Re: Emeritus status, and email forwarding
On Thu, Dec 07, 2017 at 11:55:07AM +0100, Daniel Pocock wrote:
> - the use of the debian.org addresses is a strong way for people to show
> that they are doing things on behalf of Debian,

This. I don't think we should drop @debian.org email addresses for that
reason.

--
Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf
     2008 Hacklab

Re: Emeritus status, and email forwarding
On 15/11/17 12:53, Ian Jackson wrote:
> Someone who was sort-of-MIA said on -private that they would like to
> keep their @debian.org email forwarding indefinitely, as they move to
> emeritus status.

One alternative that wasn't mentioned in this thread: what if Debian
stops providing @debian.org email addresses and phases out existing
addresses?

I'm not advocating this as my preferred solution, but it is useful to
have all options on the table in a discussion about the email addresses.

Benefits of deprecating all debian.org email addresses:

- less things for DSA to maintain

- less problems with forwarding from debian.org to other mail servers
  that enable strict SPF policies[1]

- people would be forced to use (or create) some other email address for
  their packaging work (debian/control, changelog) and these addresses
  would still be contactable after they leave the project

Disadvantages:

- for people who want a distinct email address for their Debian
  contributions, a little extra effort to create and monitor an extra
  private email address for their packaging work

- existing addresses will still linger around for a long time

- the use of the debian.org addresses is a strong way for people to show
  that they are doing things on behalf of Debian, the loss of this
  benefit could be mitigated partially by using team addresses to send
  some types of communication

Regards,

Daniel

1. http://www.openspf.org/FAQ/Forwarding

Re: Emeritus status, and email forwarding
]] Ondřej Surý

> On Fri, Nov 17, 2017, at 23:01, Tollef Fog Heen wrote:
> > ]] Ian Jackson
> >
> > > I think that, with some safeguards[1], this would be a good thing to
> > > offer people. If nothing else people have often used @d.o addresses
> > > in Debian work, where the addresses live on after they move on, and we
> > > should definitely encourage even an emeritus member to be reachable
> > > for answering questions or whatever, as their time and interest
> > > permits.
> >
> > I don't think we should do that. Once they've left the project, they
> > don't and shouldn't have the ability to answer for Debian in any way.
>
> +1 to that. Either you are with the project, or you are not. If somebody
> hasn't been active in years, and intend to possibly return, we can
> recycle the account name, but he should be probably subject to the
> regular NM procedure.

Yes, people who come back after having retired (or having gone MIA) can
of course have their user name back (subject to them becoming DDs,
through the processes for that). Nobody else can get that account name,
though, since that could cause problems.

--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Re: Emeritus status, and email forwarding
On Fri, Nov 17, 2017, at 23:01, Tollef Fog Heen wrote:
> ]] Ian Jackson
>
> > I think that, with some safeguards[1], this would be a good thing to
> > offer people. If nothing else people have often used @d.o addresses
> > in Debian work, where the addresses live on after they move on, and we
> > should definitely encourage even an emeritus member to be reachable
> > for answering questions or whatever, as their time and interest
> > permits.
>
> I don't think we should do that. Once they've left the project, they
> don't and shouldn't have the ability to answer for Debian in any way.

+1 to that. Either you are with the project, or you are not. If somebody
hasn't been active in years, and intend to possibly return, we can
recycle the account name, but he should be probably subject to the
regular NM procedure.

Cheers,
--
Ondřej Surý

Re: Emeritus status, and email forwarding
]] Ian Jackson

> I think that, with some safeguards[1], this would be a good thing to
> offer people. If nothing else people have often used @d.o addresses
> in Debian work, where the addresses live on after they move on, and we
> should definitely encourage even an emeritus member to be reachable
> for answering questions or whatever, as their time and interest
> permits.

I don't think we should do that. Once they've left the project, they
don't and shouldn't have the ability to answer for Debian in any way.

> Unfortunately it would mean that such people would still need some
> kind of login on Debian systems, so that they could update the email
> forwarding. But it wouldn't have to have the wide powers of an active
> DD/DM account.
>
> What do people think ? How hard would this be ?

It would make our already too complex setups even more complex, but
that's not the reason why I think it's a bad idea.

> The emeritus member should refrain from advertising the @debian.org
> email address, so outgoing emails, web pages, etc., should be updated
> to show a different address. Obviously the point of retaining the old
> address is to avoid having to deal with a massive array of existing
> places where the address is published, but there should be no active
> uses, and any particular instances should be changed on requests by
> Debian. The forwarding would have to be withdrawn if the emeritus
> member continued to advertise their @d.o address, or if they did
> something sufficiently bad that we would want to disassociate
> ourselves from them more completely.

