
[nm.debian.org] Key endorsements are live

As announced in a previous message[0], we have now implemented Key
Endorsements on nm.debian.org, for people in the process of becoming
either Debian Maintainers or Debian Developers.

The principle is to give Debian Developers a way to state that they have
worked with a given person, and that enough of that work was signed by a
given GPG key that the person controlling that key was definitely the
person doing that work.

When logged into nm.debian.org and visiting a person's page[1], every
Debian Project Member will see a new button just to the right of the GPG
fingerprint, which lets them see the person's endorsements on their
currently active fingerprint[2] and submit one. An endorsement is a
GPG-signed statement giving some context about what work you did with
that person using that specific key.

The endorsements are a long-needed step forward in the way we build
trust in people and their keys. It was made urgent by the travel and
meeting restrictions caused by the recent COVID-19 pandemic, which
amplified an issue we have always had: prospective Developers having
difficulty meeting existing Developers in order to enter Debian's web of
trust. Endorsements are complementary to signatures. A signed key will
be valid without endorsements, and a sufficiently endorsed key will be
seen as valid even without signatures. A key with one signature and some
endorsements will also be seen as valid.

What endorsements are

 * A way to witness the use of a given key while working with a given
   person. We don't want to set specific rules about what is worthy of an
   endorsement, but we consider that some short details about the kind of
   work and the kind of key usage should be visible and reported in the
 * Decaying over time: we'll see very old endorsements as less reliable
   than recent ones. If you've worked with someone and endorsed them a
   long time ago, but still worked with them between then and now, it
   could make sense to re-endorse them.
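
As an added illustration (not code from nm.debian.org or the NM team),
the validity rule above and the decay of endorsements can be scored as
follows. The required signature count, the decay window and the weight
threshold are assumed values for the example only; the announcement
fixes no such numbers, and the actual decision stays with Front Desk and
DAM review.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed parameters: the announcement fixes no numbers, so these are
# illustrative placeholders, not nm.debian.org's actual policy.
REQUIRED_SIGNATURES = 2                 # DD signatures that validate a key on their own
DECAY_WINDOW = timedelta(days=3 * 365)  # endorsement weight reaches 0 after 3 years
ENDORSEMENT_THRESHOLD = 2.0             # total weight needed when there is no signature

@dataclass(frozen=True)
class Endorsement:
    endorser: str      # Debian Developer who signed the statement
    fingerprint: str   # key the statement is about
    signed_on: date    # date of the GPG-signed statement

def weight(e: Endorsement, today: date) -> float:
    """Linear decay: 1.0 when fresh, 0.0 at/after DECAY_WINDOW or if dated in the future."""
    age = today - e.signed_on
    if age < timedelta(0):
        return 0.0
    return max(0.0, 1.0 - age / DECAY_WINDOW)

def endorsement_weight(endorsements, fingerprint: str, today: date) -> float:
    """Sum decayed weights for one key; only the newest statement per endorser
    counts, so re-endorsing refreshes an endorsement rather than stacking it."""
    latest = {}
    for e in endorsements:
        if e.fingerprint != fingerprint:
            continue
        if e.endorser not in latest or e.signed_on > latest[e.endorser].signed_on:
            latest[e.endorser] = e
    return sum(weight(e, today) for e in latest.values())

def key_status(signatures: int, endorsements, fingerprint: str, today: date) -> str:
    """The three cases from the announcement; anything else goes to human review."""
    w = endorsement_weight(endorsements, fingerprint, today)
    if signatures >= REQUIRED_SIGNATURES:
        return "valid: signed"
    if signatures == 0 and w >= ENDORSEMENT_THRESHOLD:
        return "valid: sufficiently endorsed"
    if signatures >= 1 and w > 0.0:
        return "valid: signed and endorsed"
    return "needs review"

# Constructed sample data: placeholder fingerprint, fictional endorsers.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
TODAY = date(2021, 1, 1)
SAMPLE = [
    Endorsement("alice", FPR, date(2017, 1, 1)),  # superseded by alice's newer one
    Endorsement("alice", FPR, date(2020, 10, 1)),
    Endorsement("bob", FPR, date(2020, 12, 1)),
]
```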

What endorsements are not

 * Substitutes for key signatures. They are not intended to connect
   identities with a key, only to connect work reputation with a key. We
   still encourage people meeting face to face to sign each other's keys
   whenever it is, or becomes, possible. Note that signed keys won't
   require endorsements. Both methods are complementary.
 * Advocacies: advocacies are about witnessing that a person is
   experienced and responsible enough to have a given status in Debian.
   Key endorsements are about witnessing having worked with a given
   person using a given key. In both cases there has been collaboration
   between the two people. Advocacy gives the thumbs up to a person
   changing their status in Debian. Endorsing a key only connects the
   reputation of a person with that key.

For example, an endorsement statement could be something like:

    > While working on {<package>|<team>|…}, <person> has usually signed
    > their {mails|git commits|…} with the GPG key <this fingerprint>

While an advocacy message would be something like:

    > I have worked with <person> on {<package>|<team>|…} for <time> and
    > I believe they can be trusted to be a full member of Debian, and
    > have unsupervised, unrestricted upload rights, right now.

Currently the endorsements are integrated into the NM processes so that
the 10 most recent endorsements are displayed in the Keycheck
requirement of a process. A Front Desk Member or DAM can review these and
determine whether or not they are sufficient to approve the Keycheck. It
is likely that the exact implementation will change, based on the
experience we gain and the feedback we receive.

So, by all means, if you see things that could or should be improved,
don't hesitate to reach out to us through the BTS, the
https://salsa.debian.org/nm-team/nm.debian.org issues page, or the
nm@debian.org email address!

We hope that this feature will serve its purpose efficiently.


For Debian Account Managers and Front Desk,

Enrico Zini
Pierre-Elliott Bécue

[0] https://lists.debian.org/debian-devel-announce/2020/09/msg00000.html
[1] example: https://nm.debian.org/person/enrico/
[2] example: https://nm.debian.org/fprs/person/enrico/1793D6AB75663E6BF104953A634F4BD1E7AD5568/endorsements/view/

GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
