Debian meeting in Madrid, GPG keysigning

Yesterday some Debian people in Madrid we met to have a drink together and GPG keysigning.I have received 2 signs already #oleole! :)Some minutes ago, I signed all the keys and sent the corresponding emails. Since I have to dedicate some minutes to verify fingerprints and emails, I have dedicated some time to remember each person too: his face, the topics that we talked about, etc.  (we were 8 people!).
It’s been nice to meet Debian people in person, in Madrid (it was the first time I attended). I like to speak Spanish in a Debian context (and different than the translators mailing list), it’s kind of funny, relaxing. It has been also an opportunity to meet new people that can be very different from me, and so, open my mind to new thoughts.

I hope we meet more often so we strengthen not only the web of trust but also the face-to-face social network :)

Posted in Uncategorized | Tagged , , , , ,

Translating (reviewing) Debian package descriptions

Some days I feel super lazy but I still would like to go on contributing translations to Debian.
Then, I leave the web translations a bit, and change to translate or review Debian package descriptions.

It’s something that anybody can do without any knowledge of translation tools, since it is a very simple web interface, as you will see.

First you need to create a login account, then, login into the system.

And then, go to the page of your mother language (in my case, Spanish, “es”). You will see some introductory text, and the list of pending translations:
At the end of the page, there is the list of translations pending to review:

We should begin with this, so the work that other people already made arrives quickly its destination. And it’s the easiest part, as you will see. Let’s pick one of them (libvformat1-dev):

You see the short description in the original English, and the current translation (if there were changes from a former version, they are coloured too).

I didn’t know what the package libvformat1-dev does, but here’s a nice opportunity to learn aobut it a bit :)

The short description looks ok for me. Let’s go on to the long description:


It also looks correct for me. So I leave the text box as is, and go on until the bottom of the page:
and click “Accept as is”. That’s all!!

The system brings you back to the page with pending translations and reviews. Let’s pick another one: totem
I found a typo and corrected some other words, so I updated the text in the translation box, left a message to the other translators in the comment box, and clicked “Accept with changes”.

And… iterate.

When 3 translators agree in a translation, it becomes official, and its propagated to apt-cache, aptitude, synaptic, etc., and the website ( This is the most difficult part (to get 3 reviews for each package description):  many language teams are small, and their workforce is spread in many fronts: translations for the website, news and announcements, debconf templates (the messages that are shown to the user when a package is installed), the Debian installer, the documentation, the package descriptions… So your help (even when you only review some translations from time to time) will be appreciated, for sure.

Posted in Tools | Tagged , , ,

I’ve applied to be a (non uploading) Debian Developer

I’ve just applied to be a (non uploading) Debian Developer. I’ve just filled in the form, and decrypted the message that I received to confirm my application (I had read the important documents long time ago, and again, some weeks ago, and again, some days ago).

I was expecting today to gather some GPG signs, but the event was cancelled (postponed). So beginning next week, I’ll try to gather GPG signs one by one, by myself.

Outdated translations of the website are finished (no more yellow stickers in the Spanish!), and I already began with the translation of new files.

I’ve sent mails to say thank you to some of the people that helped me during this phase of Debian Contributor.

I think I’ve done everything that I can do for now. So let’s wait.

I don’t know how will I sleep tonight.


You can comment in this thread.

Posted in My experiences and opinion | Tagged , , , , , , ,

10 short steps to contribute translations to free software for Android

This small guide assumes that you know how to create a public repository with git (or other version control system). Maybe some projects use other VCS, Subversion or whatever; the process would be similar although the commands will be different of course.

If you don’t want to use any VCS, you can just download the corresponding file, translate it, and send it by email or to the BTS of the project, but the commands required are very easy and you’ll see soon that using git (or any VCS) is quite comfortable and less scary than what it seems.

So, you were going to recommend a nice app that you use or found in F-Droid to your friend, but she does not understand English. Why not translating the app for her? And for everybody? It’s a job that can be done in 15 minutes or so (Android apps have very short strings, few menus, and so). Let’s go!

1.- Search the app in the F-Droid website

You can do it going to the URL:


Then, open the details of the app, and learn where’s the source code.

2.- Clone the source code

If you have an account in that forge, fork/clone the project into your account, and then, clone your fork/clone in local.

If you haven’t got an account in that forge, clone the project in local.

git clone URLofTheProjectOrYourClone

3.- In local, create a new branch, and checkout to it.

cd nameofrepo

git checkout -b Spanish

4.- Then, copy the “/res/values” folder into “res/values-XX” folder (where XX is your language code)

cp ./res/values /res/values-es -R

5.- Translate

Edit the “strings.xml” file that is in the “res/values-XX” folder, and change the English strings to your language (respect the XML format).

6.- Translate other files, or delete them

If there are more files in that folder (e.g. “arrays.xml”), review them to know if they have “translatable” strings. If yes, translate them. If not, delete the files.

7.- Commit

When you are finished, commit your changes:

git add res/values-es/*

git commit -a

(Message can be “Spanish translation” or so)

8.- Push your changes to your public repo

If you didn’t create a public clone of the repo in your forge, create a public repo and push your local stuff into there.

git push --all

9.- Request a merge to the original repo

(Using the web interface of the forge, if it is the same for the original repo and your clone, or sending an email or creating an issue and providing the URL of your repo). For example, open a new issue in the project’s BTS

Title: Spanish translation available for merging

Body: Hi everybody.

Thanks for your work in "nameofapp".

I have completed a Spanish translation, it's available for review/merge in the Spanish branch of my repo:


Best regards

10.- Congratulations!

Translations are new features, and having a new feature in your app for free is a great thing, so probably the app developer(s) will merge your translation soon.

Share your joy with your friends, so they begin to use the app you translated, and maybe become translators too!


You can comment on this post in this thread.

Posted in Tools, Writings (translations) | Tagged , , , , ,

Happy Software Freedom Day!

Today we celebrate the day of free software (each year, a saturday around mid-September) More info at

There are no public events in Madrid, but I’m going to try to hack and write a bit more this weekend, as my personal celebration.

In this blog post you can find some of my very very recent activities on free software, and my plans for this weekend of celebration!


Children distros aka Derivatives

I had the translation/update of the page pending since long time. It’s a long page, and I was not sure what was better: if picking up the too-outdated last translation, and review it carefully in order to update it, or starting from scratch. I decided to reuse the last translation (thanks Luis Uribe!) and after some days dedicating my commuting time on it, finally, yesterday evening I finished it at home. Now it’s in the review queue, and I hope in 10 days or so it will be uploaded.

In the meantime, I have learned a bit about the Debian Derivatives subproject and  census, I have watched the Derivatives Panel at DebConf13, and had a look at the bug #723069 about keeping the children-distros page up to date.

So now that I’m liberated about this translation, I’m going to put some time in keeping up to date the original English page (I’m part of the www and publicity team, so I think it makes sense). My goal is to review at least one Debian derivative each two days, and when I finish the list, start again. I can update the wiki myself, and for the www, I’ll send patches against #723069, unless I’m told to do it other way.

BTW, wouldn’t be nice to mark web/wiki pages as “RFH” the same as packages?, so other people can easily decide to put some time on them, and make even more awesome! Or make them appear in the how-can-i-help reminders :)  Mmm maybe it’s just a matter of filing a bug and tagging it as “gift”? I think no, because nobody has the package “” installed in their system… I’ll talk with the maintainer about this.

New Member process

I promised myself to try to work a bit more in Debian during the summer and September, and if everything goes well, try to apply to the new member process in October.

I wanted to read all the documentation first, and one challenge is to review/update the translations of folder. This way, both myself and the Spanish speaking community benefit from the effort. Yesterday I translated one of those pending pages and I hope during the weekend I can translate/update the rest. When I finish that, I’ll keep reading the other documentation.


This summer I was invited to join the DebConf15 organization team and pick up tasks in the publicity area. I was very happy to join, I’m not sure at all that I can go to DebConf15 in Heidelberg (Germany), in fact I’m quite sure I will not go since mid-August is the only opportunity to visit family who lives far away, but anyway, there are things that we can do before DebConf15 and I can contribute.

For now, I attended last Monday to the meeting at IRC, and I’m finishing a short blogpost about the DebConf14 talk presenting DebConf15, that will be published in the DebConf15 blog.

