Re: Emeritus status, and email forwarding

2017-12-07 Thread Wouter Verhelst
On Thu, Dec 07, 2017 at 11:55:07AM +0100, Daniel Pocock wrote:
> - the use of the debian.org addresses is a strong way for people to show
> that they are doing things on behalf of Debian,

This. I don't think we should drop @debian.org email addresses for that reason.

-- 
Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008
 Hacklab



Re: Emeritus status, and email forwarding

2017-12-07 Thread Daniel Pocock
On 15/11/17 12:53, Ian Jackson wrote:
> Someone who was sort-of-MIA said on -private that they would like to
> keep their @debian.org email forwarding indefinitely, as they move to
> emeritus status.

One alternative that wasn't mentioned in this thread: what if Debian
stops providing @debian.org email addresses and phases out existing
addresses?

I'm not advocating this as my preferred solution, but it is useful to
have all options on the table in a discussion about the email addresses.

Benefits of deprecating all debian.org email addresses:

- less things for DSA to maintain

- less problems with forwarding from debian.org to other mail servers
that enable strict SPF policies[1]

- people would be forced to use (or create) some other email address for
their packaging work (debian/control, changelog) and these addresses
would still be contactable after they leave the project

Disadvantages:

- for people who want a distinct email address for their Debian
contributions, a little extra effort to create and monitor an extra
private email address for their packaging work

- existing addresses will still linger around for a long time

- the use of the debian.org addresses is a strong way for people to show
that they are doing things on behalf of Debian, the loss of this benefit
could be mitigated partially by using team addresses to send some types
of communication

Regards,

Daniel


1. http://www.openspf.org/FAQ/Forwarding




Re: Emeritus status, and email forwarding

2017-11-18 Thread Tollef Fog Heen
]] Ondřej Surý 

> On Fri, Nov 17, 2017, at 23:01, Tollef Fog Heen wrote:
> > ]] Ian Jackson 
> > 
> > > I think that, with some safeguards[1], this would be a good thing to
> > > offer people.  If nothing else people have often used @d.o addresses
> > > in Debian work, where the addresses live on after they move on, and we
> > > should definitely encourage even an emeritus member to be reachable
> > > for answering questions or whatever, as their time and interest
> > > permits.
> > 
> > I don't think we should do that.  Once they've left the project, they
> > don't and shouldn't have the ability to answer for Debian in any way.
> 
> +1 to that. Either you are with the project, or you are not. If somebody
> hasn't been active in years, and intends to possibly return, we can
> recycle the account name, but he should be probably subject to the
> regular NM procedure.

Yes, people who come back after having retired (or having gone MIA) can
of course have their user name back (subject to them becoming DDs,
through the processes for that).  Nobody else can get that account name,
though, since that could cause problems.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are



Re: Emeritus status, and email forwarding

2017-11-18 Thread Ondřej Surý
On Fri, Nov 17, 2017, at 23:01, Tollef Fog Heen wrote:
> ]] Ian Jackson 
> 
> > I think that, with some safeguards[1], this would be a good thing to
> > offer people.  If nothing else people have often used @d.o addresses
> > in Debian work, where the addresses live on after they move on, and we
> > should definitely encourage even an emeritus member to be reachable
> > for answering questions or whatever, as their time and interest
> > permits.
> 
> I don't think we should do that.  Once they've left the project, they
> don't and shouldn't have the ability to answer for Debian in any way.

+1 to that. Either you are with the project, or you are not. If somebody
hasn't been active in years, and intends to possibly return, we can
recycle the account name, but he should be probably subject to the
regular NM procedure.

Cheers,
-- 
Ondřej Surý 



Re: Emeritus status, and email forwarding

2017-11-17 Thread Tollef Fog Heen
]] Ian Jackson 

> I think that, with some safeguards[1], this would be a good thing to
> offer people.  If nothing else people have often used @d.o addresses
> in Debian work, where the addresses live on after they move on, and we
> should definitely encourage even an emeritus member to be reachable
> for answering questions or whatever, as their time and interest
> permits.

I don't think we should do that.  Once they've left the project, they
don't and shouldn't have the ability to answer for Debian in any way.

> Unfortunately it would mean that such people would still need some
> kind of login on Debian systems, so that they could update the email
> forwarding.  But it wouldn't have to have the wide powers of an active
> DD/DM account.
> 
> What do people think ?  How hard would this be ?

It would make our already too complex setups even more complex, but
that's not the reason why I think it's a bad idea.

