On Fri, Apr 17, 2015 at 10:00:56AM +0100, Jonathan McDowell wrote:

> > As far as I know relying on the keyring and ldap has always been
> > incorrect.  The number was always off by a few.
> 
> I've never quite understood why LDAP isn't accurate, but I couldn't
> figure out a simple query and even
> '(&(gidNumber=800)(!(shadowExpire=1))(objeass=debianDeveloper))'
> gives 988 entries of which some are incorrect.
[...]
> The astute will notice that this leaves 981 keys, whereas I counted 983
> keys in the keyrings. It turns out there are 2 DDs who have removed 1024
> bit keys but who have locked LDAP accounts (issue with SSH key on one,
> "DSA locked" on the other as comments).
> 
> Anyway. The 2 things to take away are a) yes, it's depressingly hard to
> work out how many voting members Debian has and b) the answer is 986 at
> present.

Indeed. We have multiple user databases, each with its own sets of
corner cases. We cannot currently univocally identify a person by
account name (DMs and Debian Contributors do not have one), by alioth
account name (a person can have many), by GPG key (a DD can have none,
in case they just revoked a stolen one), by full name (hi Brian
Nelson(s) and Luca Bruno(s)), by email (it changes). LDAP login can be
disabled when one becomes emeritus or temporarily after a case of abuse.
DSA can create guest accounts.

In nm.debian.org's nightly maintenance I run a lot of code that computes
differences between these data sources, so we have the capability of
tracking things, and the possibility of manually tweaking nm.debian.org
to really fit the bill. But since we have also a need for manual tweaks,
it gets out of date.

> > It's was my understanding that DAM says that nm.debian.org is
> > authoritative.
> That is the eventual goal but at present various pieces of information
> are manually updated. Enrico and keyring-maint have been working on
> making it easier for nm.d.o to track keyring changes but there's still
> more to be done before this is complete. There's a vague plan to get
> this done during DebConf if not before.

And indeed that'd be the way forward as I see it: reduce the need for
manual intervention as much as possible, so that routine takes care of
itself, and manual intervention is only needed for corner cases, which
are hopefully few and far apart in time.


Enrico

-- 
GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini <enr...@enricozini.org>

Attachment: signature.asc
Description: Digital signature

Reply via email to