Android, F-Droid

I keep on trying to spread the word about F-Droid and the free software available for Android, last week some of my friends updated Kontalk to the 3.0.b1 version (I had updated at the beginning of September) and they liked that now, the images are sent encrypted as well as the text messages :)

Some friends also liked the 2048 game, since it can be played offline, without ads, and so.

I decided to spend some time this weekend contributing translations to the Android apps that I use.

A long pending issue is to try to put workforce in the F-Droid project itself so apps descriptions are internationalized (the program is fully translatable, but the categories of apps and the descriptions themselves, are not). This is a complicated issue, it requires to take some design decisions, and later, of course, the implementation. I cannot do it alone, and I cannot do it in the short time. But today I have filed a bug report (#35) so maybe I find other people able to help.

Jabber/XMPP and the “RedesLibres” chatroom

Since several months I’ve been using more often my Jabber/XMPP account to join the chatroom

I meet there some people that I follow in (for example, the people that write in the Comunícate Libremente or Lignux blogs) and we talk about, free software, free services, and other things. I feel very comfortable there, it’s nice to have a Spanish speaking group inside the Free Software community, and I’m also learning a bit about XMPP (I’ve tried a lot of desktop and Android clients, just for fun!), free networks, and so.

So today I wanted to publicly thank you everybody in that chatroom, that welcomed me so well :)

Thank you, free software friends

And, by extension, I want to thank you all the people that work and have fun in the Free Software communities, in the projects where I contribute or others. They (we) hack to make the world better, and to allow others join to this beautiful challenge that is making machines do what their (final) users wants.


You can comment on this post in this thread.

Posted in My experiences and opinion | Tagged , , , , , , , , , , , ,

Disabling comments in the blog

I’m getting more spam than the amount that I can stand in this blog. Comments are moderated, so the public is not suffering that, only me. From time to time I go to my dashboard and clean the spam. I’m afraid that I delete some legit comment in these spam-cleaning-fevers, or, more probably, that a legit comment waits in the queue for several days (weeks?), just because I’m lazy to deal with spam and let days pass by (until the fever comes).

I think I’m going to follow the wisdom of Bradley M. Kuhn and link to a note for comments on my blog posts (disabling them here in I usually post a notice when I write something in my blog, so the only task is to update the blog post with the URL of the thread for comments.

While allows to write comments quickly, without need of an account (you write just a name and an email, and the comment), in pump you need to have an account and sign in to comment. That looks as a bad thing, a barrier for people to participate. But of course, it stops spam :)

After thinking about it a bit, it’s a federated network, you can choose the pump server that they want, you can create a fake account, you don’t need to provide personal information… and it’s another way to promote one of the social networks where I live. Other systems link to facebook, twitter, or other places, and nobody complains! Even when those services don’t have any of the advantages of being in a federated free-software powered social network :)

If anybody don’t want to use but wants to comment, other ways to reach me or the related blog post are:

  • Comment in the GNUSocial fediverse: the post announcing the thread for each blog post will be propagated to my account too.
  • While I’m still using Twitter, they can comment on the corresponding tweet, but beware that I’m seriously thinking about closing my account there, since I rarely use it and don’t like the platform.
  • Drop me an email, I can post the comment on behalf of that person (if you want your comment to be “anonymous”, please state it in the email).

So now it’s decided, and this is the first post of this new experiment. This text is posted in too, and you can comment there :)

Posted in My experiences and opinion, Tools | Tagged , , , , ,

Upgrading my laptop to Debian Jessie

Some days ago I decided to upgrade my laptop from stable to testing.

I had tried Jessie since several months, in my husband’s laptop, but that was a fresh install, and a not-so-old laptop, and we have not much software installed there.

In my netbook (Compaq Mini 110c), with stable, I already had installed Pumpa, Dianara and how-can-i-help from testing, and since the freeze is coming, I thought that I could full-upgrade and use Jessie from now on, and report my issues and help to diagnose or fix them, if possible, before the freeze.

I keep Debian stable at work for my desktop and servers (well, some of them are still in oldstable, thanks LTS team!!), and I have testing in a laptop that I use as clonezilla/drbl server (but I had issues, next week I’ll put some time on them and I’ll write here my findings, and report bugs, if any).

So! let’s go. Here I write my experience and the issues that I found (very few! and not sure if they are bugs or configuration problems or what, I’ll keep an eye on them).