I don't think we're in a position where we would be able to effectively
police this, and so I don't think we should try either.

Cheers,
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Re: Emeritus status, and email forwarding
Enrico Zini said [Wed, Nov 15, 2017 at 05:46:52PM +0100]:
> I would be ok with saying that emeritus people who have a valid gpg key
> can still have email forwarding, exporting the emeritus keyring
> alongside the other keyrings, and handling email forwarding
> configuration changes via chan...@db.debian.org, and key replacements as
> usual.
>
> It would exclude people who don't have a viable gpg key anymore in the
> keyring, or who are not interested in maintaining one, but that is
> already the case mostly anywhere in Debian, and I don't see it as a
> blocker for keeping forwarding working as long as someone is emeritus
> and has a key in the emeritus keyring.
>
> I would also be ok saying that people whose keys in the emeritus keyring
> become invalid over time, because they expire or because they are not
> replaced when needed, move to "removed" status after a while.

FWIW some other people have expressed procedure concerns on this topic,
I am not repeating them.

We (keyring-maint) do keep an Emeritus keyring. Given it is not really
_used_, I had not checked its real status in a long time, but now I must
really take off my hat towards Jonathan - It is quite well maintained.
It used to be a very large directory:

https://anonscm.debian.org/cgit/keyring/keyring.git/tree/emeritus-keyring-gpg?id=f6293ba7d7c4e775b3b83185e66da41f4765721f

But since Jonathan removed short keys in it (as they are keys we will
never use again and should no longer consider trusted), it became way
smaller. Current view:

https://anonscm.debian.org/cgit/keyring/keyring.git/tree/emeritus-keyring-gpg

Anyway, we could continue to receive updates for and process the
Emeritus' keyring, if any person in it was interested in doing so... I
doubt it would be the case. We can also produce that keyring together
with our updates if any infrastructure were to use it. I have a feeling
it would mostly be over-engineering, though.

Keeping the mail alias working "forever" sounds right, but I expect that
any mail update requests would still end up in a human to implement.

Re: Emeritus status, and email forwarding [and 1 more messages]
On Thu, Nov 16, 2017 at 07:23:23AM +0800, Paul Wise wrote:
> Is this because of it being hard to track the contributions of
> non-uploading DDs?

Not necessarily (but probably true for some case, for example, those we
got DD_nu because of relevant contributions to the debconf orga, that's
not really easy to figure out…).

Another reason is that the MIA team still doesn't actively look out for
inactive people, but instead reacts on external notices sent to us.
Since there is a constant flow of those I think we will stick with that
way for a while still. Nobody has come to us yet asking to check on a
non-uploader DD.

> Is the MIA team looking at contributors.d.o data?

Yes, that's of great help in our work.

--
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540       .''`.
more about me: https://mapreri.org                               : :' :
Launchpad user: https://launchpad.net/~mapreri                   `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

Re: Emeritus status, and email forwarding [and 1 more messages]
I think if we can find a way to manage it technically, allowing people to forward email would be a reasonable thing to do.
Re: Emeritus status, and email forwarding [and 1 more messages]
On Thu, Nov 16, 2017 at 12:23 AM, Mattia Rizzolo wrote:
> non-uploading DD where the MIA team is not looking at.

Is this because of it being hard to track the contributions of
non-uploading DDs?

Is the MIA team looking at contributors.d.o data?

--
bye,
pabs

https://wiki.debian.org/PaulWise

Re: Emeritus status, and email forwarding [and 1 more messages]
Hello Mattia,

On Wed, Nov 15 2017, Mattia Rizzolo wrote:
> IMHO if somebody care to keep their forward email usable they can very
> well care enough to have a robust enough key and keep it in the
> keyring, and possibly be demoted to non-uploading DD where the MIA
> team is not looking at.

I'd like to suggest using 'changed' rather than 'demoted' because the
latter suggests that being a non-uploading DD is of less value than
being an uploading DD.

(I know you're not a native speaker so I'm not blaming you, Mattia!)

--
Sean Whitton

Re: Emeritus status, and email forwarding
On Wed, Nov 15, 2017 at 01:45:52PM +0100, Mattia Rizzolo wrote:
> In many cases (such this particular one) people don't have a viable gpg
> key anymore in the keyring: that means they can't email
> chan...@db.debian.org to update their LDAP details (theoretically, they
> might still know the LDAP password and do it from there, but in practice
> all the people who reach that point already forgot it).
> So there is really a very technical issue to overcome for your proposal.

