Hi

as Kai just asked me to make it public: I did reject his NM application on 21 Jan 2008, 21:17 UTC.

Summary:

- He is rejected, it's a weak rejection.
- He can reapply to NM after at least 6 months have passed.
- I haven't said anything about DM, so in case he finds advocates and there aren't multiple DDs issuing a veto on his DM application he can get DM status.
- There is currently a discussion phase in the NM committee, and as it's a weak rejection the committee may decide to override my rejection. Usually that phase ends after about a week, when FD goes and deletes the NM entry for the rejected applicant.

Quoting relevant parts from the rejection "howto" mail:

  Applicants can put forward arguments against their rejection and they can also ask Debian developers to write references for them, and these will be taken into account during the discussion of the NM committee. During the NM committee discussion, a member can only vote to override the DAM's decision if he has arguments for this.

  Committee members are AMs that are active (ie. haven't retired) and that approved an applicant in the last six months.

  Weak rejections are for applicants I'm unconvinced should become a developer. The NM committee can override my decision if 1/4 of the committee decides that the applicant should be approved.

My rejection mail:

--8<------------------------schnipp------------------------->8---
I'm now rejecting Kai Hendry according to the Guidelines at [1], this is a weak rejection. Sorry for the delay in doing this, but writing a rejection isn't an easy task and takes lots of time.

Reason:

First a bit of history: Kai had multiple AMs during his process. He went, at least, from Marc 'HE' Brockschmidt to Moray Allan and then Moritz Muehlenhoff, who finished the process with him. Marc and Kai had "agreed to disagree", up to the level where Marc as the AM did want to reject him. Frontdesk reassigned to Moray and later to Moritz.

Now, there are multiple points that made me decide to reject Kai for now. One goes back to 2004, where it escalated all the way up to me as DAM, reaching me in early February 2005. The relevant blog entry from Kai is at [2], my reply to his mail is in [3], basically I asked for a new key.

When Kai got reassigned from Marc to Moray, Moray went and asked him about his key. Moray:

--8<------------------------schnipp------------------------->8---
On Thu, 2005-02-03 at 16:53 +0200, Kai Hendry wrote:
> I do not have a laptop or a PC, which I think are needed to fulfil your
> conditions.
> My machine is in Finland, hosted by Teemu. It's all I have. I usually
> work through a putty connection from abroad.

Sorry, I don't follow this -- how have you been signing your messages?
(I can't see how you can have had secure access to your key in Finland.)
--8<------------------------schnapp------------------------->8---

The following two mails are from Kai to Moray. Moray had a mail in between, but the relevant part is quoted by Kai, so I left that out.

--8<------------------------schnipp------------------------->8---
On Sat, Feb 12, 2005 at 08:49:52PM +0000, Moray Allan wrote:
> > My machine is in Finland, hosted by Teemu. It's all I have. I usually
> > work through a putty connection from abroad.
> Sorry, I don't follow this -- how have you been signing your messages?
> (I can't see how you can have had secure access to your key in Finland.)

Sorry, I did miss this question. I sign my messages via ssh to my box.

Is "secure access to your key" defined somewhere? Or is it as subjective as I think it is?

My box is hosted with Teemu, a DD. Yes, he can root it and have access to my key. My previous AM says I must have a PC in that case. Since I am travelling, a laptop. But I argue a laptop is less secure while travelling. USB key stick is just as bad, if not worse.

About my access to my box. When I ssh I am careful.

I know I shouldn't take it personally, but I was almost insulted when you asked me if I access my box from an infected machine. Of course I try my very best to minimize this possibility (remember it is always a possibility), by using live CDs. AVG free edition is otherwise used when this is not possible.

I hope we won't dwell on this subject too much. I know enough about security to know that paranoia shouldn't stop me working.
--8<------------------------schnapp------------------------->8---

--8<------------------------schnipp------------------------->8---
On 2005-08-07T21:57+0100 Moray Allan wrote:
> You wrote on your blog:
> > This will be the first time I've actually owned a laptop. So I'll
> > regenerate my GPG key and always carry it around with me, so I can
> > become a proper DD.
> What's the key ID for your new key? Is it signed by a DD?

64399BE2
http://keys.se.linux.org/pks/lookup?op=vindex&fingerprint=on&search=0x8917ABEA64399BE2

It is signed by Daniel Stone.