The upgrade

I pointed my /etc/apt/sources.list to jessie, then apt-get update, then apt-get dist-upgrade. (With the servers I am much more careful, read the release notes, upgrade guides and so, or directly I go for a fresh install, but with my laptop, I am too lazy).

I went to bed (wow, risky LArjona!) and when I got up for going to work, the laptop was waiting for me to accept to block root from ssh access, or restart some services, and so. Ok! the upgrade resumed… but I have to go to work and I wanted my laptop! Since all the packages were already downloaded, I closed the lid (double risky LArjona!) unplugged it, put everything in my bag, and catched the bus in time :)

At the bus, I opened again the lid of my laptop (crossing fingers!) and perfect, the laptop had suspended and returned back to life, and the upgrade just resumed with no problem. Wow! I love you Debian! After 15 minutes, I had to suspend again, since the bus arrived and I had to take the metro. In the metro, the upgrade resumed, and finished. I shutdown my laptop and arrive to work.

Testing testing :)

In a break for lunch, I opened my brand new laptop (the hardware is the same, but the software totally renewed, so it’s brand new for me). I have to say that use xfce, with some GNOME/GTK apps installed (gedit, cheese, evince, XChat…) and some others that use Qt or are part of the KDE project (Okular, Kile, QtLinguist, Pumpa, Dianara). I don’t know/care too much about desktops and tweaking my desktop: I just put the terminal and gedit in black background, Debian wallpaper is enough dark for me so ok, put the font size a bit smaller to better use my low-vertical-resolution, and that’s all, I only go to configure something else if there’s something that really annoys me.

My laptop booted correctly and a nice, more modern LightDM was greeting me. I logged in and everything worked ok, except some issues that follow.

Network Manager and WPA2-enterprise wireless connections

I had to reconfigure some wireless connections in Network Manager. At the University we use WPA2-enterprise, TTLS + PAP. I had stored my username and password in the connection, and network manager seemed to remember the username but not the password. No problem, I said, and I wrote it when it asked, but… the “Save” or “OK” button was greyed out. I could not click it.

Then I went to edit the connections, and more or less the same, it seems that I could edit, but not save the (new) configuration. Finally, I removed the wireless connection and created it again, and everything worked as a charm.

This, I had to do it with the two wireless in my University (both of them are WPA2-enterprise TTLS + PAP). At home, I have WPA2 personal, and I had no issues, everything worked ok.

This problem is not appearing in a fresh install, since there are no old configs to keep.

Adblock Plus not working any more

I opened Iceweasel and I began to see ads in the webpages that I visited. What? I checked and Adblock plus was installed and activated… I reinstalled the package xul-ext-adblock-plus and it worked again.

Strange display in programs based on Qt

When I opened Pumpa I noticed that the edges of the windows where too rough, as if it was not using a desktop theme. I asked to a friend that uses Plasma and he suggested to install qt4-qtconfig, and then, select a theme for my Qt apps. It worked like a charm, but I find strange that I didn’t need it before in stable. Maybe the default xfce configuration from stable is setting a theme, and the new one is not setting it, and so, the Qt apps are left “barefoot”.
With qtconfig I chose a GTK+ Style GUI for my Qt apps and then, they looked similar to what I had in stable (frankly, I cannot say if it was “similar” or “exactly the same”, but I didn’t find them strange as before, so I’m fine).

Strange display in programs from GNOME

Well, this is not a Jessie problem, it’s just that some programs adopted the new GNOME appearance, and since I’m on xfce, not on GNOME, they look a bit strange (no menus integration, and so). I am not sure that I can run GNOME (fallback, classic?) in my 1 GB RAM laptop, I have to investigate if I can tweak it to use less memory, or what.

I’m not very tied to xfce, and in fact it does not look so light (well, on top of it, I don’t run light programs, I run Iceweasel, Icedove, Libreoffice, and some others). At work I use GNOME in my desktop, but with GNOME shell, not the fallback or classic modes, so I’m thinking about giving a chance to MATE or second chance to LXDE. We’ll see.

Issues when opening the lid (waking up from suspend)

This is the most strange thing I found in the migration, and the most dangerous one, I think.

As I said before, I don’t tweak too much my desktop, if it works with the default configuration. I’m not sure that I know the differences between suspend, hibernate, hard disks disconnections and so. When I was in stable, and I closed the lid of my laptop, it just shutdown the screen, then I heard something like the system going to suspend or whatever, and after some seconds, the harddisk and fans stop, the wireless led turns off, and the power led begins to blink. Ok. When I open the lid, then it was waking up itself (the power led stayed on, the wireless led turns on, and when I tap the touchpad or type anything, the screen was coming, with the xscreensaver asking for my password). Just sometimes, when the screen was turning on, I could see my desktop for less than a second, before xscreensaver turns the background black and asks for the password.

Now since I migrated to Jessie, I’m experiencing a different behavior. When I close the lid, the laptop behaves the same. When I open the lid, the laptop behaves the same, but when I type or tap the touchpad and xscreensaver comes to ask the password, before than I can type it, the laptop just suspends again (or hibernates, I’m not sure), and I have to press the power button in order to bring it back to life (then I see the xscreensaver again asking for the password, I type it, and my desktop is there, the same as I left it when I closed the lid).

Strange, isn’t it?

I have tried to suspend my laptop directly from the menu, and it comes to the same state in which I have to press the power button in order to bring it back to life, but then, no xscreensaver password is required (which is double strange, IMHO).

Things I miss in Jessie

Well, until now, the only thing I miss in Jessie is the software center. I rarely use it (I love apt) but I think it makes a good job in easing the installation of programs in Debian for people coming from other operative systems (specially after smartphones and their copied software stores became popular).

I hope the maintainer can upload a new version before the freeze, and so, it enters in the release. I’ll try to contact him.

Update 2014/07/20: Julian Andres Klode, maintainer of software-center, just replied (see his comment below) and pointed to GNOME Software (gnome-packagekit) as alternative. I just installed and it looks neat and nice. I’m very happy!


I have a Debian stable laptop at work (this one with xfce + GNOME), I’ll try to upgrade it and see if I see the same problems that I notice in mine. Then, I’ll check the corresponding packages to see if there are open bugs about them, and if not, report them to their maintainers.

I have to review the wiki pages related to the Jessie Desktop theme selection, I think they wanted the wallpaper to be inside before the freeze. Maybe I can help in publicity about that, handle the votings and so. I like Joy, but it’s time to change a bit, new fresh air into the room!

Posted in My experiences and opinion | Tagged , , , , | 7 Comments

New GPG Key!

Achievement unlocked: I have a new GPG key:


pub   4096R/7E4AF4A3 2014-07-13 [caduca: 2016-07-12]
Fingerprint = 445E 3AD0 3690 3F47 E19B  37B2 F226 7446 7E4A F4A3
uid                  Laura Arjona Reina <>
uid                  Laura Arjona Reina <>
uid                  Laura Arjona Reina <>
sub   3072R/CC706B74 2014-07-13 [expires: 2016-07-12]
sub   3072R/7E51465F 2014-07-13 [expires: 2016-07-12]
sub   4096R/74C23D6E 2014-07-13 [expires: 2016-07-12]

The master key is 4096 bit, stored in a safe place, and 2 subkeys 3072 bit, stored in an FSFE Smartcard (I cannot store 4096 keys there).

I have carefully used the FSFE SmartCard Howto and “Creating the perfect GPG keypair” by Alex Cabal for strenghtening hash preferences and creating revocation certificate.

It seems everything works as intended. Passphrase is strong and this time I will not forget it.

As first celebration, 1/2 lt icecream is waiting for me after dinner :)

People knowing me and around Madrid, please send me an encrypted mail as test or normal communication, and ping me to meet and sign keys :)

One more step towards involvement in Debian and free software, controlling my digital life and communications, and becoming familiar with these technologies so I can teach them to my son as ‘the natural way’.


Posted in My experiences and opinion, Tools | Tagged , , , , , , , , | Leave a comment

Some experiences, and TODO, about fonts


I don’t know much about fonts, I just use the stock ones that come with my system. From time to time I have issues with docs that others create, and use other fonts. This post is about my plans on learning a bit more and, at least, know how to solve those issues, if it’s possible, while staying in the bright side (the free-software / free font side).

