
DAM rejection of Kai Hendry



Hi

as Kai just asked me to make it public:

I did reject his NM application on 21 Jan 2008, 21:17 UTC.

Summary:
- He is rejected; it's a weak rejection.
- He can reapply to NM after at least 6 months have passed.

- I haven't said anything about DM, so in case he finds advocates
  and there aren't multiple DDs issuing a veto on his DM application he
  can get DM status.

- There is currently a discussion phase in the NM committee, and as it's
  a weak rejection the committee may decide to override my rejection.
  Usually that phase ends after about a week, when FD goes and deletes
  the NM entry for the rejected applicant.

  Quoting relevant parts from the rejection "howto" mail:
  Applicants can put forward arguments against their rejection and
  they can also ask Debian developers to write references for them and
  these will be taken into account during the discussion of the NM
  committee.
  During the NM committee discussion, a member can only vote to override
  the DAM's decision if he has arguments for this.

  Committee members are AMs that are active (i.e. haven't retired) and
  that approved an applicant in the last six months.

  Weak rejections are for applicants I'm unconvinced should become a
  developer.  The NM committee can override my decision if 1/4 of the
  committee decides that the applicant should be approved.


My rejection mail:
--8<------------------------schnipp------------------------->8---
I'm now rejecting Kai Hendry according to the Guidelines
at [1]; this is a weak rejection. Sorry for the delay in doing this, but
writing a rejection isn't an easy task and takes lots of time.


Reason:

First a bit of history: Kai had multiple AMs during his process. He
went, at least, from Marc 'HE' Brockschmidt to Moray Allan and then
Moritz Muehlenhoff, who finished the process with him. Marc and Kai had
"agreed to disagree", up to the level where Marc as the AM did want to
reject him. Frontdesk reassigned to Moray and later to Moritz.


Now, there are multiple points that made me decide to reject Kai for
now. One goes back to 2004, when it escalated all the way up to me as
DAM, reaching me in early February 2005. The relevant blog entry from Kai
is at [2], and my reply to his mail is in [3]; basically I asked
for a new key. When Kai got reassigned from Marc to Moray, Moray went
and asked him about his key.

Moray:
--8<------------------------schnipp------------------------->8---
On Thu, 2005-02-03 at 16:53 +0200, Kai Hendry wrote:
> I do not have a laptop or a PC, which I think are needed to fulfil your
> conditions.
 
> My machine is in Finland, hosted by Teemu. It's all I have. I usually
> work through a putty connection from abroad.

Sorry, I don't follow this -- how have you been signing your messages?
(I can't see how you can have had secure access to your key in Finland.)
--8<------------------------schnapp------------------------->8---

The following two mails are from Kai to Moray. Moray had a mail in
between, but the relevant part is quoted from Kai, so I left that out.
--8<------------------------schnipp------------------------->8---
On Sat, Feb 12, 2005 at 08:49:52PM +0000, Moray Allan wrote:
> > My machine is in Finland, hosted by Teemu. It's all I have. I usually
> > work through a putty connection from abroad.
> Sorry, I don't follow this -- how have you been signing your messages?
> (I can't see how you can have had secure access to your key in Finland.)

Sorry, I did miss this question.

I sign my messages via ssh to my box.

Is "secure access to your key" defined somewhere? Or is it as subjective
as I think it is? My box is hosted with Teemu, a DD. Yes, he can root
it and have access to my key.

My previous AM says I must have a PC in that case. Since I am
travelling, a laptop. But I argue a laptop is less secure while
travelling. USB key stick is just as bad, if not worse.

About my access to my box. When I ssh I am careful. I know I shouldn't
take it personally, but I was almost insulted when you asked me if I
access my box from an infected machine.

Of course I try my very best to minimize this possibility (remember it
is always a possibility), by using live CDs. AVG free edition is
otherwise used when this is not possible.

I hope we won't dwell on this subject too much. I know enough about
security to know that paranoia shouldn't stop me working.
--8<------------------------schnapp------------------------->8---

--8<------------------------schnipp------------------------->8---
On 2005-08-07T21:57+0100 Moray Allan wrote:
> You wrote on your blog:
> > This will be the first time I’ve actually owned a laptop. So I’ll
> > regenerate my GPG key and always carry it around with me, so I can
> > become a proper DD.
> What's the key ID for your new key?  Is it signed by a DD?

64399BE2

http://keys.se.linux.org/pks/lookup?op=vindex&fingerprint=on&search=0x8917ABEA64399BE2

It is signed by Daniel Stone.