> The emeritus member should refrain from advertising the @debian.org
> email address, so outgoing emails, web pages, etc., should be updated
> to show a different address.  Obviously the point of retaining the old
> address is to avoid having to deal with a massive array of existing
> places where the address is published, but there should be no active
> uses, and any particular instances should be changed on requests by
> Debian.  The forwarding would have to be withdrawn if the emeritus
> member continued to advertise their @d.o address, or if they did
> something sufficiently bad that we would want to disassociate
> ourselves from them more completely.

I don't think we're in a position where we would be able to effectively
police this, and so I don't think we should try either.

Cheers,
-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are



Re: Emeritus status, and email forwarding

2017-11-17 Thread Gunnar Wolf
Enrico Zini said [Wed, Nov 15, 2017 at 05:46:52PM +0100]:
> I would be ok with saying that emeritus people who have a valid gpg key
> can still have email forwarding, exporting the emeritus keyring
> alongside the other keyrings, and handling email forwarding
> configuration changes via chan...@db.debian.org, and key replacements as
> usual.
> 
> It would exclude people who don't have a viable gpg key anymore in the
> keyring, or who are not interested in maintaining one, but that is
> already the case mostly anywhere in Debian, and I don't see it as a
> blocker for keeping forwarding working as long as someone is emeritus
> and has a key in the emeritus keyring.
> 
> I would also be ok saying that people whose keys in the emeritus keyring
> become invalid over time, because they expire or because they are not
> replaced when needed, move to "removed" status after a while.

FWIW some other people have expressed procedure concerns on this
topic, I am not repeating them.

We (keyring-maint) do keep an Emeritus keyring. Given it is not really
_used_, I had not checked its real status in a long time, but now I
must really take off my hat towards Jonathan - It is quite well
maintained.

It used to be a very large directory:


https://anonscm.debian.org/cgit/keyring/keyring.git/tree/emeritus-keyring-gpg?id=f6293ba7d7c4e775b3b83185e66da41f4765721f

But since Jonathan removed short keys in it (as they are keys we will
never use again and should no longer consider trusted), it became way
smaller. Current view:


https://anonscm.debian.org/cgit/keyring/keyring.git/tree/emeritus-keyring-gpg

Anyway, we could continue to receive updates for and process the
Emeritus' keyring, if any person in it was interested in doing so... I
doubt it would be the case. We can also produce that keyring together
with our updates if any infrastructure were to use it.

I have a feeling it would mostly be over-engineering, though. Keeping
the mail alias working "forever" sounds right, but I expect that any
mail update requests would still end up in a human to implement.




Re: Emeritus status, and email forwarding [and 1 more messages]

2017-11-16 Thread Mattia Rizzolo
On Thu, Nov 16, 2017 at 07:23:23AM +0800, Paul Wise wrote:
> Is this because of it being hard to track the contributions of
> non-uploading DDs?

Not necessarily (but probably true for some cases, for example, those we
got DD_nu because of relevant contributions to the debconf orga, that's
not really easy to figure out…).

Another reason is that the MIA team still doesn't actively look out for
inactive people, but instead reacts on external notices sent to us.
Since there is a constant flow of those I think we will stick with that
way for a while still.  Nobody has come to us yet asking to check on a
non-uploader DD.

> Is the MIA team looking at contributors.d.o data?

Yes, that's of great help in our work.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-




Re: Emeritus status, and email forwarding [and 1 more messages]

2017-11-15 Thread Sam Hartman
I think if we can find a way to manage it technically, allowing people
to forward email would be a reasonable thing to do.



Re: Emeritus status, and email forwarding [and 1 more messages]

2017-11-15 Thread Paul Wise
On Thu, Nov 16, 2017 at 12:23 AM, Mattia Rizzolo wrote:

> non-uploading DD where the MIA team is not looking at.

Is this because of it being hard to track the contributions of
non-uploading DDs?

Is the MIA team looking at contributors.d.o data?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Re: Emeritus status, and email forwarding [and 1 more messages]

2017-11-15 Thread Sean Whitton
Hello Mattia,

On Wed, Nov 15 2017, Mattia Rizzolo wrote:

> IMHO if somebody cares to keep their forward email usable they can very
> well care enough to have a robust enough key and keep it in the
> keyring, and possibly be demoted to non-uploading DD where the MIA
> team is not looking at.

I'd like to suggest using 'changed' rather than 'demoted' because the
latter suggests that being a non-uploading DD is of less value than
being an uploading DD.

(I know you're not a native speaker so I'm not blaming you, Mattia!)

