Re: [nm-admin] Identification step in the current scheme (Re: Fear the new maintainer process)
On Wed, Aug 02, 2000 at 07:35:40PM +0000, Dale Scheetz wrote:
> On Wed, 2 Aug 2000, Matthew Vernon wrote:
>
> > Dale Scheetz writes:
> >
> > > It comes down to: Can you do "normal" things that may be required by the
> > > task at hand? Scanning a passport seems to be a reasonable skill to
> > > require of incoming members. Isn't it?
> >
> > No. Why should being a debian developer require you to be able to get
> > hold of a scanner?
>
> Why should we require them to have access to a computer?
>
> We don't require this. We do require them to be "competent" enough to be
> able to crate an image file from a document. Consider this a technical
> performance test. "Can the applicant provide a specific document in
> digital format, properly signed?"
This requirement that they provide an image is only for the new-maintainer
process. Debian, as a project, requires people to be competent enough to
sign things (generally packages).
> This just doesn't seem to be the onerous task that several have made it
> out to be. It's just another requirement for becoming a member. Why not
Why do you continue to confuse the issue by bringing in the onerous task
furphy? It is all about trust.
To wit:
Applicant A Applicant B
- has public key - has public key, signed by Wichert*
- has image signed by - has no image file
own public key
The current procedure says that Applicant A has fullfilled the identity
requirements. Applicant B has not.
[*] I use Wichert as an example because there are (at least) two applicants
in the queue for fit this criteria. But the public key could be signed
by any existing Debian developer.
Extrapolations:
1. the new-maintainer process does not trust existing developers;
having your key signed by an existing developer counts for nothing
2. applicants should not bother to get an existing maintainer to
sign their key -- there is no benefit for the purposes of the
new-maintainer process
3. the debian `web of trust' breaks down (further) into a large set
of self-signed individuals but no path to or from large numbers of keys
Recommodation:
That applicants who fit into the case of Applicant B be deemed to have
completed the identification process.
End result:
1. (somewhat) Speedier processing for those applicants are able to
convince existing Debian Developers to sign their key.
2. More pressure on applicants to search out Debian developers in their
area and get to know them. Nothing beats knowing someone IRL.
3. More trusted pathways between developers, a stronger web of trust for
Debian.
> just obliterate all the requirements, and make signing up sufficient to
> membership? We did that at one time, why not now?
You know I know. But I bet large numbers of people don't. Would you like
to prepare a history of Debian's new-maintainer system and the
various requirements, when they were introduced and why that was done?
> If you can't answer the above questions, you simply haven't been paying
> attention to the particulars of the problem posed by new maintainers.
>
> We wish to restrict membership to those people who are open and capable of
> cooperating in a joint project like Debian. Try looking at this from
> Debian's point of view instead of the poor abused applicant.
I have been. It is in the projects interest and in the interest of applicants
to make this change.
For whatever reason, no matter what language I use, you don't seem to grasp
how fundamentally important it is that we trust our existing developers.
Anand
Reply to: