
Re: [nm.debian.org] Key endorsements are live



On Sunday 08 November 2020 at 21:15:34+0000, Paul Sutton wrote:
> 
> On 08/11/2020 20:51, Enrico Zini wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> > 
> > Hello,
> > 
> > As it was announced on a previous message[0], we have now implemented
> > Key Endorsements on nm.debian.org, for people in the process to become
> > either Debian Maintainers or Debian Developers.
> > 
> > The principle is to give Debian Developers a way to tell that they've
> > worked with a given person, and that enough of that work was signed by a
> > given GPG key, that the person controlling that key was definitely the
> > person doing that work.
> > 
> > When logged into nm.debian.org and visiting a person's page[1], every
> > Debian Project Member will see a new button just on the right of the GPG
> > fingerprint, allowing them to see the person's endorsements on their
> > currently active fingerprint[2], and to submit one. An endorsement is a
> > GPG-signed statement giving some context about what work you did with
> > that person with that specific key.
> > 
> > The endorsements are a long-needed step forward in the way we build
> > trust in people and their keys. It was made urgent by the travel and
> > meeting restrictions caused by the recent COVID-19 pandemic, which
> > amplified an issue we've always had when prospective Developers had
> > difficulties in meeting existing Developers to enter Debian's web of
> > trust. Endorsements are complementary with signatures. A signed key will
> > be valid without endorsements, and a sufficiently endorsed key will be
> > seen as valid even without signatures. A key with one signature and some
> > endorsements will also be seen as valid.
> > 
> > What endorsements are
> > =====================
> > 
> >   * A way to witness the use of a given key while working with a given
> >     person. We don't want to set specific rules about what is worthy of an
> >     endorsement, but we consider that some short details about the kind of
> >     work and the kind of key usage should be visible and reported in the
> >     endorsement.
> >   * Decaying over time: we'll see very old endorsements as less reliable
> >     than recent ones. If you've worked with someone and endorsed them a
> >     long time ago, but still worked with them between then and now, it
> >     could make sense to re-endorse them.
> > 
> > What endorsements are not
> > =========================
> > 
> >   * Substitutes for key signatures. They are not intended to connect
> >     identities with a key, only to connect work reputation with a key. We
> >     still encourage people meeting face to face to sign each other's key,
> >     whenever it is or will be possible. Note that signed keys won't
> >     require endorsements. Both methods are complementary.
> >   * Advocacies: advocacies are about witnessing that a person is
> >     experienced and responsible enough to have a given status in Debian.
> >     Key endorsements are about witnessing having worked with a given
> >     person using a given key. In both cases there has been collaboration
> >     between the two people. Advocacy gives the thumbs up to a person
> >     changing their status in Debian. Endorsing a key only connects the
> >     reputation of a person with that key.
> > 
> > For example, an endorsement statement could be something like:
> > 
> >      > While working on {<package>|<team>|…}, <person> has usually signed
> >      > their {mails|git commits|…} with the GPG key <this fingerprint>
> > 
> > While an advocacy message would be something like:
> > 
> >      > I have worked with <person> on {<package>|<team>|…} for <time> and
> >      > I believe they can be trusted to be a full member of Debian, and
> >      > have unsupervised, unrestricted upload rights, right now.
> > 
> > Currently the endorsements are integrated into the NM processes so that
> > the 10 most recent endorsements are displayed in the Keycheck
> > requirement of a process. A FrontDesk Member or DAM can review these and
> > determine whether or not they are sufficient to approve the KeyCheck. It
> > is likely that the exact implementation will change, based on the
> > experience we will have and the feedback we will receive.
> > 
> > Henceforth, by all means, if you see things that could or should be
> > improved, don't hesitate to reach out to us through either the BTS,
> > https://salsa.debian.org/nm-team/nm.debian.org issues page or via the
> > nm@debian.org email address!
> > 
> > We hope that this feature will serve its purpose efficiently.
> > 
> > Bests,
> > 
> > For Debian Account Managers and Front Desk,
> > 
> > Enrico Zini
> > Pierre-Elliott Bécue
> > 
> > [0] https://lists.debian.org/debian-devel-announce/2020/09/msg00000.html
> > [1] example: https://nm.debian.org/person/enrico/
> > [2] example: https://nm.debian.org/fprs/person/enrico/1793D6AB75663E6BF104953A634F4BD1E7AD5568/endorsements/view/
> > -----BEGIN PGP SIGNATURE-----
> > 
> > iQJKBAEBCAA0FiEEV3MSJKl2LqFVqypTDKjRW7JNlvIFAl+oWiYWHGRhLW1hbmFn
> > ZXJAZGViaWFuLm9yZwAKCRAMqNFbsk2W8uudEACsuT5fxI3IJrzhn5buLGfoS+D2
> > sGApvLtPJ8KuuAXWGn0OAcUGTMlO0ZZl82kB9PYQo8+xL6rvEGyOr9MGBYuVjlyH
> > ptUcwnknKl5zjBz7NRXRjSfeV0bq/sBhbgc5lM4RkGAjBCcJCEnvfXDJU/53addr
> > hQXksocqOUfH28BBqTFvhpPuQwCnF89vufjdYIF9iaPmwlGaZ+sifRhWJdrdCZHl
> > 1h4I7IxKUm5Kr/QkKuz2RiQv7HFhmkZTTFtROXDGmu2P0M0rX9i2277fmn7srUSS
> > MQQCxT4yjdV6Miym3nfUL1bzrfNAL046vjNTkcs8nmzk4zC6AUW7VXCKczpmBwl5
> > YcZm5EP8XmP6MIRHq3if2Qqv2905vkytcLPg8JalmJ5yiJp+nn+O6yHR5YqwArn2
> > 31eUJy8lcnaMByRha8wb8kUheKZezMBzWCJPKwPk6saDCnPQCUXTg4EIKnfZMXuO
> > LgTmKqTVgmZR4Gonb3ZsycsMR2ZhS9CWawJv5I3zvCTdbdhhJyENqA11S5GLZNPp
> > +6UfTK9hlSw1evZ/lPkesKYgqKHBSFEuD+TV9I4gH7HwvX4pwhWZM4DHRvTDA3Rk
> > 6kDu+hSrNoJSve9No1nythhm1mQrimKJ5R4RgBIaXNUK2ZvxkMsgD+ExB/2MwT5h
> > MpH+KAv29eJwQnONzg==
> > =E2To
> > -----END PGP SIGNATURE-----
> > 
> Hi
> 
> I just wondered if anyone would be able to create or help create a short
> course on this for Debian Academy please?
> 
> Or maybe any input in to what could go in to this?
> 
> Just an idea if it helps people get started
> 
> Regards

Dear Paul,

What kind of information would you need us to write?

Cheers,

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
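The announcement above describes three validity cases (a signed key, a sufficiently endorsed key without signatures, one signature plus some endorsements), time-decaying endorsements, re-endorsement, and endorsements tied to one specific fingerprint. The following is an added example that models those rules as a small policy function; it is not nm.debian.org code. The announcement sets no numbers, so the signature count, the half-life, the weight thresholds, the exponential decay curve and the sample endorsers and fingerprints are all assumptions made for illustration.

```python
"""Toy model of the key-validity rules sketched in the key-endorsement
announcement.  Added example, not nm.debian.org code: every threshold and
the decay curve below are assumed, the announcement gives none."""
from dataclasses import dataclass
from datetime import date

# Assumed policy parameters (not specified by the announcement)
SIGNATURES_ALONE = 2                  # DD signatures that validate a key on their own
ENDORSEMENT_HALF_LIFE_DAYS = 365      # an endorsement's weight halves every year
WEIGHT_WITHOUT_SIGNATURE = 2.0        # "sufficiently endorsed" with no signature
WEIGHT_WITH_ONE_SIGNATURE = 1.0       # "some endorsements" next to one signature


@dataclass(frozen=True)
class Endorsement:
    endorser: str       # Debian Developer whose GPG key signed the statement
    fingerprint: str    # fingerprint the statement is about
    made_on: date
    statement: str      # the short context the announcement asks for


def endorsement_weight(e: Endorsement, today: date) -> float:
    """Exponential decay: an older endorsement counts for less."""
    age_days = max((today - e.made_on).days, 0)
    return 0.5 ** (age_days / ENDORSEMENT_HALF_LIFE_DAYS)


def effective_endorsements(fingerprint: str, endorsements, today: date):
    """Endorsements for this fingerprint only, one per endorser, newest first.

    A DD who re-endorses replaces their earlier statement, so nobody can
    accumulate weight by endorsing the same key repeatedly.
    """
    latest = {}
    for e in endorsements:
        if e.fingerprint != fingerprint or e.made_on > today:
            continue  # another key, or a future-dated statement: ignore
        if e.endorser not in latest or e.made_on > latest[e.endorser].made_on:
            latest[e.endorser] = e
    return sorted(latest.values(), key=lambda e: e.made_on, reverse=True)


def key_trust(fingerprint: str, dd_signatures: int, endorsements, today: date):
    """Return (valid, reason) following the announcement's three cases."""
    kept = effective_endorsements(fingerprint, endorsements, today)
    weight = sum(endorsement_weight(e, today) for e in kept)
    if dd_signatures >= SIGNATURES_ALONE:
        return True, "signed key, endorsements not required"
    if dd_signatures == 1 and weight >= WEIGHT_WITH_ONE_SIGNATURE:
        return True, f"one signature plus endorsement weight {weight:.2f}"
    if dd_signatures == 0 and weight >= WEIGHT_WITHOUT_SIGNATURE:
        return True, f"no signature but endorsement weight {weight:.2f}"
    return False, f"insufficient: {dd_signatures} signature(s), weight {weight:.2f}"


# Constructed sample data: placeholder endorsers and fingerprints, not real keys.
FPR = "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"
TODAY = date(2020, 11, 9)
SAMPLE = [
    Endorsement("dd-alice", FPR, date(2020, 10, 1),
                "While working on team-x, applicant signed git commits with this key"),
    Endorsement("dd-bob", FPR, date(2017, 11, 9),   # three years old, weight ~1/8
                "While working on package-y, applicant signed mails with this key"),
    Endorsement("dd-bob", FPR, date(2020, 9, 1),    # re-endorsement supersedes 2017 one
                "Still working on package-y; commits signed with this key"),
    Endorsement("dd-carol", "1111 1111 1111 1111 1111  1111 1111 1111 1111 1111",
                date(2020, 10, 15), "Different fingerprint; must be ignored"),
]


def demo() -> dict:
    """Validity of FPR for 0, 1 and 2 DD signatures against SAMPLE."""
    return {sigs: key_trust(FPR, sigs, SAMPLE, TODAY)[0] for sigs in (0, 1, 2)}


if __name__ == "__main__":
    for sigs in (0, 1, 2):
        print(sigs, key_trust(FPR, sigs, SAMPLE, TODAY))
```

With the assumed parameters the two current endorsements weigh about 1.8 together: enough next to one signature, not enough on their own, which is the kind of borderline a Front Desk member would look at by reading the statements themselves. The filtering in `effective_endorsements` is the part worth keeping whatever the numbers: an endorsement only ever counts for the fingerprint it names, and a re-endorsement replaces rather than adds to the same endorser's earlier one.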

