[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Endorsing Gunnar Hjalmarsson's key F235A25E8A2A9718D7D8BDA36C79687A51F6608C

Le dimanche 10 janvier 2021 à 01:10:34+0100, Gunnar Hjalmarsson a écrit :
> > > If we leave the unfortunate key id mix-up aside, was it really
> > > improper by Sebastien to use Iain's wording as a template? Please note that
> > > they have very similar histories as regards interacting with me on Ubuntu
> > > and Debian matters.
> > 
> > Endorsement is the proof or work of a specific person with another
> > having used a key identified by a fingerprint as authentication manner.
> > What trust of such specific interactions between two persons do you get
> > in a blank copy of the same statement?
> Personally I found it natural when I saw it, given the content and the fact
> that my interaction with Sebastien and Iain has been very similar over the
> years. But it's of course up to you and your colleagues - not me - to decide
> what is satisfactory.

But their personalities are not the same, and if these statements were
not public, I suppose that both texts would be quite different, but I
may be wrong.

> > No one is having any kind of fun here. I just have strong troubles
> > giving any credit to two identical texts of two different persons
> > stating almost the same thing (one just having mentioned ibus), and
> > which initially relied on the same typo, which tends to make thing at
> > least one person did not at all read what they copied/pasted.
> > 
> > As it is my job to determine whether or not a keycheck is fullfilled, I
> > express these doubts, despite it being potentially unpleasant.
> Let me say that I respect the latter and also understand the reasons why you
> raised doubts.
> Key endorsements for this purpose was launched recently, and I take it that
> there is no established practice yet on how to formulate such statements. If
> I had been in your position, I would probably have pointed out the key id
> typo. Maybe asked for clarifications, maybe provided some hints on how to
> better express how the key(s) can be linked to my work. Less judgemental.
> Assuming good intentions. At least I hope that I would have acted along
> those lines.

Well, if the two statements did not contain the same typo, I'd probably
have been nicer in the way I said it, but in the current case, it made
me believe that at least one person did not write and review their
endorsement which made me wonder how serious the key endorsement thing
was taken compared to the classic key signing part.

Having spent quite some time bringing this solution alive to try solving
the key signing issue raised by the COVID outbreak, I consider it as
something important to not weaken our way of trusting keys and people
using these.

Apart from that, I have the feeling that here you mixed up me raising
doubts with me using inappropriate phrasing to state my doubts, which
may occur as English is not my native language. While I can feel and be
sorry for the latter, I do not about the former.

> On 2021-01-09 18:39, Jonathan McDowell wrote:
> > On Sat, Jan 09, 2021 at 01:40:00PM +0100, Pierre-Elliott Bécue wrote:
> > > Le jeudi 07 janvier 2021 à 16:35:38+0000, Iain Lane a écrit :
> > > > I have known Gunnar for years under the key
> > > > 
> > > >   0CFE 997B 7245 80A7 FA72  F8CF F0B1 10E7 5A69 2F32
> > > 
> > > I'm afraid Gunnar didn't take the habit of signing his mail and side
> > > work, only his uploads of packages on Ubuntu repos. We'll have to
> > > see if Keyring Maintainers would be okay with you endorsing his new
> > > key relying on signed work he did in unbutu with his older one.
> > > 
> > > Not sure of their answer.
> > 
> > In general I'm not a fan of key changes as part of AM processes; it is
> > much better to continue with an established key if there is no pressing
> > reason to change. A well known 2048R key trumps a new 4096R with no
> > cross signatures.
> Thanks for that clarification, Jonathan! I created the new key solely
> because I thought it would strengthen my case with respect to endorsing. And
> now you say that the opposite is true.
> Needless to say I can switch back to my old key and attach that one to my
> application instead. If that's what you recommend, can you please confirm
> and I'll accomplish the switch.

Is your 2048R key signed by DDs? Otherwise you'll need to get some
endorsements for that key.

To switch, make it active in your nm profile, resubmit your intent,
SC/DMUP statements and I'll remove the ones you signed with your new

> @Pierre-Elliott: That sounds as a 'door opener' to me and it would eliminate
> at least one of the reasons for your doubts, wouldn't it?

My sole preoccupation here is not to weaken our web of trust, so if
your current 2048R key is signed by some DD or endorsable in a strong
way by people, I'll happily approve your keycheck requirement.


Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.

Attachment: signature.asc
Description: PGP signature

Reply to: