On Thu, May 31, 2007 at 06:37:53PM +1000, Anthony Towns wrote: > First, the "Debian Maintainers" concept > [..] > I think the process should involve: > - automated application process This shouldn't be tricky. Some webpage where the applicant applies and then they point some developers at a page so that they can recommend/advocate him to be a DM. Very similar to nm.debian.org advocate bits. e.g. https://nm.debian.org/nmadvocate.php?email=hgjghj%40hotmail.com (which I presume is a fake application for NM but still) The applicant would provide their keyid, email, name etc. I think technically this is easy but we need to define who can advocate and how much contact with the potential DM is needed (see below). > - as close as feasible to automated keyring maintenance jetring exists and was pretty much designed with this in mind so this should be easy. The format for the changesets so far seems to be: Changed-By: Anthony Towns <ajt@debian.org> Comment: adding holger as debian-maintainer Date: Mon, 26 Feb 2007 18:25:59 +1000 Advocates: ajt - http://lists.debian.org/debian-newmaint/2007/01/msg00037.html kaol - http://lists.debian.org/debian-newmaint/2007/01/msg00038.html [..] KeyCheck: Receiving and checking key pub 1024D/AC583520 2004-05-18 Key fingerprint = 480E 51BA FB08 CB41 75CC 91B1 5072 D036 AC58 3520 uid Holger Levsen <holger@layer-acht.org> [..] NM-Page: https://nm.debian.org/nmstatus.php?email=debian%40layer-acht.org Action: import Data: -----BEGIN PGP PUBLIC KEY BLOCK----- [..] > - minimal requirements: gpg keyring signed by either one or two > developers, recommendation by a developer, We have keycheck.sh [0] already (and it's already used in the above changeset). I think we want some standardised form of recommendations from developers. How about asking: You're receiving this mail because you said you would recommend: Applicant: Joe Bloggs <joe.bloggs@example.org> to be a Debian Maintainer, that is to get a key in the DM keyring and be allowed to upload packages to the archive. As this is a privileged position, we'd ask that you only recommend people who deserve it and that you take the time to fill out the questions below. Be sure to sign this mail with your GPG key. - Is the applicant in NM? - If yes, are you their AM? - Have you sponsored packages into the archive for this applicant (if so describe the quality of the work and the amount/frequency of contributions)? - Have you worked on a packaging team for this applicant (if so describe the quality of the work and the amount/frequency of contributions)? - Have you reviewed other work for this applicant (if so describe it)? The responses are easy to collate and would be sent to some debian mailing list to form the Advocate: bit of the gpg changeset above. > use of existing fields such as "Maintainer:" and "Uploaders:" to > control access, no provision for uploaders to do NMUs or upload > NEW packages etc aj, you're probably best placed to talk about how easy it is to implement the dak changes needed. > - policies developed by consensus and implemented individually by > developers, in a similar manner to policies for sponsored > uploads at present, rather than an individual or group setting > policy or approving applications (like DAM or NEW processing) It may be hard to come to an agreement on who qualifies but I'd suggest: - anyone who is all the way through NM (i.e. after the AM report has been checked by Front Desk) and applies would qualify almost automatically given they can get a couple of developers to sign off the above recommendations. - anyone that is strongly recommended by at least 2 developers who have sponsored in packages for the applicant should be allowed into the DM keyring. - anyone that is strongly recommended by at least 2 developers who have worked with the applicant on a packaging team and have seen the quality of their commits should be allowed into the DM keyring. - or some combination of the above. Does there need to be a period of time for the work? 3 months of sponsorship/working with the applicant? Less? We don't want to put people off but we need to trust them to a certain extent. If it were easy for, say, any 2 developers to get an applicant removed from the DM keyring by sending signed messages in then it would be easy to lower the bar to applicants. I'm not sure about other work that might qualify. Since we're only talking about the ability to upload it seems to make sense to restrict the qualification to packaging work. Comments? Simon. [0] http://alioth.debian.org/plugins/scmcvs/cvsweb.php/templates/keycheck.sh?cvsroot=nm-templates -- oOoOo "1 girl was just abducted." - Mulder "Kidnapped." - Scully oOoOo oOoOo "Potato, potato.." - Mulder oOoOo oOoOo oOoOo
Attachment:
signature.asc
Description: Digital signature