*shuffles around the desk looking for his keyring-maint hat* *finds the hat and puts it on his head*
Ehem...

Sam Hartman wrote [Sun, Oct 03, 2021 at 11:00:30AM -0600]:
> It's very much about identity, but normally it's about identity in the
> sense of "I interacted with this person using this key for six months."
>
> I guess there's nothing wrong with an endorsement for a single
> interaction, but my understanding is that in deciding to approve key
> consistency checks, front desk is looking for a long history with a key,
> so a one-time endorsement is unlikely to hold much value on our side.

<keyring-maint>

I completely agree with Sam here. We can easily check whether a given upload was signed by a given key. However, as you know, the main way to assert your identity towards Debian for a long-term commitment is... your GPG key.

Key endorsements were invented because of the difficulty for many of getting real-life interactions with other developers, especially since the COVID-19 outbreak (but also due to living in a developer-sparse geographic region). We want endorsements to reflect you have had a real, meaningful interaction WRT Debian with a {person,key} pair, helping assert that said pair has held for a long enough time for Debian to grant privileges to said person.

So... I would not be comfortable in accepting an identity assertion based on a just-one-off endorsement.

</keyring-maint>