Re: [nm.debian.org] Key endorsements are live
On Sunday, 08 November 2020 at 21:15:34+, Paul Sutton wrote:
> On 08/11/2020 20:51, Enrico Zini wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > Hello,
> >
> > As it was announced on a previous message[0], we have now implemented
> > Key Endorsements on nm.debian.org, for people in the process to become
> > either Debian Maintainers or Debian Developers.
> >
> > The principle is to give Debian Developers a way to tell that they've
> > worked with a given person, and that enough of that work was signed by a
> > given GPG key, that the person controlling that key was definitely the
> > person doing that work.
> >
> > When logged into nm.debian.org and visiting a person's page[1], every
> > Debian Project Member will see a new button just on the right of the GPG
> > fingerprint, allowing to see the person's endorsements on their
> > currently active fingerprint[2], and to submit one. An endorsement is a
> > GPG-signed statement giving some context about what work you did with
> > that person with that specific key.
> >
> > The endorsements are a long-needed step forward in the way we build
> > trust on people and their keys. It was made urgent by the travel and
> > meeting restrictions caused by the recent COVID-19 pandemic, which
> > amplified an issue we've always had when prospective Developers had
> > difficulties in meeting existing Developers to enter Debian's web of
> > trust. Endorsements are complementary with signatures. A signed key will
> > be valid without endorsements, and a sufficiently endorsed key will be
> > seen as valid even without signatures. A key with one signature and some
> > endorsements will also be seen as valid.
> >
> > What endorsements are
> > =====================
> >
> >  * A way to witness the use of a given key while working with a given
> >    person. We don't want to set specific rules about what is worthy of an
> >    endorsement, but we consider that some short details about the kind of
> >    work and the kind of key usage should be visible and reported in the
> >    endorsement.
> >  * Decaying over time: we'll see very old endorsements as less reliable
> >    than recent ones. If you've worked with someone and endorsed them a
> >    long time ago, but still worked with them between then and now, it
> >    could make sense to re-endorse them.
> >
> > What endorsements are not
> > =========================
> >
> >  * Substitutes to Key signatures. They are not intended to connect
> >    identities with a key, only to connect work reputation with a key. We
> >    still encourage people meeting face to face to sign each other's key,
> >    whenever it is or will be possible. Note that signed keys won't
> >    require endorsements. Both methods are complementary.
> >  * Advocacies: advocacies are about witnessing that a person is
> >    experienced and responsible enough to have a given status in Debian.
> >    Key endorsements are about witnessing having worked with a given
> >    person using a given key. In both cases there has been collaboration
> >    between the two people. Advocacy gives the thumbs up to a person
> >    changing their status in Debian. Endorsing a key only connects the
> >    reputation of a person with that key.
> >
> > For example, an endorsement statement could be something like:
> >
> > > While working on {||…}, has usually signed
> > > their {mails|git commits|…} with the GPG key
> >
> > While an advocacy message would be something like:
> >
> > > I have worked with on {||…} for and
> > > I believe they can be trusted to be a full member of Debian, and
> > > have unsupervised, unrestricted upload rights, right now.
> >
> > Currently the endorsements are integrated into the NM processes so that
> > the 10 most recent endorsements are displayed in the Keycheck
> > requirement of a process. A FrontDesk Member or DAM can review these and
> > determine whether or not they are sufficient to approve the KeyCheck. It
> > is likely that the exact implementation will change, based on the
> > experience we will have and the feedback we will receive.
> >
> > Henceforth, by all means, if you see things that could or should be
> > improved, don't hesitate to reach out to us through either the BTS,
> > https://salsa.debian.org/nm-team/nm.debian.org issues page or via the
> > n...@debian.org email address!
> >
> > We hope that this feature will serve its purpose efficiently.
> >
> > Bests,
> >
> > For Debian Account Managers and Front Desk,
> >
> > Enrico Zini
> > Pierre-Elliott Bécue
> >
> > [0] https://lists.debian.org/debian-devel-announce/2020/09/msg0.html
> > [1] example: https://nm.debian.org/person/enrico/
> > [2] example:
> > https://nm.debian.org/fprs/person/enrico/1793D6AB75663E6BF104953A634F4BD1E7AD5568/endorsements/view/
> > -----BEGIN PGP SIGNATURE-----
> >
> > iQJKBAEBCAA0FiEEV3MSJKl2LqFVqypTDKjRW7JNlvIFAl+oWiYWHGRhLW1hbmFn
> > ZXJAZGViaWFuL
Re: [nm.debian.org] Key endorsements are live
On 08/11/2020 20:51, Enrico Zini wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello,
>
> As it was announced on a previous message[0], we have now implemented
> Key Endorsements on nm.debian.org, for people in the process to become
> either Debian Maintainers or Debian Developers.
>
> The principle is to give Debian Developers a way to tell that they've
> worked with a given person, and that enough of that work was signed by a
> given GPG key, that the person controlling that key was definitely the
> person doing that work.
>
> When logged into nm.debian.org and visiting a person's page[1], every
> Debian Project Member will see a new button just on the right of the GPG
> fingerprint, allowing to see the person's endorsements on their
> currently active fingerprint[2], and to submit one. An endorsement is a
> GPG-signed statement giving some context about what work you did with
> that person with that specific key.
>
> The endorsements are a long-needed step forward in the way we build
> trust on people and their keys. It was made urgent by the travel and
> meeting restrictions caused by the recent COVID-19 pandemic, which
> amplified an issue we've always had when prospective Developers had
> difficulties in meeting existing Developers to enter Debian's web of
> trust. Endorsements are complementary with signatures. A signed key will
> be valid without endorsements, and a sufficiently endorsed key will be
> seen as valid even without signatures. A key with one signature and some
> endorsements will also be seen as valid.
>
> What endorsements are
> =====================
>
>  * A way to witness the use of a given key while working with a given
>    person. We don't want to set specific rules about what is worthy of an
>    endorsement, but we consider that some short details about the kind of
>    work and the kind of key usage should be visible and reported in the
>    endorsement.
>  * Decaying over time: we'll see very old endorsements as less reliable
>    than recent ones. If you've worked with someone and endorsed them a
>    long time ago, but still worked with them between then and now, it
>    could make sense to re-endorse them.
>
> What endorsements are not
> =========================
>
>  * Substitutes to Key signatures. They are not intended to connect
>    identities with a key, only to connect work reputation with a key. We
>    still encourage people meeting face to face to sign each other's key,
>    whenever it is or will be possible. Note that signed keys won't
>    require endorsements. Both methods are complementary.
>  * Advocacies: advocacies are about witnessing that a person is
>    experienced and responsible enough to have a given status in Debian.
>    Key endorsements are about witnessing having worked with a given
>    person using a given key. In both cases there has been collaboration
>    between the two people. Advocacy gives the thumbs up to a person
>    changing their status in Debian. Endorsing a key only connects the
>    reputation of a person with that key.
>
> For example, an endorsement statement could be something like:
>
> > While working on {||…}, has usually signed
> > their {mails|git commits|…} with the GPG key
>
> While an advocacy message would be something like:
>
> > I have worked with on {||…} for and
> > I believe they can be trusted to be a full member of Debian, and
> > have unsupervised, unrestricted upload rights, right now.
>
> Currently the endorsements are integrated into the NM processes so that
> the 10 most recent endorsements are displayed in the Keycheck
> requirement of a process. A FrontDesk Member or DAM can review these and
> determine whether or not they are sufficient to approve the KeyCheck. It
> is likely that the exact implementation will change, based on the
> experience we will have and the feedback we will receive.
>
> Henceforth, by all means, if you see things that could or should be
> improved, don't hesitate to reach out to us through either the BTS,
> https://salsa.debian.org/nm-team/nm.debian.org issues page or via the
> n...@debian.org email address!
>
> We hope that this feature will serve its purpose efficiently.
>
> Bests,
>
> For Debian Account Managers and Front Desk,
>
> Enrico Zini
> Pierre-Elliott Bécue
>
> [0] https://lists.debian.org/debian-devel-announce/2020/09/msg0.html
> [1] example: https://nm.debian.org/person/enrico/
> [2] example:
> https://nm.debian.org/fprs/person/enrico/1793D6AB75663E6BF104953A634F4BD1E7AD5568/endorsements/view/
> -----BEGIN PGP SIGNATURE-----
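As an added illustration (not code from the announcement or from nm.debian.org), the following Python models the validity rule the announcement states: a signed key is valid on its own, a sufficiently endorsed key is valid without signatures, one signature plus some endorsements is also enough, and older endorsements weigh less than recent ones. The signature count that makes a "signed key", the score thresholds, the one-year half-life, the placeholder fingerprint and the endorser names are all assumed; the announcement gives no numbers.

```python
from dataclasses import dataclass
from datetime import date
# Assumed policy numbers (the announcement gives none); illustrative only.
HALF_LIFE_DAYS = 365        # an endorsement loses half its weight per year
REQUIRED_SIGNATURES = 2     # assumed number of DD signatures for a "signed key"
SCORE_NO_SIGNATURE = 3.0    # decayed endorsement score needed with no signature
SCORE_ONE_SIGNATURE = 1.0   # decayed score needed next to exactly one signature
MAX_ENDORSEMENTS = 10       # the announcement shows the 10 most recent

@dataclass(frozen=True)
class Endorsement:
    endorser: str      # Debian Developer who signed the statement
    fingerprint: str   # key fingerprint the statement is about
    signed_on: date    # date the GPG-signed statement was made

def endorsement_weight(e: Endorsement, today: date) -> float:
    """Exponential decay: fresh counts 1.0, one year old counts 0.5."""
    age_days = max((today - e.signed_on).days, 0)
    return 0.5 ** (age_days / HALF_LIFE_DAYS)

def endorsement_score(endorsements, fingerprint: str, today: date) -> float:
    """Decayed score over the most recent endorsements of one key; only each
    endorser's latest statement counts, so re-endorsing replaces an old one."""
    latest = {}
    for e in endorsements:
        if e.fingerprint != fingerprint:
            continue
        if e.endorser not in latest or e.signed_on > latest[e.endorser].signed_on:
            latest[e.endorser] = e
    recent = sorted(latest.values(), key=lambda x: x.signed_on, reverse=True)
    return sum(endorsement_weight(e, today) for e in recent[:MAX_ENDORSEMENTS])

def key_is_valid(signatures: int, endorsements, fingerprint: str, today: date) -> bool:
    """The three cases from the announcement, using the assumed thresholds."""
    if signatures >= REQUIRED_SIGNATURES:
        return True                          # signed key: valid without endorsements
    score = endorsement_score(endorsements, fingerprint, today)
    if signatures == 1:
        return score >= SCORE_ONE_SIGNATURE  # one signature plus some endorsements
    return score >= SCORE_NO_SIGNATURE       # sufficiently endorsed, no signatures

# Constructed sample data: placeholder fingerprint and fictional endorsers.
FPR = "0000000000000000000000000000000000000000"
TODAY = date(2020, 11, 8)
SAMPLE = [
    Endorsement("dd-alice", FPR, date(2020, 10, 1)),  # recent
    Endorsement("dd-bob", FPR, date(2020, 9, 15)),    # recent
    Endorsement("dd-carol", FPR, date(2017, 1, 1)),   # nearly four years old
    Endorsement("dd-alice", FPR, date(2016, 5, 5)),   # superseded by the newer one
]
```

With the sample data, two fresh endorsements and one stale one are worth about 1.9 points, which is enough next to one signature but not on their own.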