
Re: Endorsing xiao sheng wen's key 740D7FE2AB3143E86C8FD12300186602339240CB



*shuffles around the desk looking for his keyring-maint hat*

*finds the hat and puts it on his head*

Ehem...

Sam Hartman said [Sun, Oct 03, 2021 at 11:00:30AM -0600]:
> It's very much about identity, but normally it's about identity in the
> sense of "I interacted with this person using this key for six months."
> 
> I guess there's nothing wrong with an endorsement for a single
> interaction, but my understanding is that in deciding to approve key
> consistency checks, front desk is looking for a long history with a key,
> so a one-time endorsement is unlikely to hold much value on our side.

<keyring-maint>
I completely agree with Sam here. We can easily check whether a given
upload was signed by a given key.

However, as you know, the main way to assert your identity towards
Debian for a long-term commitment is... your GPG key. Key endorsements
were invented because of the difficulty for many of getting real-life
interactions with other developers, especially since the COVID-19
outbreak (but also due to living in a developer-sparse geographic
region).

We want endorsements to reflect you have had a real, meaningful
interaction WRT Debian with a {person,key} pair, helping assert that
said pair has held for a long enough time for Debian to grant
privileges to said person.

So... I would not be comfortable in accepting an identity assertion
based on a just-one-off endorsement.
</keyring-maint>

