Hey all,

Over the past few weeks, after Joey Hess created the jetring keyring management tool from whole cloth [0], I've been poking at changing dak to support a "maintainers" keyring [1] so that we can make it possible for people who want to work on just one or two packages to do exactly that.

I think that's at a point that I'm happy with now, so ftpmaster now effectively has the ability to:

  a) add a third keyring for people allowed to upload to the archive (in addition to debian-keyring.{gpg,pgp}) that contains keys for "maintainers" and is managed separately to the developer keyring

  b) restrict certain uploaders from sponsoring packages (ie, signing a .changes file that claims to be made by someone else) and from doing NMUs (ie, uploading a package that's maintained by someone else and that they're not listed as an Uploader for, or anything that needs NEW or BYHAND processing)

My theory is that we should do something like this:

  1) create a class of contributors called "debian maintainers"

  2) have a group of people authorised to maintain the keyring for those people, using jetring

  3) allow existing developers who're already involved in mentoring and the new-maintainer process to recommend people for inclusion in the maintainer keyring

If people don't do a good job as a "maintainer" they should have their privileges removed fairly promptly; and if a developer recommends people to be listed as maintainers who turn out to be a problem, or if a developer just doesn't stay around to help them out when the need arises, they should stop being allowed to recommend people.

My thought for showing that you're "involved in mentoring" was something like "has sponsored 30 uploads in the last six months" or "has AMed at least ten applicants through to DD status" or similar, though I don't see any reason to make those rules too hard and fast.

The idea is that not everyone who wants to be involved in Debian is (currently) able to do everything we expect of DDs, or (currently) wants to do anything more than maintain a couple of packages. At the moment people who fit that description need a sponsor to help them with every contribution they make, even if they've already been contributing for years. I think we can optimise that without losing quality at all, and leave our sponsors and mentors more time for carefully reviewing the packages that do need review.

I'm happy to manage the keyring as a trial for a few months, though I'd prefer not to do it alone, or longterm. ATM I don't know of any non-developers whose work I'm familiar enough with to be comfortable recommending myself though, so I definitely can't do (3).

In the long term, I think it would be sensible to have keyring-maint be a group looking after both this keyring and the developer keyring; and also to have the members of that team not be part of DSA or DAM to avoid concentration of powah.

To get a vote, you'd still need to be approved as a DD by the DAM, and you wouldn't get a login on any d.o machines just by being a maintainer. Either of those could be changed if we decided we wanted to at some point, of course.

Cheers,
aj

[0] http://lists.debian.org/debian-project/2007/02/msg00274.html

[1] http://azure.humbug.org.au/~aj/blog/2006/04/12#2006-04-11-maintainers

    ...is my original blog post on the subject. Marc Brockschmidt posted about this to d-d-a last year too:

    http://lists.debian.org/debian-devel-announce/2006/04/msg00006.html

    (see the section "Separate upload permissions, system accounts and voting rights"). Christoph Berg gave a talk on the topic at debconf6 as well, and the video of that is downloadable, see:

    http://meetings-archive.debian.net/pub/debian-meetings/2006/debconf6/
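
The upload restrictions listed under (a) and (b) in the message above, sketched as an added example; this is not dak's code and not the author's. The keyring labels, the `Upload` fields and the choice to compare against the control fields already in the archive are assumptions made for illustration.

```python
from dataclasses import dataclass
from email.utils import getaddresses, parseaddr

def addr(field):
    """Lower-cased e-mail address from a 'Name <addr>' field."""
    return parseaddr(field)[1].lower()

@dataclass
class Upload:                   # hypothetical record, one per signed .changes
    signer_uid: str             # uid of the key that verified the signature
    keyring: str                # "developer" or "maintainer" (assumed labels)
    changed_by: str             # Changed-By field of the .changes
    source: str                 # source package name
    needs_new: bool = False
    needs_byhand: bool = False

def check_upload(up, archive):
    """Return (accepted, reason) for one signed .changes file."""
    if up.keyring == "developer":
        return True, "developer key: unrestricted"
    if up.keyring != "maintainer":
        return False, "key not in an upload keyring"
    signer = addr(up.signer_uid)
    if not signer:
        return False, "no usable address on signing key"
    if addr(up.changed_by) != signer:
        return False, "sponsoring: Changed-By is not the signer"
    if up.needs_new or up.needs_byhand:
        return False, "needs NEW or BYHAND processing"
    current = archive.get(up.source)
    if current is None:
        return False, "source not in archive, so it would be NEW"
    # Assumption: compare against the control fields already in the archive,
    # so an upload cannot grant itself rights by editing Uploaders.
    allowed = {addr(current["Maintainer"])}
    uploaders = getaddresses([current.get("Uploaders", "")])
    allowed |= {a.lower() for _, a in uploaders if a}
    if signer not in allowed:
        return False, "NMU: signer is neither Maintainer nor Uploader"
    return True, "maintainer upload of own package"

# Constructed sample data, not taken from the Debian archive.
ALICE = "Alice Example <alice@example.org>"
ARCHIVE = {
    "foo": {"Maintainer": ALICE},
    "bar": {"Maintainer": "Bob Example <bob@example.org>",
            "Uploaders": "Carol Example <carol@example.org>, "
                         "Alice Example <Alice@Example.org>"},
}
```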