On Tuesday 17 November 2020 at 13:19:49+0000, Wookey wrote:
> On 2020-11-17 13:20 +0100, Pierre-Elliott Bécue wrote:
> >
> > Ah, our first endorsement user!
> >
> > I've validated Francis' key checks yesterday.
> >
> > That being said, endorsements is, in our opinion, rather a way to tell
> > that your digital interactions with Francis were with him using that key
> > and not to tell "I signed his key" or "I know who he is", which would be
> > redundant with signatures.
>
> Yeah. But when I looked originally the interface showed '0 DD sigs' on
> the key even though I signed it some weeks/months ago. I guess the signed key
> was not uploaded to wherever nm.debian.org checks against, so I
> thought I'd try your fancy Endorsement UI.

Thanks for trying it! I'm happy it worked. :p

Keys are updated only when one clicks the "update" button afaict, and in particular, the keys are fetched from keyserver.ubuntu.com and keyring.debian.org, so as it seems to be a round robin, some sigs may appear/disappear if both servers don't have the same version of the public key.

In the case of a DM, as their key is not in keyring.debian.org, it's not supposed to be an issue, here the key was just not updated I think.

As far as I remember, any DD can click the update button in the keycheck requirement.

> Then at some point yesterday the signed key was uploaded or you/the
> system checked the sigs so this did indeed become superfluous.
>
> nm.debian.org has got way better since I last interacted. Good
> job. And the process appears to have dramatically sped up too. Looks
> like DM-ship can all be done in a day or two, rather than months.

Yes, we are trying to make things better, DAM's decision to have key endorsable instead of requiring signatures is a good step in that direction.

Normally with that, someone having contributed enough should only take the time of an AM process if they apply for DD or short if applying for DM.

> > I'll add some documentation on the submit endorsement page, but I hope
> > this clarifies it a bit for you!
>
> Yeah it would help to clarify when to sign (and where the sigs need to
> go to get recognised) vs. when to endorse.

The answer is "both are complementary", as sigs are identity certification and endorsement, a relation between someone whose identity is not necessarily proven and a key they used for quite some time.

I think documenting that on the site is a good idea anyway!

Cheers,

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528 F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.