Hey all,
Over the past few weeks, after Joey Hess created the jetring keyring
management tool from whole cloth [0], I've been poking at changing dak
to support a "maintainers" keyring [1] so that we can make it possible for
people who want to work on just one or two packages able to do exactly
that. I think that's at a point that I'm happy with now, so ftpmaster
now effectively has the ability to:
a) add a third keyring for people allowed to upload to the archive,
(in addition to debian-keyring.{gpg,pgp}) that contains keys for
"maintainers" and is managed separately to the developer keyring
b) restrict certain uploaders from sponsoring packages
(ie, giving signing a .changes file that claims to be made by
someone else) and from doing NMUs (ie, uploading a package that's
maintained by someone else and that they're not listed as an
Uploader for, or anything that needs NEW or BYHAND processing)
My theory is that we should do something like this:
1) create a class of contributors called "debian maintainers"
2) have a group of people authorised to maintain the keyring for
those people, using jetring
3) allow existing developers who're already involved in mentoring
and the new-maintainer process to recommend people for inclusion
in the maintainer keyring
If people don't do a good job as a "maintainer" they should have their
priveleges removed fairly promptly; and if a developers recommends
people to be listed as maintainers who turn out to be a problem, or if a
developer just doesn't stay around to help them out when the need arises,
they should stop being allowed to recommend people.
My thought for showing that you're "involved in mentoring" was something
like "has sponsored 30 uploads in the last six months" or "has AMed at
least ten applicants through to DD status" or similar, though I don't
see any reason to make those rules too hard and fast.
The idea is that not everyone who wants to be involved in Debian is
(currently) able to do everything we expect of DDs, or (currently)
wants to do anything more than maintain a couple of packages. At the
moment people who fit that description need a sponsor to help them with
every contribution they make, even if they've already been contributing
for years. I think we can optimise that without losing quality at all,
and leave our sponsors and mentors more time for carefully reviewing
the packages that do need review.
I'm happy to manage the keyring as a trial for a few months, though
I'd prefer not to do it alone, or longterm. ATM I don't know of any
non-developers whose work I'm familiar enough with to be comfortable
recommending myself though, so I definitely can't do (3).
In the long term, I think it would be sensible to have keyring-maint
be a group looking after both this keyring and the developer keyring;
and also to have the members of that team not be part of DSA or DAM to
avoid concentration of powah.
To get a vote, you'd still need to be approved as a DD by the DAM, and
you wouldn't get a login on any d.o machines just by being a maintainer.
Either of those could be changed if we decided we wanted to at some point,
of course.
Cheers,
aj
[0] http://lists.debian.org/debian-project/2007/02/msg00274.html
[1] http://azure.humbug.org.au/~aj/blog/2006/04/12#2006-04-11-maintainers
...is my original blog post on the subject. Marc Brockshmitt posted
about this to d-d-a last year too:
http://lists.debian.org/debian-devel-announce/2006/04/msg00006.html
(see the section "Separate upload permissions, system accounts and
voting rights). Christoph Berg gave a talk on the topic at debconf6
as well, and the video of that is downloadable, see:
http://meetings-archive.debian.net/pub/debian-meetings/2006/debconf6/
Attachment:
signature.asc
Description: Digital signature