
DAM Key and identity requirements




Hello everyone,

world-wide changes due to COVID-19 prompted us to conduct a long-overdue
review of the GPG key requirements for people applying for Debian
Maintainer (DM) and Debian Developer (DD) membership status.

Before asking Debian Keyring Maintainers [KDO] to add a key to a
keyring, and Debian System Administrators [DSA] to create an account for
a person, as Debian Account Managers we need to enforce some technical
requirements on the GPG key, and perform some identity checks on the
person who is applying.


Technical requirements
----------------------

Technical requirements are unchanged. For completeness, they are:

 * Minimum key size and acceptable algorithms are actually the domain of
   keyring-maint, and we just check those for them.
   At the time of writing this, a new key must be larger than 1024bits,
   ideally at least 4096bits, and capable of hashes stronger than SHA1.
   Please check [KDO] for more recent information.

 * An encryption subkey must be present, since various parts of our
   infrastructure require it.

 * A signature subkey must be there, since various parts of our
   infrastructure require it. Also, it is needed to build up trust (see
   below).

 * At least one User ID (UID) must have a working email address.
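
Checking a key against the technical requirements above, as an added example that is not part of this mail nor of the nm.debian.org or keyring-maint tooling: it parses `gpg --with-colons --list-keys <fingerprint>` output, with field positions taken from gpg's DETAILS documentation. The sample listings are constructed, and treating ECC algorithms 18/19/22 as exempt from the bit-size rule is an assumption.

```python
import re

# Constructed sample listings (not real keys); key ids and fingerprints are dummies.
GOOD_KEY = """\
pub:u:4096:1:0123456789ABCDEF:1591222800:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1591222800::0000000000000000000000000000000000000000::Jane Doe <jane@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1591222800::::::e::::::23:
sub:u:4096:1:1122334455667788:1591222800::::::s::::::23:
"""
BAD_KEY = """\
pub:u:1024:1:0011223344556677:1262304000:::u:::scSC::::::23::0:
uid:u::::1262304000::0000000000000000000000000000000000000000::Jane Doe (no mail)::::::::::0:
sub:r:2048:1:8899AABBCCDDEEFF:1262304000::::::e::::::23:
sub:u:2048:1:0000111122223333:1262304000::::::s::::::23:
"""

MIN_BITS, RECOMMENDED_BITS = 1025, 4096   # "larger than 1024bits", "ideally at least 4096bits"
ECC_ALGOS = {"18", "19", "22"}            # ECDH/ECDSA/EdDSA: short but strong (assumption)
EMAIL_RE = re.compile(r"<[^<>@\s]+@[^<>@\s]+\.[^<>@\s]+>")

def check_key(colons_text):
    """Return [] when the listing meets the requirements, else FAIL:/WARN: strings.
    Hash preferences are not in this listing; check them with 'gpg --edit-key showpref'."""
    recs = [ln.split(":") for ln in colons_text.splitlines() if ln.strip()]
    # field 2 (index 1) is validity: skip revoked, expired, disabled or invalid records
    live = lambda f: f[1] not in ("r", "e", "d", "i")
    pubs = [f for f in recs if f[0] == "pub"]
    subs = [f for f in recs if f[0] == "sub" and live(f)]
    uids = [f for f in recs if f[0] == "uid" and live(f)]
    if len(pubs) != 1:
        return [f"FAIL: expected exactly one primary key, found {len(pubs)}"]
    out = []
    bits, algo = int(pubs[0][2]), pubs[0][3]        # field 3 key length, field 4 algorithm
    if algo not in ECC_ALGOS:
        if bits < MIN_BITS:
            out.append(f"FAIL: primary key is {bits} bits; must be larger than 1024")
        elif bits < RECOMMENDED_BITS:
            out.append(f"WARN: primary key is {bits} bits; 4096 or more is recommended")
    # field 12 (index 11) holds the capabilities of that key: e=encrypt, s=sign
    if not any("e" in f[11] for f in subs):
        out.append("FAIL: no usable encryption subkey")
    if not any("s" in f[11] for f in subs):
        out.append("FAIL: no usable signing subkey")
    # field 10 (index 9) of a uid record is the user id string
    if not any(EMAIL_RE.search(f[9]) for f in uids):
        out.append("FAIL: no user ID carries an email address")
    return out
```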


Identity requirements
---------------------

We are explicitly formalising a new requirement:

   The person controlling the GPG key needs to have an established track
   record of work within/for the project.

This was effectively already checked by Advocates and Application
Managers. It now becomes the primary criterion for granting a key
effective trust within Debian.


We are explicitly formalising also another requirement:

   A natural person may only have one identity in Debian.

This was effectively enforced before by requiring cross-signing keys,
and relying on people doing the cross-signing to have key signing
policies strong enough to reliably connect a key to a person.


Checking an established track record
------------------------------------

 * Sign your work

For anyone doing package upload work, or other kinds of work that
require GPG key signatures, it is fairly straightforward to attribute
activity to a key.

For other kinds of work in Debian where a GPG key is not normally used,
like git commits or Merge Requests, DebConf work, and many others, it
might be harder to prove trust in the key.

The general idea is: sign your work occasionally if possible. You can
sign emails or git commits, for example.


 * Key endorsements

In addition to seeing the reputation for a key based on signatures on
Debian work, we introduce key endorsements. The idea is to allow
advocates - and any other Debian Developer - to witness that they have
interacted with a DM/DD applicant using the GPG key that they are using
for the process.

The process, to be implemented on nm.debian.org, and restricted to
Debian Developers, will be something like this:

 1. lookup a person's key
 2. click on a button saying something like "I have interacted with this
    person with this key"
 3. add a short note with details.

That list of endorsements will be public. Each endorsement will be
timestamped and it will age over time, so that, for example,
endorsements from 3 years ago would not be valid for NM now.

We expect people to endorse keys responsibly.

We also expect that any advocate would be able to provide such an
endorsement, as in advocating they are bringing their experience in
interacting with the person first-hand. There may be corner cases in
which an advocate cannot do that, in which case we will be curious for
an explanation.

For a DM or DD process to finish we require at least 2 recent
endorsements.

As soon as key endorsements are implemented, we will stop requiring
a minimum number of key signatures on nm.debian.org.


Checking that a person has only one identity in Debian
------------------------------------------------------

Having a key cross-signed by Debian Developers was previously
effectively a primary requirement. It now becomes one possible
implementation detail.

If your key is already cross-signed with at least two Debian Developers,
we still consider it good enough: what worked before continues working.

If your key has no trust path towards the Debian Web of Trust when you
are applying, we will require that you GPG-sign a statement saying that
the identity of the person controlling the key corresponds to what is in
at least one key User ID, and that the person does not already have a DM
or DD account under a different name.


Key endorsements mean that one can join Debian with a key that is not
connected to their legal identity - as long as the key is connected to a
significant history and reputation within Debian. We however still
strongly encourage people to cross-sign keys as much as possible.


Miscellaneous considerations
----------------------------

 - We do not intend to interfere in any way with how people conduct key
   signing. Each person has and keeps having their own policy for
   signing keys.
 - This mail effectively moves the entry barrier from "meet 2 random
   people, somewhere" to "you are represented by the work you did and do
   in Debian". We believe that this fits better both the current
   COVID-19 situation, and the general do-ocracy attitude of Debian.
 - These changes only affect the introduction of a new person and their
   associated key into the project. Project members are still advised to
   get cross-signatures on their key to help strengthen our web of trust,
   and to ensure that should their key need replacement they have a
   smooth path to do so, rather than requiring a lengthy process of
   verified activity with a new key before it can be accepted.
 - While in some cases it may be useful to know a person's real identity,
   what we as a project are most concerned with is a good track record of
   doing useful things, that has built up a good reputation. It is more
   beneficial to us to track this aspect of an individual than any
   government assigned ID, as it requires continuous commitment over a
   certain time.


Footnotes
---------

[KDO] https://keyring.debian.org/creating-key.html
[DSA] https://dsa.debian.org/


-- 
Debian Account Managers <da-manager@debian.org>
GPG key rsa4096/57731224A9762EA155AB2A530CA8D15BB24D96F2 2016-06-15 