[nm.debian.org] Key endorsements are live

    From Enrico Zini@21:1/5 to All on Sun Nov 8 22:00:02 2020

    Hello,

    As announced in a previous message[0], we have now implemented
    Key Endorsements on nm.debian.org, for people in the process of
    becoming either Debian Maintainers or Debian Developers.

    The principle is to give Debian Developers a way to state that they've
    worked with a given person, and that enough of that work was signed by a
    given GPG key that the person controlling that key was definitely the
    person doing that work.

    When logged into nm.debian.org and visiting a person's page[1], every
    Debian Project Member will see a new button just to the right of the GPG
    fingerprint, allowing them to see the person's endorsements on their
    currently active fingerprint[2], and to submit one. An endorsement is a
    GPG-signed statement giving some context about what work you did with
    that person with that specific key.

    The endorsements are a long-needed step forward in the way we build
    trust in people and their keys. It was made urgent by the travel and
    meeting restrictions caused by the recent COVID-19 pandemic, which
    amplified an issue we've always had: prospective Developers having
    difficulties in meeting existing Developers to enter Debian's web of
    trust. Endorsements are complementary to signatures. A signed key will
    be valid without endorsements, and a sufficiently endorsed key will be
    seen as valid even without signatures. A key with one signature and some
    endorsements will also be seen as valid.

    What endorsements are
    =====================

    * A way to witness the use of a given key while working with a given
    person. We don't want to set specific rules about what is worthy of an
    endorsement, but we consider that some short details about the kind of
    work and the kind of key usage should be visible and reported in the
    endorsement.
    * Decaying over time: we'll see very old endorsements as less reliable
    than recent ones. If you've worked with someone and endorsed them a
    long time ago, but have still worked with them between then and now, it
    could make sense to re-endorse them.
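    The three validity cases above (signed key, endorsed-only key, one signature plus endorsements) and the decay rule, as an added Python model; this is not the nm.debian.org code, and the half-life, the weight thresholds and the reading of "signed" as two or more signatures are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed parameters: the announcement gives no numbers, so these are
# illustrative, not nm.debian.org's real thresholds.
HALF_LIFE_DAYS = 365         # an endorsement's weight halves every year
WEIGHT_WITHOUT_SIGNATURES = 3.0  # endorsement weight standing in for signatures
WEIGHT_WITH_ONE_SIGNATURE = 1.0  # endorsement weight needed beside one signature
SIGNED_THRESHOLD = 2         # assumption: "signed key" = at least 2 signatures


@dataclass(frozen=True)
class Endorsement:
    endorser: str      # Debian Developer making the statement
    fingerprint: str   # the specific key the statement is about
    signed_on: date    # date of the GPG-signed statement
    statement: str     # short context on the work and the key usage


def endorsement_weight(e: Endorsement, today: date) -> float:
    """Decay: old endorsements are seen as less reliable than recent ones."""
    age_days = (today - e.signed_on).days
    if age_days < 0:
        return 0.0  # a future-dated statement is not counted
    return 0.5 ** (age_days / HALF_LIFE_DAYS)


def endorsed_weight(fingerprint: str, endorsements, today: date) -> float:
    """Sum the decayed weight of endorsements made on this exact fingerprint.

    Endorsements are tied to a fingerprint, so statements about another key
    of the same person do not count here.
    """
    return sum(endorsement_weight(e, today)
               for e in endorsements if e.fingerprint == fingerprint)


def key_is_valid(fingerprint: str, signatures: int, endorsements, today: date) -> bool:
    """Model of the three cases in the announcement."""
    if signatures >= SIGNED_THRESHOLD:
        return True  # signed key: valid without endorsements
    weight = endorsed_weight(fingerprint, endorsements, today)
    if signatures == 1:
        return weight >= WEIGHT_WITH_ONE_SIGNATURE  # one signature plus endorsements
    return weight >= WEIGHT_WITHOUT_SIGNATURES      # sufficiently endorsed, no signatures
```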

    What endorsements are not
    =========================

    * Substitutes for key signatures. They are not intended to connect
    identities with a key, only to connect work reputation with a key. We
    still encourage people meeting face to face to sign each other's keys,
    whenever it is or will be possible. Note that signed keys won't
    require endorsements. Both methods are complementary.
    * Advocacies: advocacies are about witnessing that a person is
    experienced and responsible enough to have a given status in Debian.
    Key endorsements are about witnessing having worked with a given
    person using a given key. In both cases there has been collaboration
    between the two people. Advocacy gives the thumbs up to a person
    changing their status in Debian. Endorsing a key only connects the
    reputation of a person with that key.

    For example, an endorsement statement could be something like:

    > While working on {<package>|<team>|…}, <person> has usually signed
    > their {mails|git commits|…} with the GPG key <this fingerprint>

    While an advocacy message would be something like:

    > I have worked with <person> on {<package>|<team>|…} for <time> and
    > I believe they can be trusted to be a full member of Debian, and
    > have unsupervised, unrestricted upload rights, right now.

    Currently the endorsements are integrated into the NM processes so that
    the 10 most recent endorsements are displayed in the KeyCheck
    requirement of a process. A FrontDesk Member or DAM can review these and
    determine whether or not they are sufficient to approve the KeyCheck. It
    is likely that the exact implementation will change, based on the
    experience we gain and the feedback we receive.

    So, by all means, if you see things that could or should be
    improved, don't hesitate to reach out to us through the BTS, the
    https://salsa.debian.org/nm-team/nm.debian.org issues page, or the
    nm@debian.org email address!

    We hope that this feature will serve its purpose efficiently.

    Bests,

    For Debian Account Managers and Front Desk,

    Enrico Zini
    Pierre-Elliott Bécue

    [0] https://lists.debian.org/debian-devel-announce/2020/09/msg00000.html
    [1] example: https://nm.debian.org/person/enrico/
    [2] example: https://nm.debian.org/fprs/person/enrico/1793D6AB75663E6BF104953A634F4BD1E7AD5568/endorsements/view/
    --
    GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>