> > On second thought I hate that idea. I hate GPG. Those key signings are
> > BORING ffs. I wish uploads were done in some WIKI fashion. Whereby the
> > Debian community could just approve a diff or something. That’s a low
> > barrier to entry for contributions.
> Can you say what you mean here at greater length?

[DAM-ADDITION: Refers to the blog post [4] ]

GPG would still need to be used, but hopefully much less if we had some
sort of wiki interface.

Anyone could upload a diff up to say /wiki
The wiki would show the changes, much like Wikipedia
It would need say one or two DDs to approve the change and then it gets
uploaded.

People who have contributed a couple of patches can also approve patches
in the same way Slashdot awards moderation points.
--8<------------------------schnapp------------------------->8---
Also, JFTR, the key itself now fulfills the ID requirements in
NM. Earlier on it was "only" signed by an emeritus DD.


Now, leaving the "doesn't seem to understand how or why the Web of Trust
works for/within Debian" feeling alone, looking at his contributions to
Debian and his NM process itself. A very short bit after Moritz, as the
third and final AM, sent in his report, DAM got a mail from Moray,
content quoted in [5].

Also, Moritz decided to not ask questions again for the process, letting
Kai manage a transition instead (lesstif1 -> lesstif2). As far as I read
it went pretty well, but all together (the report with everything, the
various mails/pointers to IRC messages I got) it doesn't make me feel like
handing out the account yet, as I think there are things missing. A few
points from that are listed below:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322116

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359838

06-02-2007 (!) hendry is Kai Hendry on #debian-release at server xenon.oftc.net
06-02-2007 <hendry> http://packages.qa.debian.org/w/wordpress.html #
           since there is no stable entry, can I assume there is no Wordpress in
           etch?
06-02-2007 <suihkulokki> hendry: etch is testing
06-02-2007 <jvw> ... etch didn't release yet
06-02-2007 <hendry> i am wondering why there isn't a stable entry
06-02-2007 <hendry> ah, i know

04-04-2007 <hendry> how do I get wordpress 2.0.9 src from Testing Proposed Updates?

13-01-2008 <hendry> if i want to build an unstable package for etch, i
           have the edit the debian/changelog manually and s/unstable/stable right?
           i expect pdebuild to do this for me


Kai: This reject is private (only you, your AM and the nm-committee can
read it). We won't make it public, unless you explicitly ask for that or
do it yourself.



Footnotes:

[1] http://lists.debian.org/debian-newmaint/2003/10/msg00001.html

[2] http://natalian.org/archives/2004/08/02/what-a-weekend/

[3] --8<------------------------schnipp------------------------->8---
    First let me summarize what I know about this:
    - You lost your private key (that's where CD backups help)
    - You had a printout of an ASCII version
    - Scanned that in at a machine of a friend of a friend.
    - Used some OCR software on a system from $someone to get most of the
      scan in text form.
    - You and another one went through the whole file looking for errors in
      that file.
     
    Second:
    I wouldn't ever put my secret key on a machine I do not fully
    control. In fact it isn't even on machines I do control but where others
    have access to. So much for your "Where do we draw the line"; now you
    know where mine is.
     
    For your key: No, it is not considered safe anymore. Please create a new
    one, get it signed by at least one DD and use that for Debian. I would
    also revoke the other one, but it's up to you.
     
    Your email address says helsinki.fi, so I assume India is only a
    temporary thing for you. For how long will you stay there?
    You know that in July there is the Debconf in Helsinki, where you can
    meet a lot of DDs, getting sigs and stuff.
    And Helsinki itself has other DDs there, so it shouldn't be a problem if
    you get back.
    --8<------------------------schnapp------------------------->8---

[4] http://natalian.org/archives/2006/05/26/no-gpg/
    Read all, i.e. comments too.

[5] --8<------------------------schnipp------------------------->8---
    I see that the AM Moritz Muehlenhoff has now marked Kai Hendry as
    approved in the db (though I haven't seen any public report).  I was
    reminded to check his status today after seeing this exchange on
    #debian-devel:
     
    <hendry> i have package here that has great copyright file in LICENSE
    <hendry> if I read that into a Debianised copyright, then fine. but they
    will be updating their LICENSE over time ...
    <pusling> you of course have to check copyright and update the cpoyright
    file on every upstream release
    <hendry> pusling: that's painful
    <hendry> :)
    <pusling> else you get a serious bug filed against you.
     
    Kai still seems to be showing the same worrying gaps in his
    understanding of package maintenance that he demonstrated while I was
    briefly his AM; it doesn't seem to me that he's ready to have
    unsupervised upload rights in Debian.
    --8<------------------------schnapp------------------------->8---
--8<------------------------schnapp------------------------->8---


-- 
bye Joerg
<liw> er, *not* what I meant, is what I meant
