integrated by now. The intention is now to reach out
further, by pointing all of you to the PR [1].

[1]: https://github.com/ubuntu/ubuntu-project-docs/pull/182

P.S. I know there is more that can be done as subsequent steps in the future,
but I'm intentionally trying to not let future perfection be the
blocker of this helpful step today, like:

- Testing and documenting exact steps to do that setup. For that I'd
want to get an agreement on the policy first, then distribute such
keys among some of our folks and ensure we polish any rough edges by
using them the way the policy says.

- There are related aspects like the Launchpad API not yet having
such capabilities, we are pushing for that feature and we'd
adopt the policy here once available. I allude to that in the
presented PR, but until the capability exists I can't do much more.

- It is considered to one day make some of this mandatory, at least for
roles with highly elevated permissions or e.g. within Canonical. But for
that we need to have the policy and steps (above), the way to set up
and use it (known missing) and maybe even missing launchpad features
agreed and implemented.

...

P.P.S.
I've also called the TB, because to truly land this I think I eventually
need them to either say "Approved by TB" or "Debated, OK,
but does not need our deep review and approval".

--
Christian Ehrhardt
Director of Engineering, Ubuntu Server
Canonical Ltd

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

Posted by at