I would be ok with saying that emeritus people who have a valid gpg key
can still have email forwarding, exporting the emeritus keyring
alongside the other keyrings, and handling email forwarding
configuration changes via chan...@db.debian.org, and key replacements as
usual.

It would exclude people who don't have a viable gpg key anymore in the
keyring, or who are not interested in maintaining one, but that is
already the case mostly anywhere in Debian, and I don't see it as a
blocker for keeping forwarding working as long as someone is emeritus
and has a key in the emeritus keyring.

I would also be ok saying that people whose keys in the emeritus keyring
become invalid over time, because they expire or because they are not
replaced when needed, move to "removed" status after a while.

Enrico

--
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini

Re: Emeritus status, and email forwarding [and 1 more messages]
On Wed, Nov 15, 2017 at 04:08:41PM +, Ian Jackson wrote:
> It would be possible to have an "emeritus" keyring, I guess. Since it
> would only be used for email forwarding and a few other things, it
> could have weaker security requirements.

Technically such keyring exists, but they are not exported anywhere.
But if 1024D are not considered secure anymore, I don't see the point of
considering them "not secure, not trustable, but we don't care about
email forward so we're fine with having them hijacked", which feels like
what you are proposing.

IMHO if somebody care to keep their forward email usable they can very
well care enough to have a robust enough key and keep it in the keyring,
and possibly be demoted to non-uploading DD where the MIA team is not
looking at.

And most of all, they would need to care enough to carry on such
conversation to see it happen, whilst in most cases it seems to me the
people first asking for such thing are nowhere near "interested" and
expect others to carry on their wishes.

--
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540       .''`.
more about me: https://mapreri.org                               : :' :
Launchpad user: https://launchpad.net/~mapreri                   `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

Re: Emeritus status, and email forwarding [and 1 more messages]
Peter Palfrader writes ("Re: Emeritus status, and email forwarding"):
> Without a key in a keyring that somebody maintains, authenticating such
> requests, even manually, is going to be a PITA.

Mattia Rizzolo writes ("Re: Emeritus status, and email forwarding"):
> In many cases (such this particular one) people don't have a viable gpg
> key anymore in the keyring: that means they can't email
> chan...@db.debian.org to update their LDAP details (theoretically, they
> might still know the LDAP password and do it from there, but in practice
> all the people who reach that point already forgot it).

It would be possible to have an "emeritus" keyring, I guess. Since it
would only be used for email forwarding and a few other things, it
could have weaker security requirements.

But this is all just hot air from me now, because I'm afraid I am not
volunteering to implement or maintain it :-/.

Regards,
Ian.

--
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

Re: Emeritus status, and email forwarding
On Wed, 15 Nov 2017, Michael Stone wrote:

> On Wed, Nov 15, 2017 at 11:53:18AM +, Ian Jackson wrote:
> > Unfortunately it would mean that such people would still need some
> > kind of login on Debian systems, so that they could update the email
> > forwarding. But it wouldn't have to have the wide powers of an active
> > DD/DM account.
>
> Unless this turns into a extremely popular option it seems like updating
> could be done manually, with no need for a complicated technical solution.

Without a key in a keyring that somebody maintains, authenticating such
requests, even manually, is going to be a PITA.

--
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/

Re: Emeritus status, and email forwarding
On Wed, Nov 15, 2017 at 11:53:18AM +, Ian Jackson wrote:
> Unfortunately it would mean that such people would still need some
> kind of login on Debian systems, so that they could update the email
> forwarding. But it wouldn't have to have the wide powers of an active
> DD/DM account.

Unless this turns into a extremely popular option it seems like updating
could be done manually, with no need for a complicated technical
solution.

Mike Stone

Re: Emeritus status, and email forwarding
On Wed, Nov 15, 2017 at 11:53:18AM +, Ian Jackson wrote:
> Unfortunately it would mean that such people would still need some
> kind of login on Debian systems, so that they could update the email
> forwarding.

In many cases (such this particular one) people don't have a viable gpg
key anymore in the keyring: that means they can't email
chan...@db.debian.org to update their LDAP details (theoretically, they
might still know the LDAP password and do it from there, but in practice
all the people who reach that point already forgot it).
So there is really a very technical issue to overcome for your proposal.

--
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540       .''`.
more about me: https://mapreri.org                               : :' :
Launchpad user: https://launchpad.net/~mapreri                   `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-