Re: [nm.debian.org] Key endorsements are live

2020-11-08 Thread Pierre-Elliott Bécue
On Sunday 08 November 2020 at 21:15:34+, Paul Sutton wrote:
> 
> On 08/11/2020 20:51, Enrico Zini wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> > 
> > Hello,
> > 
> > As it was announced on a previous message[0], we have now implemented
> > Key Endorsements on nm.debian.org, for people in the process to become
> > either Debian Maintainers or Debian Developers.
> > 
> > The principle is to give Debian Developers a way to tell that they've
> > worked with a given person, and that enough of that work was signed by a
> > given GPG key, that the person controlling that key was definitely the
> > person doing that work.
> > 
> > When logged into nm.debian.org and visiting a person's page[1], every
> > Debian Project Member will see a new button just on the right of the GPG
> > fingerprint, allowing them to see the person's endorsements on their
> > currently active fingerprint[2], and to submit one. An endorsement is a
> > GPG-signed statement giving some context about what work you did with
> > that person with that specific key.
> > 
> > The endorsements are a long-needed step forward in the way we build
> > trust in people and their keys. It was made urgent by the travel and
> > meeting restrictions caused by the recent COVID-19 pandemic, which
> > amplified an issue we've always had when prospective Developers had
> > difficulties in meeting existing Developers to enter Debian's web of
> > trust. Endorsements are complementary with signatures. A signed key will
> > be valid without endorsements, and a sufficiently endorsed key will be
> > seen as valid even without signatures. A key with one signature and some
> > endorsements will also be seen as valid.
> > 
> > What endorsements are
> > =====================
> > 
> >   * A way to witness the use of a given key while working with a given
> > person. We don't want to set specific rules about what is worthy of an
> > endorsement, but we consider that some short details about the kind of
> > work and the kind of key usage should be visible and reported in the
> > endorsement.
> >   * Decaying over time: we'll see very old endorsements as less reliable
> > than recent ones. If you've worked with someone and endorsed them a
> > long time ago, but still worked with them between then and now, it
> > could make sense to re-endorse them.
> > 
> > What endorsements are not
> > =========================
> > 
> >   * Substitutes for key signatures. They are not intended to connect
> > identities with a key, only to connect work reputation with a key. We
> > still encourage people meeting face to face to sign each other's key,
> > whenever it is or will be possible. Note that signed keys won't
> > require endorsements. Both methods are complementary.
> >   * Advocacies: advocacies are about witnessing that a person is
> > experienced and responsible enough to have a given status in Debian.
> > Key endorsements are about witnessing having worked with a given
> > person using a given key. In both cases there has been collaboration
> > between the two people. Advocacy gives the thumbs up to a person
> > changing their status in Debian. Endorsing a key only connects the
> > reputation of a person with that key.
> > 
> > For example, an endorsement statement could be something like:
> > 
> >  > While working on {||…},  has usually signed
> >  > their {mails|git commits|…} with the GPG key 
> > 
> > While an advocacy message would be something like:
> > 
> >  > I have worked with  on {||…} for  and
> >  > I believe they can be trusted to be a full member of Debian, and
> >  > have unsupervised, unrestricted upload rights, right now.
> > 
> > Currently the endorsements are integrated into the NM processes so that
> > the 10 most recent endorsements are displayed in the Keycheck
> > requirement of a process. A FrontDesk Member or DAM can review these and
> > determine whether or not they are sufficient to approve the KeyCheck. It
> > is likely that the exact implementation will change, based on the
> > experience we will have and the feedback we will receive.
> > 
> > Henceforth, by all means, if you see things that could or should be
> > improved, don't hesitate to reach out to us through either the BTS,
> > https://salsa.debian.org/nm-team/nm.debian.org issues page or via the
> > n...@debian.org email address!
> > 
> > We hope that this feature will serve its purpose efficiently.
> > 
> > Bests,
> > 
> > For Debian Account Managers and Front Desk,
> > 
> > Enrico Zini
> > Pierre-Elliott Bécue
> > 
> > [0] https://lists.debian.org/debian-devel-announce/2020/09/msg0.html
> > [1] example: https://nm.debian.org/person/enrico/
> > [2] example: https://nm.debian.org/fprs/person/enrico/1793D6AB75663E6BF104953A634F4BD1E7AD5568/endorsements/view/
> > -----BEGIN PGP SIGNATURE-----
> > 

Re: [nm.debian.org] Key endorsements are live

2020-11-08 Thread Paul Sutton



On 08/11/2020 20:51, Enrico Zini wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello,

As it was announced on a previous message[0], we have now implemented
Key Endorsements on nm.debian.org, for people in the process to become
either Debian Maintainers or Debian Developers.

The principle is to give Debian Developers a way to tell that they've
worked with a given person, and that enough of that work was signed by a
given GPG key, that the person controlling that key was definitely the
person doing that work.

When logged into nm.debian.org and visiting a person's page[1], every
Debian Project Member will see a new button just on the right of the GPG
fingerprint, allowing them to see the person's endorsements on their
currently active fingerprint[2], and to submit one. An endorsement is a
GPG-signed statement giving some context about what work you did with
that person with that specific key.

The endorsements are a long-needed step forward in the way we build
trust in people and their keys. It was made urgent by the travel and
meeting restrictions caused by the recent COVID-19 pandemic, which
amplified an issue we've always had when prospective Developers had
difficulties in meeting existing Developers to enter Debian's web of
trust. Endorsements are complementary with signatures. A signed key will
be valid without endorsements, and a sufficiently endorsed key will be
seen as valid even without signatures. A key with one signature and some
endorsements will also be seen as valid.

What endorsements are
=====================

  * A way to witness the use of a given key while working with a given
person. We don't want to set specific rules about what is worthy of an
endorsement, but we consider that some short details about the kind of
work and the kind of key usage should be visible and reported in the
endorsement.
  * Decaying over time: we'll see very old endorsements as less reliable
than recent ones. If you've worked with someone and endorsed them a
long time ago, but still worked with them between then and now, it
could make sense to re-endorse them.

What endorsements are not
=========================

  * Substitutes for key signatures. They are not intended to connect
identities with a key, only to connect work reputation with a key. We
still encourage people meeting face to face to sign each other's key,
whenever it is or will be possible. Note that signed keys won't
require endorsements. Both methods are complementary.
  * Advocacies: advocacies are about witnessing that a person is
experienced and responsible enough to have a given status in Debian.
Key endorsements are about witnessing having worked with a given
person using a given key. In both cases there has been collaboration
between the two people. Advocacy gives the thumbs up to a person
changing their status in Debian. Endorsing a key only connects the
reputation of a person with that key.

For example, an endorsement statement could be something like:

 > While working on {||…},  has usually signed
 > their {mails|git commits|…} with the GPG key 

While an advocacy message would be something like:

 > I have worked with  on {||…} for  and
 > I believe they can be trusted to be a full member of Debian, and
 > have unsupervised, unrestricted upload rights, right now.

Currently the endorsements are integrated into the NM processes so that
the 10 most recent endorsements are displayed in the Keycheck
requirement of a process. A FrontDesk Member or DAM can review these and
determine whether or not they are sufficient to approve the KeyCheck. It
is likely that the exact implementation will change, based on the
experience we will have and the feedback we will receive.

Henceforth, by all means, if you see things that could or should be
improved, don't hesitate to reach out to us through either the BTS,
https://salsa.debian.org/nm-team/nm.debian.org issues page or via the
n...@debian.org email address!

We hope that this feature will serve its purpose efficiently.

Bests,

For Debian Account Managers and Front Desk,

Enrico Zini
Pierre-Elliott Bécue

[0] https://lists.debian.org/debian-devel-announce/2020/09/msg0.html
[1] example: https://nm.debian.org/person/enrico/
[2] example: https://nm.debian.org/fprs/person/enrico/1793D6AB75663E6BF104953A634F4BD1E7AD5568/endorsements/view/
-----BEGIN PGP SIGNATURE-----
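Added example, not part of the announcement and not nm.debian.org's own code: a small model of the validity rules the message states (a signed key is valid without endorsements, a sufficiently endorsed key is valid without signatures, one signature plus some endorsements is valid, old endorsements decay, and only the 10 most recent endorsements on the currently active fingerprint count). The announcement sets no numbers, so the thresholds, the half-life decay and reading "a signed key" as two Developer signatures are assumptions; the sample people and fingerprints are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Policy parameters. The announcement gives no numbers; the first four below are
# assumptions standing in for whatever Front Desk / DAM apply when reviewing a Keycheck.
REQUIRED_SIGNATURES = 2          # assumed meaning of "a signed key" (Developer signatures)
SUFFICIENT_WEIGHT_NO_SIG = 3.0   # assumed "sufficiently endorsed" score with no signatures
SUFFICIENT_WEIGHT_ONE_SIG = 1.0  # assumed "some endorsements" score alongside one signature
HALF_LIFE_DAYS = 365             # assumed decay: an endorsement's weight halves every year
MAX_CONSIDERED = 10              # from the announcement: the 10 most recent are displayed

@dataclass(frozen=True)
class Endorsement:
    endorser: str      # Developer who made the GPG-signed statement (signature assumed verified)
    fingerprint: str   # the key the statement is about
    signed_on: date    # when the statement was signed
    context: str       # short description of the shared work and key usage

def endorsement_weight(e: Endorsement, today: date) -> float:
    """Older endorsements are less reliable: exponential decay with the assumed half-life."""
    age_days = max(0, (today - e.signed_on).days)
    return 0.5 ** (age_days / HALF_LIFE_DAYS)

def endorsement_score(endorsements, active_fpr: str, today: date) -> float:
    """Decayed weight of the most recent endorsements on the active key; other fingerprints are ignored."""
    on_active_key = [e for e in endorsements if e.fingerprint == active_fpr]
    recent = sorted(on_active_key, key=lambda e: e.signed_on, reverse=True)[:MAX_CONSIDERED]
    return sum(endorsement_weight(e, today) for e in recent)

def key_is_valid(dd_signatures: int, endorsements, active_fpr: str, today: date) -> bool:
    """The three rules from the announcement, evaluated with the assumed thresholds above."""
    score = endorsement_score(endorsements, active_fpr, today)
    if dd_signatures >= REQUIRED_SIGNATURES:
        return True                                # signed key: valid without endorsements
    if dd_signatures == 0:
        return score >= SUFFICIENT_WEIGHT_NO_SIG   # sufficiently endorsed: valid without signatures
    return score >= SUFFICIENT_WEIGHT_ONE_SIG      # one signature plus some endorsements

# Constructed sample data: placeholder fingerprints and endorsers, not real keys or people.
TODAY = date(2020, 11, 8)
ACTIVE_FPR = "0000000000000000000000000000000000000001"
OLD_FPR = "0000000000000000000000000000000000000002"
SAMPLE = [
    Endorsement("dd-a", ACTIVE_FPR, date(2020, 11, 8), "reviewed their signed git commits"),
    Endorsement("dd-b", ACTIVE_FPR, date(2020, 10, 8), "sponsored their signed uploads"),
    Endorsement("dd-d", OLD_FPR, date(2020, 11, 8), "work signed with a key that is no longer active"),
    Endorsement("dd-e", ACTIVE_FPR, date(2015, 11, 8), "old collaboration, never re-endorsed"),
]
```

With this data the key fails the no-signature rule (score just under 2 after decay and the ignored old fingerprint) but passes with a single Developer signature.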