> > On second thought I hate that idea. I hate GPG. Those key signings are
> > BORING ffs. I wish uploads were done in some WIKI fashion. Whereby the
> > Debian community could just approve a diff or something. That's a low
> > barrier to entry for contributions.
> Can you say what you mean here at greater length?

[DAM-ADDITION: Refers to the blog post [4] ]

GPG would still need to be used, but hopefully much less if we had some sort of wiki interface. Anyone could upload a diff up to say /wiki. The wiki would show the changes, much like Wikipedia. It would need say one or two DDs to approve the change and then it gets uploaded. People who have contributed a couple of patches can also approve patches in the same way Slashdot awards moderation points.
--8<------------------------schnapp------------------------->8---

Also, JFTR, the key itself now fulfills the ID requirements in NM. Earlier on it was "only" signed by an emeritus DD.

Now, leaving the "doesn't seem to understand how or why the Web of Trust works for/within Debian"-feeling alone, looking at his contributions to Debian and his NM process itself.

A very short bit after Moritz, as the third and final AM, sent in his report, DAM got a mail from Moray, content quoted in [5]. Also, Moritz decided to not ask questions again for the process, letting Kai manage a transition instead (lesstif1 -> lesstif2). As far as I read it went pretty well, but all together (the report with everything, the various mails/pointers to IRC messages I got) it doesn't make me feel like handing out the account yet, as I think there are things missing. A few points from that are listed below:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322116
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359838

06-02-2007 (!) hendry is Kai Hendry on #debian-release at server xenon.oftc.net
06-02-2007 <hendry> http://packages.qa.debian.org/w/wordpress.html # since there is no stable entry, can I assume there is no Wordpress in etch?
06-02-2007 <suihkulokki> hendry: etch is testing
06-02-2007 <jvw> ... etch didn't release yet
06-02-2007 <hendry> i am wondering why there isn't a stable entry
06-02-2007 <hendry> ah, i know

04-04-2007 <hendry> how do I get wordpress 2.0.9 src from Testing Proposed Updates?

13-01-2008 <hendry> if i want to build an unstable package for etch, i have the edit the debian/changelog manually and s/unstable/stable right? i expect pdebuild to do this for me

Kai: This reject is private (only you, your AM and the nm-committee can read it). We won't make it public - except you explicitly ask for that or do it yourself.

Footnotes:

[1] http://lists.debian.org/debian-newmaint/2003/10/msg00001.html

[2] http://natalian.org/archives/2004/08/02/what-a-weekend/

[3]
--8<------------------------schnipp------------------------->8---
First let me summarize what I know about this:

- You lost your private key (that's where CD backups help)
- You had a printout of an ASCII version
- Scanned that in at a machine of a friend of a friend.
- Used some OCR software on a system from $someone to get most of the scan in text form.
- You and another one went through the whole file looking for errors in that file.

Second: I wouldn't ever put my secret key on a machine I do not fully control. In fact it isn't even on machines I do control but where others have access to. So much for your "Where do we draw the line", now you know where mine is.

For your key: No, it is not considered safe anymore. Please create a new one, get it signed by at least one DD and use that for Debian. I would also revoke the other one, but it's up to you.

Your email address says helsinki.fi, so I assume India is only a temporary thing for you. For how long will you stay there? You know that in July there is the Debconf in Helsinki, where you can meet a lot of DDs, getting sigs and stuff. And Helsinki itself has other DDs there, so it shouldn't be a problem if you get back.
--8<------------------------schnapp------------------------->8---

[4] http://natalian.org/archives/2006/05/26/no-gpg/ Read all, ie. comments too.

[5]
--8<------------------------schnipp------------------------->8---
I see that the AM Moritz Muehlenhoff has now marked Kai Hendry as approved in the db (though I haven't seen any public report).

I was reminded to check his status today after seeing this exchange on #debian-devel:

<hendry> i have package here that has great copyright file in LICENSE
<hendry> if I read that into a Debianised copyright, then fine. but they will be updating their LICENSE over time ...
<pusling> you of course have to check copyright and update the cpoyright file on every upstream release
<hendry> pusling: that's painful
<hendry> :)
<pusling> else you get a serious bug filed against you.

Kai still seems to be showing the same worrying gaps in his understanding of package maintenance that he demonstrated while I was briefly his AM; it doesn't seem to me that he's ready to have unsupervised upload rights in Debian.
--8<------------------------schnapp------------------------->8---
--8<------------------------schnapp------------------------->8---

-- 
bye Joerg
<liw> er, *not* what I meant, is what I meant