Intent to become a Debian Maintainer (DM)

Hi

This is my declaration of intent to become a Debian Maintainer [0].
I have read the Social Contract, Debian Free Software Guidelines and
Debian Machine Usage Policy and agree with all of them.
Currently, I maintain the packages
 o giplet
 o tuxcmd
 o tuxcmd-modules
and have open ITPs for media-applet and udav (which is currently
reviewed).
My GnuPG key 518DA394 is signed by the Debian Developers:
 o Adrian von Bidder (92082481)
 o Daniel Lutz (14E06AAF)
I look forward to becoming a Debian Maintainer. Thanks for your
attention.

Kind regards
Salvatore

 [0] http://wiki.debian.org/Maintainers

On Sun, May 10, 2009 at 12:27:19PM +0200, Salvatore Bonaccorso wrote:
> Currently, I maintain the packages
>  o giplet
>  o tuxcmd
>  o tuxcmd-modules

Sorry about the not complete list here:
Adding here also the small tool "bosh" which is now waiting in NEW and
was kindly uploaded/sponsored by Patrick Matthäi
<pmatthaei@...> (but as said, it didn't pass the NEW queue
yet).

So it's not yet in the archive, but maybe I can also add it to the
above list.

Bests
Salvatore

On Sun, May 10, 2009 at 6:27 PM, Salvatore Bonaccorso
<salvatore.bonaccorso@...> wrote:

> My GnuPG key 518DA394 is signed by the Debian Developers:

0x518DA394 is a 1024-bit DSA key, you might want to switch to a new key:

http://www.debian-administration.org/users/dkg/weblog/48

In addition, you may want to set a key expiry date.

--
bye,
pabs

http://wiki.debian.org/PaulWise


--
To UNSUBSCRIBE, email to debian-newmaint-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Hi Paul

On Mon, May 11, 2009 at 10:42:21AM +0800, Paul Wise wrote: Thanks again for the pointers. I will go then first through the
migration process of the key, but it might unfortunately take me some
times before I have probably again at least one signature from a
Debian developer.

Bests
Salvatore

On 05/10/2009 10:42 PM, Paul Wise wrote:
> On Sun, May 10, 2009 at 6:27 PM, Salvatore Bonaccorso
> <salvatore.bonaccorso@...> wrote:
>
>> My GnuPG key 518DA394 is signed by the Debian Developers:
>
> 0x518DA394 is a 1024-bit DSA key, you might want to switch to a new key:
>
> http://www.debian-administration.org/users/dkg/weblog/48

As the author of this blog post (and as a DM, and as someone currently
in NM), i'd certainly be happy if new DMs (and those in process) would
consider it.  It'll put us all in a better position should SHA-1 become
more severely compromised.

But it shouldn't be any sort of binding requirement unless we're willing
to go through the usual policy procedure, so that reasonable people have
a chance to discuss the requirements.  We haven't seen anything like a
specific, demonstrated attack against our infrastructure, and rushing
into a requirement without discussion seems just as likely to end up
with poor requirements as it does more robust infrastructure.

Since the DM process has a mandatory 1-year renewal period (the "DM
ping"), any change in policy could take effect in a relatively short
time anyway.

So Salvatore, please consider the recommendations, but also feel free to
continue on the DM process (i believe you still need an advocate) with
the key you have (since it's already signed by two DDs), and consider
having a new key available before you get the chance to meet up with any
other DDs, so that you can have a stronger key in the DM keyring when
you get a chance.

> In addition, you may want to set a key expiry date.

I agree that reasonable adoption of key expiry is a minorly useful way
to stay on top of managing your digital identity, in particular to
protect it against an infinitely-valid-yet-unusable key in the event of
major hardware failure with no revocation certificate available.
However, due to the fact that a malicious keyholder can always extend
the expiration date, expiry doesn't do much against compromised keys.
Holding a revocation certificate in reserve is really the Right Way to
implement such a "kill switch" against a potentially-compromised key,
but i see no way to ensure that people do that responsibly without just
asking them if they have such a rev cert available and believing their
answer.

And for the purposes of becoming a DM, i think an expiration date (while
advisable) should not be required because we already have the (stronger)
"DM ping" requirement.

        --dkg

Hi Daniel

On Mon, May 11, 2009 at 01:24:47AM -0400, Daniel Kahn Gillmor wrote: I'm really appreciating your detailed explanation and your view on that.
I would anyway try to get again signatures from Adrian von Bidder and Daniel
Lutz on a new key, since they are both in the same country.

Yes you are correct, I still need an advocate for my application.

Many thanks and kind regards
Salvatore

Hi,

I support his application to become a Debian maintainer, because I
believe he has enough skills to manage the packages.

He did not choose easy packages to start (tuxcmd and plugins), but I
think he managed that quite good (even though there is one long opened
RC bug, but it is not because he would be unresponsive).

I hereby advocate Salvatore Bonaccorso application.

--
        Michal Čihař | http://cihar.com | http://blog.cihar.com

Hi,

I support his application to become a Debian maintainer, because I
believe he has enough skills to manage the packages.

Ho does good job maintaining his packages which I do regularly upload
and is really helpful in comaintaining geeqie.

--
        Michal Čihař | http://cihar.com | http://blog.cihar.com