[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fear the new maintainer process

On Sun, Jul 30, 2000 at 02:22:09PM +0200, Wichert Akkerman wrote:
> Previously Anand Kumria wrote:
> > Applicants whose keys are signed by existing developers must still
> > submit a photographic ID of themselves.
> This is not true as far as I know.

Well two developers have already pointed out otherwise; plus this:

<URL: http://www.debian.org/devel/join/nm-step2>

It talks about an "eyeball" and "handshake" portion (whatever they are)

To satisfy the "handshake" portion you are supposed to provide a key
and an image signed with that key.

To satisfy the "eyeball" portion one means is to have your key signed by
a nother developer. This is, as far as know, how all the AMs have read and 
interupreted this.  In fact I don't recall anyone using clauses 2 or 3
to close the "eyeball" loop.

Jim and Dale are, as I understand things, new-maintainer@debian.org.

Jim, in Message-ID: <XFMail.20000720080255.jwest@netnw.com>, says:

"A gpg key signed by another developer, is just a signed key; it                 is not the same thing as a photo ID signed with that private                    key."

While he does later add "just my 2 cents", Dale has said similiar things
as well (I did a summary of them in March on the mailing list).

I think the identification step should be in two halves:

- An applicant must have a public key.

1. The key must be acceptable to GNU Privacy Guard (GnuPG) without
additional (non-free) modules
2. The key must be self-signed

If an applicants key is already signed by an existing Debian Developer, the
identification step is deemed complete. Continue with Step 3 and exit Step 2.

- An applicant should provide another means of identifying themselves

This applies if the applicants key is not already signed by an existing
Debian Developer. Some possible means are:

1. A signed image of themselves
2. A reference by someone known to both the applicant and the AM (e.g. Linus)
3. (potentially) A well known signatory on their public key (e.g. RMS)
4. Some other means acceptable to both the applicant and the AM.

I list 3 as a potential as this possibility does not currently exist
in closing the "eyeball" section.


Reply to: