[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Endorsing Gunnar Hjalmarsson's key F235A25E8A2A9718D7D8BDA36C79687A51F6608C

Le samedi 09 janvier 2021 à 15:46:57+0100, Gunnar Hjalmarsson a écrit :
> Dear Pierre-Elliott,
> Probably I should keep quiet, but it makes me truly sad to see how this
> conversation regarding my application has derailed into unfounded
> allegations, so I have to say something.
> On 2021-01-09 13:40, Pierre-Elliott Bécue wrote:
> > Le jeudi 07 janvier 2021 à 16:35:38+0000, Iain Lane a écrit :
> > > I wrote it by myself.
> > 
> > I express sincere doubts: Sebastien wrote the same thing the day before,
> No he did not. According to my mail copies as well as the archived MHonArc
> copies Iain submitted the first endorsement statement. Sebastien submitted
> his statement a fully hour later, and it was probably Sebastien who used
> Iain's wording as a template.

I realize indeed that Iain removed his former endorsement and posted a
new one which is, by consequence, more recent than Sebastien's one. My
bad. Anyway, this does not change the fact that both are almost

> > with the same formatting, with the same typo in the key fingerprint
> > chosen for the endorsement.
> Iain has corrected the key id typo, and Sebastien probably will do the same
> soon. If we leave the unfortunate key id mix-up aside, was it really
> improper by Sebastien to use Iain's wording as a template? Please note that
> they have very similar histories as regards interacting with me on Ubuntu
> and Debian matters.

Endorsement is the proof or work of a specific person with another
having used a key identified by a fingerprint as authentication manner.
What trust of such specific interactions between two persons do you get
in a blank copy of the same statement?

How much trust should I give to these statements if ten persons were to
use the same template? A hundred? To me, the more c/p, the less trust I
get, because I can't be certain if these copies were made for
efficiency's sake, due to laziness, or for any other reason.

> > > Here, for confirmation, is what you're asking for:
> > > 
> > > I have known Gunnar for years under the key
> > > 
> > >    0CFE 997B 7245 80A7 FA72  F8CF F0B1 10E7 5A69 2F32
> > 
> > I'm afraid Gunnar didn't take the habit of signing his mail and side
> > work, only his uploads of packages on Ubuntu repos.
> That's basically true. Coming from Ubuntu, with a slightly different model
> for building trust compared to Debian, I haven't signed much on the Debian
> side up to now. My uploads to mentors of proposed Debian uploads were of
> course signed, but those signatures are not kept if I understand it
> correctly.
> Yesterday I sent a private mail to Mattia Rizzolo about this same topic. I
> think that mail would fit well as additional input in this conversation, but
> I can't make it public without asking Mattia first.
> > We'll have to see if Keyring Maintainers would be okay with you > endorsing his new key relying on signed work he did in unbutu with
> > his older one.
> > 
> > Not sure of their answer.
> It's not fun to see my possibilities to become a Debian member being
> jeopardized by misconceptions and suspicions, so in any case please sort it
> out and hold the further conversation in a more civil manner.

No one is having any kind of fun here. I just have strong troubles
giving any credit to two identical texts of two different persons
stating almost the same thing (one just having mentioned ibus), and
which initially relied on the same typo, which tends to make thing at
least one person did not at all read what they copied/pasted.

As it is my job to determine whether or not a keycheck is fullfilled, I
express these doubts, despite it being potentially unpleasant. The
current situation also requires that Keyring Maintainers do feel
comfortable adding your new key to Debian uploading keyring while no one
has interacted with you using this key for any long enough period of

Endorsements are a way to replace GPG signatures by something we can
build trust upon. This is not something to be taken lightly, and the
current situation does not make me consider that that trust is granted.

This is far more true as you're applying to becoming a Debian Developer
with uploading rights without having become a Debian Maintainer first
which doesn't help to have built part of that trust already.


Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.

Attachment: signature.asc
Description: PGP signature

Reply to: