Hi again, Replying below to both Pierre-Elliott and Jonathan. On 2021-01-09 17:25, Pierre-Elliott Bécue wrote:
Le samedi 09 janvier 2021 à 15:46:57+0100, Gunnar Hjalmarsson a écrit :Le jeudi 07 janvier 2021 à 16:35:38+0000, Iain Lane a écrit :I wrote it by myself.I express sincere doubts: Sebastien wrote the same thing the day before,No he did not. According to my mail copies as well as the archived MHonArc copies Iain submitted the first endorsement statement. Sebastien submitted his statement a fully hour later, and it was probably Sebastien who used Iain's wording as a template.I realize indeed that Iain removed his former endorsement and posted a new one which is, by consequence, more recent than Sebastien's one. My bad.
Hey, to me that sounds as an apology to Iain. Great! :) Your direct questioning of Iain's word was the straw that broke the camel's back for me, and it triggered me to join the discussion. Let's see if Iain and Sebastien can come up with something similar, and with that help making the tone here a bit less ... tense.
If we leave the unfortunate key id mix-up aside, was it really improper by Sebastien to use Iain's wording as a template? Please note that they have very similar histories as regards interacting with me on Ubuntu and Debian matters.Endorsement is the proof or work of a specific person with another having used a key identified by a fingerprint as authentication manner. What trust of such specific interactions between two persons do you get in a blank copy of the same statement?
Personally I found it natural when I saw it, given the content and the fact that my interaction with Sebastien and Iain has been very similar over the years. But it's of course up to you and your colleagues - not me - to decide what is satisfactory.
No one is having any kind of fun here. I just have strong troubles giving any credit to two identical texts of two different persons stating almost the same thing (one just having mentioned ibus), and which initially relied on the same typo, which tends to make thing at least one person did not at all read what they copied/pasted. As it is my job to determine whether or not a keycheck is fullfilled, I express these doubts, despite it being potentially unpleasant.
Let me say that I respect the latter and also understand the reasons why you raised doubts.
Key endorsements for this purpose was launched recently, and I take it that there is no established practice yet on how to formulate such statements. If I had been in your position, I would probably have pointed out the key id typo. Maybe asked for clarifications, maybe provided some hints on how to better express how the key(s) can be linked to my work. Less judgemental. Assuming good intentions. At least I hope that I would have acted along those lines.
On 2021-01-09 18:39, Jonathan McDowell wrote:
On Sat, Jan 09, 2021 at 01:40:00PM +0100, Pierre-Elliott Bécue wrote:Le jeudi 07 janvier 2021 à 16:35:38+0000, Iain Lane a écrit :I have known Gunnar for years under the key 0CFE 997B 7245 80A7 FA72 F8CF F0B1 10E7 5A69 2F32I'm afraid Gunnar didn't take the habit of signing his mail and side work, only his uploads of packages on Ubuntu repos. We'll have to see if Keyring Maintainers would be okay with you endorsing his new key relying on signed work he did in unbutu with his older one. Not sure of their answer.In general I'm not a fan of key changes as part of AM processes; it is much better to continue with an established key if there is no pressing reason to change. A well known 2048R key trumps a new 4096R with no cross signatures.
Thanks for that clarification, Jonathan! I created the new key solely because I thought it would strengthen my case with respect to endorsing. And now you say that the opposite is true.
Needless to say I can switch back to my old key and attach that one to my application instead. If that's what you recommend, can you please confirm and I'll accomplish the switch.
@Pierre-Elliott: That sounds as a 'door opener' to me and it would eliminate at least one of the reasons for your doubts, wouldn't it?
Regards, Gunnar Hjalmarsson
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature