[ Please redirect this message to anyone who works with you as GNU Maintainer to help handle upload and releases of GNU software. ] To All GNU Maintainers: Paul Fisher, Karl Berry, and a host of others have implemented a new system to handle uploads of GNU software to ftp.gnu.org in a secure way. To begin this process, we need each GNU maintainer to send message, preferably GPG-signed, to that includes the following: (a) name of package(s) that you are the maintainer for, and your preferred email address. (b) an ASCII armored copy of your GnuPG key, as an attachment. ("gpg --export -a YOUR_KEY_ID > mykey.asc" should give you this.) (c) a list of names and (preferred) email addresses of individuals you authorize to make releases for which packages (in the case that you don't make all releases yourself), if any. (d) ASCII armored copies of GnuPG keys for any individuals listed in (c). We will acknowledge your message when we have added the proper GPG keys as authorized to upload files for their corresponding packages. Once you have received that acknowledgment, you will be able to do unattended uploads using the following procedure: For each upload destined for ftp.gnu.org or alpha.gnu.org, three files (a triplet) need to be uploaded via ftp to the site, ftp-upload.gnu.org. (1) File to distributed (eg. foo.tar.gz) (2) Detached GPG binary signature for (1) (using gpg -b) (eg. foo.tar.gz.sig) (3) Clearsigned "directive" file (using gpg --clearsign) (eg. foo.tar.gz.directive.asc) The triplet should be uploaded via anonymous ftp to ftp-upload.gnu.org. If the upload is destine for ftp.gnu.org, then the triplet should be places in the /incoming/ftp directory. If the upload is destine for alpha.gnu.org, then the triplet should be placed in the /incoming/alpha directory. Uploads are processed every five minutes. (BTW, uploads that are in progress when the upload processing script is running are handled properly, so do not worry about the timing of your upload.) The directive file should contain one line (excluding the clearsigned data GPG puts in place), which specifies the directory where items (1) and (2) shall be placed. For example, foo.tar.gz.directive might contain the single line: directory: bar/v1 This directory line indicates that foo.tar.gz and foo.tar.gz.sig are part of package "bar". If you were to upload the three files to /incoming/ftp, and the system can positively authenticate the signatures, then the files foo.tar.gz and foo.tar.gz.sig will be placed in the directory "gnu/bar/v1" off of the "ftp.gnu.org" site. The directive file can be used to create currently non-existent directory trees, as long as they are under the package directory for your package (in the example above, that is "bar"). Your designated upload email addresses (see (a) and (b) above) shall receive an email if there are any problems processing an upload for your package. If you have difficulties processing an upload, please write to . NOTE: We had previously asked you to write to address@hidden because of excessive amounts of spam (from SoBig) in our ftp-upload RT queue. As of today, that is NO LONGER NECESSARY, as a volunteer (thanks, Paul Visscher) kindly clear out that spam. Please resume using the ftp-upload address for ALL MATTERS related to ftp uploads. Finally, I want to thank each GNU maintainer for your patience during this process. I realize there is still some backlog of uploads and some md5sum files from pre-August-1 files that are queued for us. Now that we have this process in place, we will turn our attention to clearing out that backlog and hope to complete it soon. If you have questions about this process, please contact us at . Thanks again for your patience.