Long version

The context

I use Debian, LibreOffice, sometimes Inkscape, and LaTeX. One of my favorite hashtags is #iloveplaintext, I don’t know much about design in general, and fonts and typography in particular. I didn’t change the fonts in my desktops (only reduced the size in the laptop, to be able to read a bit more in my low resolution screen), I rarely change the font in Writer (maybe from Liberation Serif to Liberation Sans), I never changed the font in a LaTeX document or LaTeX beamer presentation (I write boring documents, I know) and when I paste from the web, it’s usually because I want to read a long article so I paste as plain text in gedit and print it or save it.

So I’ve never felt to learn more about fonts, it just works, and covers my needs, (or not, but I mostly could live with the issues).

Then a friend in the network, Adrián Perales, published a blog post about Typography (in Spanish) that I liked very much, and I began to think (and remember) some of the issues that I have from time to time with fonts.

Issue #1: League Gothic: a free font that was not installed in my system

Today, again in the network, I discover that the FSF published a poster “Privacy is impossible without free software”, in SVG format, but it didn’t look well when I opened it with GIMP, clearly due to some missing font.

Nice that SVG format is a plain text format (XML)! So I opened the file with gedit and searched for the text string whose font was missing. It was “League Gothic” font, of course a free software font, but not packaged in Debian, it seems.

No problem. I downloaded the font, copied the files in /usr/share/fonts and problem solved.

Issue #2: Book Antiqua: a non-free font (must find equivalent)

A document made with Microsoft Word that one friend sends to me so I review and resend (in PDF format) to other people. It’s a leaflet, and it has text in Arial, in Tahoma, and in Book Antiqua. When I open it with LibreOffice the aspect is wrong (the substitutes are not the same size so some breaking lines and so).

Book Antiqua is not free. I learned that it’s an imitation of the “Palatino” font, and that a similar font in the free software systems is “URW Palladio”. In Writer (LibreOffice), I went to Tools > Options > Fonts and declared the equivalence of the two fonts, so the program would use URW Palladio as a substitute of Book Antiqua. I opened again the document and it was quite better, very similar to the original aspect.

I didn’t bother in changing the text in Arial or Tahoma, since the substitutes that LibreOffice used were quite good. But I bookmarked this page: “A Web Designer Guide to Linux Fonts” for remembering the different fonts that I can try to emulate the Windows ones.

I also know that I can install the “Microsoft Core Fonts for the web” since they are packaged for Debian in the contrib archive. But I’ll try to survive without them for now (until now, I didn’t bother, why should I now that I have the substituting guide?). In other news, I got impressed that MS Core Fonts is #4 in “Most downloads all over the time” in SourceForge, with more than 450 million downloads \o/

Issue #3: Installing a new free font in Debian

So I decided to install one of the fonts that Adrián Perales recommended in his blog post, “Linux Libertine”. Since it is packaged for Debian, it’s super easy:

# apt-get install ttf-linux-libertine

(my LibreOffice was opened, so I closed it and opened again, and the font was there ready for use).

Issue #4: Use a different font in LaTeX

Well, as always, there is not one but many ways to do that in LaTeX. My intuition tells me that if there is a LaTeX package for the font that I want to use, it’s probably a nice idea to just use it.

So I searched about “Linux Libertine” in LaTeX and yes, there is a package (and you can find a very interesting font guide in “The LaTeX font catalogue”). I installed the package texlive-fonts-extra, and then, I added two lines in my LaTeX document:


Compiled, and the resultant PDF was using Libertine font instead of Computer Modern.

TODO (and/or wishlist)

When opening a document that uses a font not present in my system, I maybe wouldn’t notice that a font is missing and I see “a substitute” (and maybe not the best one)!. It would be nice that the program tells the user “This file uses the font X, and it seems it’s not in your system. I’ll use font Y as a substitute”.

I’m not sure if there is a standard way to know which package contains a certain font. I use a web search engine to try to find out, and the websites that I linked in the article.

I have to investigate and learn a bit more about free fonts equivalents to the ones that other people use, and fonts in general, so my documents are more beautiful and people gets interested to know about the tools that I use to produce them.

