On Fri, Apr 17, 2015 at 10:00:56AM +0100, Jonathan McDowell wrote: > > As far as I know relying on the keyring and ldap has always been > > incorrect. The number was always off by a few. > > I've never quite understood why LDAP isn't accurate, but I couldn't > figure out a simple query and even > '(&(gidNumber=800)(!(shadowExpire=1))(objeass=debianDeveloper))' > gives 988 entries of which some are incorrect. [...] > The astute will notice that this leaves 981 keys, whereas I counted 983 > keys in the keyrings. It turns out there are 2 DDs who have removed 1024 > bit keys but who have locked LDAP accounts (issue with SSH key on one, > "DSA locked" on the other as comments). > > Anyway. The 2 things to take away are a) yes, it's depressingly hard to > work out how many voting members Debian has and b) the answer is 986 at > present. Indeed. We have multiple user databases, each with its own sets of corner cases. We cannot currently univocally identify a person by account name (DMs and Debian Contributors do not have one), by alioth account name (a person can have many), by GPG key (a DD can have none, in case they just revoked a stolen one), by full name (hi Brian Nelson(s) and Luca Bruno(s)), by email (it changes). LDAP login can be disabled when one becomes emeritus or temporarily after a case of abuse. DSA can create guest accounts. In nm.debian.org's nightly maintenance I run a lot of code that computes differences between these data sources, so we have the capability of tracking things, and the possibility of manually tweaking nm.debian.org to really fit the bill. But since we have also a need for manual tweaks, it gets out of date. > > It's was my understanding that DAM says that nm.debian.org is > > authoritative. > That is the eventual goal but at present various pieces of information > are manually updated. Enrico and keyring-maint have been working on > making it easier for nm.d.o to track keyring changes but there's still > more to be done before this is complete. There's a vague plan to get > this done during DebConf if not before. And indeed that'd be the way forward as I see it: reduce the need for manual intervention as much as possible, so that routine takes care of itself, and manual intervention is only needed for corner cases, which are hopefully few and far apart in time. Enrico -- GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
Attachment:
signature.asc
Description: Digital signature