Hi Santiago,

I agree with you that key endorsements should be better documented. In fact, I 
had issues myself understanding the requirements/process as key endorsements 
are not even mentioned in https://wiki.debian.org/DebianMaintainer.

Other than with werdahias, to whom I am exceedingly grateful for agreeing to 
be my advocate, I have worked with other DDs during the last months, so I hope 
I'll be able to obtain at least one other key endorsement. As for the trust 
placed in my key, could you please let me know if you would consider what 
follows to satisfy the trust requirements, especially since you say that the 
endorsements must be strong ones and since I need to ask another DD? Of course, 
I am fully aware that it's ultimately DDs that must testify for these 
requirements, so please interpret my question as only aimed at better 
understanding the process, and what I may or may not ask, for lack of 
documentation.

The key with fingerprint 50CF C9D5 E5BD E1CB CA57  FD7B 6DF0 08E7 0F28 CBF7 is 
the one I'm currently using on Salsa. My email address, from which I'm writing 
and which I use for all projects I'm involved in, is verified on Salsa. My 
first contribution on Salsa [1] dates back to May 26th and was reviewed by 
werdahias and others (werdahias wrote two months in the key endorsement 
message, but to this date it's actually exactly four). However, I did not start 
signing commits before I decided I wanted to become DM (a couple of months 
ago). Even then, I first started using an older RSA key I was using for other 
stuff, and then replaced it with a brand new ECC key, which I've now been using 
for around one month to sign my commits, and is the one with the fingerprint 
reported above (endorsed by werdahias after receiving proof that I own both 
keys). Both the keys are registered in Salsa, and the first key is signed by 
the second one to keep track of the link. I could of course also sign the 
second with the first if needed. In Salsa I've been a member of the Rust Team 
for exactly two months (albeit contributing for longer from outside) and I 
count ~ 100 contributions to debcargo-conf alone, plus many others to the 
non-rust components of the Asahi ecosystem packaged in Debian. Not all of these 
are signed, but a large majority of them are since early August at least, and 
they are linked to an account with a fairly longer contribution history, as 
noted above.

Given the above, would an endorsement from two DDs attesting this kind of link 
between key and contributions be considered strong enough for consideration as 
DM?

Best,

NC