Well, I’ve written a long blog post (thanks if you read until here!), solved some issues, and try some things, but not even capturing a snapshot to show here! It seems that I’m still lazy, forgive me… I hope at least this #plaintext is useful for you :)

Posted in My experiences and opinion, Uncategorized | Tagged , , , , , , , , | 4 Comments

I need a new GPG Key


This key is no longer usable:

pub  2048R/9C6C32C7 2014-02-16 Laura ARJONA REINA <>
                               Laura ARJONA REINA <>
                               Laura ARJONA REINA <>
                               Old key 0xE20474C3 no longer valid: lost secret key. (Clave antigua 0xE20474C4 ya no es válida: clave secreta perdida.)
Fingerprint=F29B A6D8 D1DC A30F 3E34  53DF 5CD1 FDE5 9C6C 32C7

Please act as if it does not exist. The reason is that I cannot remember the passphrase of my master GPG key. This is why I didn’t signed any of the keys of people that I met in Barcelona MiniDebconf. My geek self steem is a bit undermined, but feeling sorry for myself accomplishes nothing, so I think I will not hide problems and move on.

I’ll post about my new key soon.

Long version

The bad news

The bad news are many.

I generated my key in February 2014 (I generated my very first GPG Key in 2010, as an exercise, but never used it again, and in 2014 I couldn’t remember the passphrase, and the paper where it was written, had got lost before). Anyway, February 2014, new GPG key. I followed the Howto in FSFE wiki in order to use my brand new FSFE SmartCard. I have to admit that I didn’t understand very well how all this works, and it seems that my main mistake was to miss-understand that since I was using a smartcard, with a PIN and an Admin PIN, remembering passphrases was no longer required (only remembering the PINs). I was WRONG! PINs are for daily use with the subkeys of your card (for encryption, decryption, and signing stuff different than GPG keys), you still have the master key that is not in the card (but in a separate medium in a safe place), and for the master key we still use passphrase, and the master key is the one that allows signing keys from other people, and changing, revoking, adding subkeys, etc.

So, it seems I used a random passphrase that I didn’t write down and I could not remember, due to this terrible missunderstanding.

Another bad news is that I didn’t generate a revocation certificate (well in fact, I was going to generate just before signing the first key of another person, and then I realize that it was asking the passphrase, hence the problem). First I thought that it should ask the PIN and my smartcard setup was wrong or anything, but after reading and interchanging emails with other people more experienced than me, I realized that I should remember that passphrase. And I couldn’t. So there are no revocation certificates :(

Another bad news is that some (awesome) people already signed my key, and it will be difficult to meet again so they sign my new key. I was thinking about applying to the Debian new member process this summer, and I have not many opportunities to meet Debian people in person, so I gathered quite a lot signs last March in MiniDebConf Barcelona. Now I’m again at the starting point (well, this is perfect excuse to try to join a Debian event soon :) I don’t know how I would manage to do it, but I’ll try!).

The good news (Always look at the bright side of life…)

The main good news is that I didn’t used the GPG key for signing/encrypting important stuff: I just interchanged some encrypted mail as test with friends, and signed some mails sent to public mailing lists (for signing mails I was using the smartcard PIN so I didn’t notiece the problem).

The other main good news is that my key is not compromised (well, you can never be sure, but I think so). I cannot revoke it but I’m quite sure nothing important depends on that key.

Other good news is that I have read a lot about how GPG works and how the smartcard works, keys and subkeys and all this stuff, and I think now I understand everything quite better. I have learned (and also tried) tools as nasty, John The Ripper and rephrase to try to recover the passphrase. I didn’t recover it, but at least I know that all those (free software) tools exist and how to use them :)

And I have learned the lesson: to be extremely careful, test that everything works (not just try one or two things, test everything) and to not leave work for later (and for example, generate the revocation certificates just right after the keys).

Next steps

I’ll send a message to all the friends that signed or downloaded my old GPG key apologysing and pointing to this blog post so they learn the details about why I create a new key.

I’ll take this opportunity to download and use the Tails (The Agnostic Incognito System, a Debian derivative which is a “live system” and is focused in protecting privacy and anonymity of the user). Tails will be my safe, network disconnected environment to generate the new keys and do the sensible tasks with them. I think this time I will create my main key 4096-bit long (since now I understand that the main key is not stored in the card) and the subkeys can be 2048-bit or 3072 to fit in the smarcard.

Well, hands on! I’ll write another blog post when my new GPG keys are ready. I hope third time’s the charm!

Note: Thank you to all the people that gave me advice and support (knowledge, links, moral support) about this issue. You know who you are!

Posted in My experiences and opinion, Tools | Tagged , , , , , , , | 2 Comments