On Wed, Feb 14, 2018 at 10:06:24PM +0000, Jonathan McDowell wrote:
> Fingerprint changes are currently allowed for anyone who doesn't have an
> account in LDAP, which includes DMs without a guest account. However
> this means that the DM keyring gets out of sync with what nm.debian.org
> thinks is the state of the world. "hibby" is a good example of this.

I changed hibby back to the key he had before. He clearly wasn't using
his new one, and his change was fairly old. The most similar case now is
tkren, see below.

We have 3 other cases right now:
 * kaction: old DM key revoked, currently running for DD with a new key
   - I asked him to start the key migration with keyring-maint
 * weinholt: DD returning from retirement; he had to add a new 4096R key
   as his past 1024D was no good anymore. We will just have to wait for
   this, but how would you have handled it from the keyring-maint side?
   I don't believe you'd have liked an "emeritus key rollover" :P
 * tkren: DM who tried to apply for DD with a different key.

> We shouldn't allow DMs to change their fingerprint via nm.debian.org;
> once you're part of the project you should go through the usual keyring
> replacement process.

Enrico told me that the ability to become a DD with a key different
than the one used while being a DM is a feature (i.e., on the
keyring-maint side it looks like "add new dd key + remove dm key"
instead of "move key from dm to dd"), and it has been done in the past.

I'm not sure it's a good excuse, and I kind of agree with noodles here;
however, I also don't think prospective applicants should need to wait
for the monthly update to start a process if they want or need a new
key.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :' :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-