On Thu, Apr 16, 2015 at 10:41:52PM +0100, Jonathan McDowell wrote:

> > I get the numbers from nm.debian.org, both at https://nm.debian.org/api
> > and https://nm.debian.org/public/findperson/
>
> Sadly this list is trivially proved inaccurate; the list for Debian
> Developer, Uploading includes "stew" who was moved to emeritus back in
> January:
>
> https://anonscm.debian.org/cgit/keyring/keyring.git/commit/?id=b768c0a3506631ddeacf4c80ba8f3be6995e8a8f
>
> and "finger stew@db.debian.org" correctly returns no active fingerprint
> for the user.
>
> Copying Enrico who can no doubt comment more about the expected accuracy
> of nm.debian.org; AIUI it's still a work in progress in terms of being
> entirely up to date all the time.

nm.debian.org is supposed to be the authoritative source, but Debian did not grow with having a single membership database, so in practice it needs to be kept manually in sync with changes coming from LDAP and the keyrings.

Examples of membership-related changes that can happen without nm.debian.org knowing are DSA adding a guest account, keyring-maint creating a DM (the current workflow skips FD entirely), keyring-maint replacing a key, keyring-maint removing a compromised key.

Keeping it in sync manually is work, and I'm the only one who has been doing it. I've recently fallen behind, because syncing DMs from keyring changes is nontrivial[1] work and a lot of new DMs piled up, and there is a large amount of 1024->4096 key changes pending, too.

Now that keyring-maint has introduced machine-parsable and signed git logs, the sync with keyring can be automated somehow. It's a Simple Matter Of Programming, I already got started, but I'm the only one writing code.

After that is done, we're left with the problem of DMs: the current workflow skips nm.debian.org entirely, so the data sources for new DMs are the keyring and RT, and none of them has information about alioth account names, which would be needed for sso.debian.org to work, so new DMs currently require extra manual intervention to be able to log into sites like nm.d.o and contributors.d.o, or DebConf.

Also, if we want to be strict and have DAM really responsible and authoritative for new accounts, some of the syncing from DSA and keyrings needs manual approval anyway, otherwise keyring-maint and DSA people will be able to create/remove developers without DAM knowing. I do not think that is a risk that we have at the moment, though, but it's a thought.

There are ideas flying around. One is that DMs have a name in LDAP, or that the workflow for DM starts by filling in a form on nm.debian.org, which would simplify *a lot* of things, since most of the procedure for becoming DMs is made of mechanical steps.

If we're not in a super hurry, we can make this all happen during Debconf at the latest. Or during a DebCamp sprint: we can organise a sprint about that, if there are other people interested in working on it.

[1] nm.debian.org needs to have the first/middle/last name split that LDAP has, so I need to work out that split from full names in key UIDs, among other things, which is nontrivial: http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/

Enrico

-- 
GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>