-- 
Sean Whitton




Re: Emeritus status, and email forwarding

2017-11-15 Thread Enrico Zini
On Wed, Nov 15, 2017 at 01:45:52PM +0100, Mattia Rizzolo wrote:

> In many cases (such as this particular one) people don't have a viable gpg
> key anymore in the keyring: that means they can't email
> chan...@db.debian.org to update their LDAP details (theoretically, they
> might still know the LDAP password and do it from there, but in practice
> all the people who reach that point already forgot it).
> So there is really a very technical issue to overcome for your proposal.

I would be ok with saying that emeritus people who have a valid gpg key
can still have email forwarding, exporting the emeritus keyring
alongside the other keyrings, and handling email forwarding
configuration changes via chan...@db.debian.org, and key replacements as
usual.

It would exclude people who don't have a viable gpg key anymore in the
keyring, or who are not interested in maintaining one, but that is
already the case mostly anywhere in Debian, and I don't see it as a
blocker for keeping forwarding working as long as someone is emeritus
and has a key in the emeritus keyring.

I would also be ok saying that people whose keys in the emeritus keyring
become invalid over time, because they expire or because they are not
replaced when needed, move to "removed" status after a while.


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini 




Re: Emeritus status, and email forwarding [and 1 more messages]

2017-11-15 Thread Mattia Rizzolo
On Wed, Nov 15, 2017 at 04:08:41PM +, Ian Jackson wrote:
> It would be possible to have an "emeritus" keyring, I guess.  Since it
> would only be used for email forwarding and a few other things, it
> could have weaker security requirements.

Technically such a keyring exists, but it is not exported anywhere.
But if 1024D are not considered secure anymore, I don't see the point of
considering them "not secure, not trustable, but we don't care about
email forward so we're fine with having them hijacked", which feels like
what you are proposing.

IMHO if somebody cares to keep their forward email usable they can very
well care enough to have a robust enough key and keep it in the keyring,
and possibly be demoted to non-uploading DD where the MIA team is not
looking at.
And most of all, they would need to care enough to carry on such
conversation to see it happen, whilst in most cases it seems to me the
people first asking for such thing are nowhere near "interested" and
expect others to carry on their wishes.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-




Re: Emeritus status, and email forwarding [and 1 more messages]

2017-11-15 Thread Ian Jackson
Peter Palfrader writes ("Re: Emeritus status, and email forwarding"):
> Without a key in a keyring that somebody maintains, authenticating such
> requests, even manually, is going to be a PITA.

Mattia Rizzolo writes ("Re: Emeritus status, and email forwarding"):
> In many cases (such as this particular one) people don't have a viable gpg
> key anymore in the keyring: that means they can't email
> chan...@db.debian.org to update their LDAP details (theoretically, they
> might still know the LDAP password and do it from there, but in practice
> all the people who reach that point already forgot it).

It would be possible to have an "emeritus" keyring, I guess.  Since it
would only be used for email forwarding and a few other things, it
could have weaker security requirements.

But this is all just hot air from me now, because I'm afraid I am not
volunteering to implement or maintain it :-/.

Regards,
Ian.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.



Re: Emeritus status, and email forwarding

2017-11-15 Thread Peter Palfrader
On Wed, 15 Nov 2017, Michael Stone wrote:

> On Wed, Nov 15, 2017 at 11:53:18AM +, Ian Jackson wrote:
> > Unfortunately it would mean that such people would still need some
> > kind of login on Debian systems, so that they could update the email
> > forwarding.  But it wouldn't have to have the wide powers of an active
> > DD/DM account.
> 
> Unless this turns into an extremely popular option it seems like updating
> could be done manually, with no need for a complicated technical solution.

Without a key in a keyring that somebody maintains, authenticating such
requests, even manually, is going to be a PITA.

-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/



Re: Emeritus status, and email forwarding

2017-11-15 Thread Michael Stone

On Wed, Nov 15, 2017 at 11:53:18AM +, Ian Jackson wrote:
> Unfortunately it would mean that such people would still need some
> kind of login on Debian systems, so that they could update the email
> forwarding.  But it wouldn't have to have the wide powers of an active
> DD/DM account.

Unless this turns into an extremely popular option it seems like updating
could be done manually, with no need for a complicated technical
solution.


Mike Stone



Re: Emeritus status, and email forwarding

2017-11-15 Thread Mattia Rizzolo
On Wed, Nov 15, 2017 at 11:53:18AM +, Ian Jackson wrote:
> Unfortunately it would mean that such people would still need some
> kind of login on Debian systems, so that they could update the email
> forwarding.

In many cases (such as this particular one) people don't have a viable gpg
key anymore in the keyring: that means they can't email
chan...@db.debian.org to update their LDAP details (theoretically, they
might still know the LDAP password and do it from there, but in practice
all the people who reach that point already forgot it).

So there is really a very technical issue to overcome for your proposal.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

