
Re: Debian Project Leader Election 2015 Results



On Thu, Apr 16, 2015 at 10:41:52PM +0100, Jonathan McDowell wrote:

> > I get the numbers from nm.debian.org, both at https://nm.debian.org/api
> > and https://nm.debian.org/public/findperson/
> Sadly this list is trivially proved inaccurate; the list for Debian
> Developer, Uploading includes "stew" who was moved to emeritus back in
> January:
> https://anonscm.debian.org/cgit/keyring/keyring.git/commit/?id=b768c0a3506631ddeacf4c80ba8f3be6995e8a8f
> and "finger stew@db.debian.org" correctly returns no active fingerprint
> for the user.
> Copying Enrico who can no doubt comment more about the expected accuracy
> of nm.debian.org; AIUI it's still a work in progress in terms of being
> entirely up to date all the time.

nm.debian.org is supposed to be the authoritative source, but Debian did
not grow with having a single membership database, so in practice it
needs to be kept manually in sync with changes coming from LDAP and the
keyrings.

Examples of membership related changes that can happen without
nm.debian.org knowing are DSA adding a guest account, keyring-maint
creating a DM (the current workflow skips FD entirely), keyring-maint
replacing a key, keyring-maint removing a compromised key.

Keeping it in sync manually is work, and I'm the only one who has been
doing it. I've recently fallen behind, because syncing DMs from keyring
changes is nontrivial[1] work and a lot of new DMs piled up, and there is a
large amount of 1024->4096 key changes pending, too.

Now that keyring-maint has introduced machine-parsable and signed git
logs, the sync with keyring can be automated somehow. It's a Simple
Matter Of Programming, I already got started, but I'm the only one
writing code.

After that is done, we're left with the problem of DMs: the current
workflow skips nm.debian.org entirely, so the data sources for new DMs
are the keyring and RT, and none of them has information about alioth
account names, which would be needed for sso.debian.org to work, so new
DMs currently require extra manual intervention to be able to log into
sites like nm.d.o and contributors.d.o, or DebConf.

Also, if we want to be strict and have DAM really responsible and
authoritative for new accounts, some of the syncing from DSA and
keyrings needs manual approval anyway, otherwise keyring-maint and DSA
people will be able to create/remove developers without DAM knowing.
I do not think that is a risk that we have at the moment, though, but
it's a thought.

There are ideas flying around. One is that DMs have a name in LDAP, or
that the workflow for DM starts by filling in a form on nm.debian.org,
which would simplify *a lot* of things, since most of the procedure
for becoming DMs is made of mechanical steps.

If we're not in a super hurry, we can make this all happen during
Debconf at the latest. Or during a DebCamp sprint: we can organise a
sprint about that, if there are other people interested in working on
it.



[1] nm.debian.org needs to have the first/middle/last name split that
    LDAP has, so I need to work out that split from full names in key
    UIDs, among other things, which is nontrivial:
    http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/

Enrico

-- 
GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
