[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Endorsing Gunnar Hjalmarsson's key F235A25E8A2A9718D7D8BDA36C79687A51F6608C

Hi again,

Replying below to both Pierre-Elliott and Jonathan.

On 2021-01-09 17:25, Pierre-Elliott Bécue wrote:
Le samedi 09 janvier 2021 à 15:46:57+0100, Gunnar Hjalmarsson a écrit :
Le jeudi 07 janvier 2021 à 16:35:38+0000, Iain Lane a écrit :
I wrote it by myself.

I express sincere doubts: Sebastien wrote the same thing the day before,

No he did not. According to my mail copies as well as the archived MHonArc
copies Iain submitted the first endorsement statement. Sebastien submitted
his statement a fully hour later, and it was probably Sebastien who used
Iain's wording as a template.

I realize indeed that Iain removed his former endorsement and posted a
new one which is, by consequence, more recent than Sebastien's one. My

Hey, to me that sounds as an apology to Iain. Great! :) Your direct questioning of Iain's word was the straw that broke the camel's back for me, and it triggered me to join the discussion. Let's see if Iain and Sebastien can come up with something similar, and with that help making the tone here a bit less ... tense.

If we leave the unfortunate key id mix-up aside, was it really
improper by Sebastien to use Iain's wording as a template? Please note that
they have very similar histories as regards interacting with me on Ubuntu
and Debian matters.

Endorsement is the proof or work of a specific person with another
having used a key identified by a fingerprint as authentication manner.
What trust of such specific interactions between two persons do you get
in a blank copy of the same statement?

Personally I found it natural when I saw it, given the content and the fact that my interaction with Sebastien and Iain has been very similar over the years. But it's of course up to you and your colleagues - not me - to decide what is satisfactory.

No one is having any kind of fun here. I just have strong troubles
giving any credit to two identical texts of two different persons
stating almost the same thing (one just having mentioned ibus), and
which initially relied on the same typo, which tends to make thing at
least one person did not at all read what they copied/pasted.

As it is my job to determine whether or not a keycheck is fullfilled, I
express these doubts, despite it being potentially unpleasant.

Let me say that I respect the latter and also understand the reasons why you raised doubts.

Key endorsements for this purpose was launched recently, and I take it that there is no established practice yet on how to formulate such statements. If I had been in your position, I would probably have pointed out the key id typo. Maybe asked for clarifications, maybe provided some hints on how to better express how the key(s) can be linked to my work. Less judgemental. Assuming good intentions. At least I hope that I would have acted along those lines.

On 2021-01-09 18:39, Jonathan McDowell wrote:
On Sat, Jan 09, 2021 at 01:40:00PM +0100, Pierre-Elliott Bécue wrote:
Le jeudi 07 janvier 2021 à 16:35:38+0000, Iain Lane a écrit :
I have known Gunnar for years under the key

  0CFE 997B 7245 80A7 FA72  F8CF F0B1 10E7 5A69 2F32

I'm afraid Gunnar didn't take the habit of signing his mail and side
work, only his uploads of packages on Ubuntu repos. We'll have to
see if Keyring Maintainers would be okay with you endorsing his new
key relying on signed work he did in unbutu with his older one.

Not sure of their answer.

In general I'm not a fan of key changes as part of AM processes; it is
much better to continue with an established key if there is no pressing
reason to change. A well known 2048R key trumps a new 4096R with no
cross signatures.

Thanks for that clarification, Jonathan! I created the new key solely because I thought it would strengthen my case with respect to endorsing. And now you say that the opposite is true.

Needless to say I can switch back to my old key and attach that one to my application instead. If that's what you recommend, can you please confirm and I'll accomplish the switch.

@Pierre-Elliott: That sounds as a 'door opener' to me and it would eliminate at least one of the reasons for your doubts, wouldn't it?


Gunnar Hjalmarsson

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

Reply to: