Debian Project Leader election 2019: First call for votes

classic Classic list List threaded Threaded
25 messages Options
12
Reply | Threaded
Open this post in threaded view
|

Debian Project Leader election 2019: First call for votes

Kurt Roeckx - Debian Project Secretary
Hi,

This is the first call for votes on the DPL election of 2019.

     Voting period starts      2019-04-07 00:00:00 UTC
     Votes must be received by 2019-04-20 23:59:59 UTC

This vote is being conducted as required by the Debian Constitution.
You may see the constitution at https://www.debian.org/devel/constitution.
For voting questions or problems contact [hidden email].

The details of the candidate's platform can be found at:
https://www.debian.org/vote/2019/platforms/

Also, note that you can get a fresh ballot any time before the end of
the vote by sending a mail to
   [hidden email]
with the subject "leader2019".

To vote you need to be a Debian Developer.


HOW TO VOTE

First, read the full text of the platform.

You might also want to read discussions with the candidates at
https://lists.debian.org/debian-vote/

To cast a vote, it is necessary to send this ballot filled out to a
dedicated e-mail address, in a signed message, as described below.
The dedicated email address this ballot should be sent to is:

  [hidden email]

The form you need to fill out is contained at the bottom of this
message, marked with two lines containing the characters
'-=-=-=-=-=-'. Do not erase anything between those lines, and do not
change the choice names.

There are 5 choices in the form, which you may rank with numbers between
1 and 5. In the brackets next to your preferred choice, place a 1.
Place a 2 in the brackets next to your next choice. Continue until you
reach your last choice.  Do not enter a number smaller than 1 or larger
than 5.

You may skip numbers, leave some choices unranked, and rank options
equally.  Unranked choices are considered equally the least desired
choices, and ranked below all ranked choices.

To vote "no, no matter what", rank "None Of The Above" as more desirable
than the unacceptable choices, or you may rank the "None Of The Above"
choice and leave choices you consider unacceptable blank.  (Note: if the
"None Of The Above" choice is unranked, then it is equal to all other
unranked choices, if any -- no special consideration is given to the
"None Of The Above" choice by the voting software).

Finally, mail the filled out ballot to: [hidden email].

Don't worry about spacing of the columns or any quote characters (">") that
your reply inserts.

NOTE: The vote must be GPG signed (or PGP signed) with your key that is
in the Debian keyring.  You may, if you wish, choose to send a signed,
encrypted ballot: use the vote key appended below for encryption.

The voting software (Devotee) accepts mail that either contains only an
unmangled OpenPGP message (RFC 2440 compliant), or a PGP/MIME mail
(RFC 3156 compliant).  To avoid problems I suggest you use PGP/MIME.

VOTING SECRECY

This is a secret vote. After the voting period there will be a record
of all the votes without the name of the voter. It will instead contain
a cryptographic hash. You will receive a secret after you have voted
that can be used to calculate that hash. This allows you to verify
that your vote is in the list.


- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
da28eb82-f68c-43f8-ad15-523d13b0fd5d
[ ] Choice 1: Joerg Jaspert
[ ] Choice 2: Jonathan Carter
[ ] Choice 3: Sam Hartman
[ ] Choice 4: Martin Michlmayr
[ ] Choice 5: None Of The Above
- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-

----------------------------------------------------------------------

The responses to a valid vote shall be signed by the vote key created
for this vote. The public key for the vote, signed by the Project
secretary, is appended below.

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFyotC8BEADB/xehZo0bUiiULBXtkkQKw4l06/s+VLITwKkZTobMM6ydVWzk
yuOkKSl/UyLfbcgtbOgWIYPYGFHBimZle0fbfl+lmpt8GHkwjAtSTkku42NSspq+
O/twU83VKitoBHraDZGsCFmDcbAlKCI0hUW01p3GP0CLWWBm55KkJRY3zBsxqvf2
PS5m/6TMFnZwn8hpYBz9miNk/LZhI+DaE//LHRMRU1MORUicGX+umtWb1vjjmiZH
wWlm6z07vZtzxqqYYJdJu96Qap8uWVqv5LJJBDmXDfG/KTse0+u/vAQq+Jmp/Xv0
FF3amq6+ZtcIiF0sybHitHc36sricGKKnkEdHm3D86J2PNmCFCijhmaN02TAPk6Q
LLSMGa7TWGM3FcVa2nn9oMSnkw53rd2eK5tTZRw0pP+xulMt+AhbC9Vn287ieWaz
Ws8rTc9g3kJQG+AUSU5VNTLp/zTH5KYXwd6F3tFQ9sAGpP7VnbTDmBfjZTYB+twG
ni2JOj49UGWKKEKWPXh7PvDmzRkytcqS9LU61OSiCwJg3Kipl+DNqkwOewLSFXew
LTP60S2VSGNG07z+OtfFvozChus+tMsQyMJCyHtvuMGExdV5nzBJ1M7I/eOCXkAj
QQLSG8tgQVSrS2pZcrxuiTFqlwjTUjYYK9YaNOi/yLRfW0fsskf7nJBtiQARAQAB
tCpEUEwgdm90ZSAyMDE5IDxsZWFkZXIyMDE5QHZvdGUuZGViaWFuLm9yZz6JAj4E
EwEIACgFAlyotC8CGwMFCQAVGAAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ
EAjhC5hPla7XWroQAKqexeTYz7jLgTZZmO+QuUox5NQH+amb3fDL4Pzba1oZ1OMR
QRGpVVxC8oeRApzeF8rylQm0Dk/eNPTLj8J6kZRnYe0LeBuWFIlnI7RwCNz1fXnr
pOiozcpYJWjHJYaySWg9UkwXS4gkwtpu+xCtDtKoCKUUAUj+DQAP4emwpA8KXxy2
jM5OVOVvvXe1XWwmXpdRa/N3IlXB6bzIPXPdwlLiI89Bpg2Iv++ccp7hB0sqKn91
69TAB07Isst0XRKPo6dwQEwUgFJI1x994n9oRGsUlROfh6v3KUWKTW8n7TNTUy8r
J08qFxhIFaC4sHLii1veLrc0v/U5w2BmCx2cIStCyYiJEt+Py1osw49jlqMbQOkX
sDwyRQWDfgZ21wGJaXSC3GQ5O/PWPSkPz9eKyfkfCoJFf86zu3nkivt4SJ3okQja
sOVkC9svvKuCf1TKicxzb0RV2k53qGyOeHeaEirKK6pQ5bLKg83WGmQ60zNla3dL
WNF9zxpXKXNG2CkEmSd1+AQ/OXgQYxKxCR24qQ3JHzIb/D2gBYVkKGRrVkNnqE1u
uSgFYdVxqxzQiweukuJVssKs38pE1paKAdT0yPgh8F8d51Nt2InHyAZP1xP5AhtF
hsT4ZYE6IyDvqcknb2DJTy3B1tcP3vYVR1pzn8HfoHv/cXkbOnL2cgM3dpYwiQIz
BBABCgAdFiEE5eUlYN2RxVbdvaXQIGTFNkHCXl0FAlyotH4ACgkQIGTFNkHCXl2r
iw//TH/Fm0F7Kkomu9pj8HATfdaerQXvpF+CjTZZIk3zoCsl0JitJcDklGKyaHgF
APiQQbFmA5zrSR+xNEDzjQlBpAGuqoYZbflp0N5Gu093hloPdHRm7KgHwKHfsp5H
tLFUwgDEdbGuoWRT8lYCyIoe+qX5MDPdzj3fSl4M5lJC3ns0Ij41X9vzrtugXfon
iN7qkPJQBilOo1xsN3S7ccxr4Ly3ZuFq1lF9eL+VsK0ik0kM+PyRVlR0LEyEb2KG
bMRPpQYo+DfguHAehgwhscDbPJm9ImuGpI2a6zmTvBoY0RAHknRz/KISUO3tJJ9R
XHud0sUobt7b8YfYjDYKo/li2+tyVVtXsl76U9PCgUSBbq2CXHMsSUJc0Eh9UQei
tBtwD249bkT6l40Hvj0vdVeUxiAHkudtezBfwQznNJwj48zVj0qGEtxXZbKDfClp
uBysMrWaTXz2IEwpJfcw4PXWCx5Zh5xDjV7AywVXTwXaJgGN+gbKrlY4nb+2Dr6V
2e+2gVrqNVPYuqBYdrvsOfX4qKQfkCuLPJy5I9/LT6JaLXfbfXQ+H4HQ/Bp5Ja5V
/QgsVnVMC8sGnmCxHFCEwScooHclcRiFWelW8BeuxMRri8sH3Lsw11gF3Bx3aiSx
R+8kO6JtXEqC4rSTH7iCQpmDDIGJyNbay/6Kxjdo1ONzqb25Ag0EXKi0LwEQAL89
0dELcUqqgUG+1HZ6VCmGJNa54frs6GEZ6pmZio6umrpQEpMpRHEC7OxEoxW5qjHf
15trI+g3jMl89U6CF5FAtwBYxeIAA5tf7UKeuDiLs9wOysMo9kNhKSxudygRGCie
ff31CsU7cVLmCFOUIATHD7AcZwbGx2c/AHPl8iTEg+X0RunwmUN1zSiLdbNkJCKJ
XXQejoXozpPDQVYnrQeeSMSzX1pQJQUA2ljk2doVh9nY5gF+52tXsdtkXQwbChrQ
VokrOB4D1uIop1c1X5C6FuHOekVNBuBHFZnMA+o8FasUiVjDvMF4f5aJsuORQugX
edzt5J28z2rVVY3BiRNdtz1Imf4uabfNsneNJZ9m433KXOnWoH1WVH2GNzNa/uK3
RnINmzQT+eT8B/L6+YjHL2KlTGIRpjEPxWK/JcJXj4OyuEBnqrIO+RHXMeV+rEf1
zaaLOSBXImvY9bFHsePYkGlNW+ExfqAkAl+PrVSAEM2yn8QwktYU6gF/mxS7kPpx
RbZvaD+TAyEA2o2IK+KaF8I+hm/AqdNvOeccA8Xoqn+Y9v0KD6cKICSNMht/lb7x
A8/Qcj/pgemFNiSxfAN6Xwrx9EeojHpT0bChwTrfbTRYD9NbTC6K9RiJtTFlFeD5
J6MKHc5/k9uTEdpDqqpHoqGnfS5HcnbHHGAEGm6XABEBAAGJAiUEGAEIAA8FAlyo
tC8CGwwFCQAVGAAACgkQCOELmE+VrtdG1hAAn/kryRSJaScErpo+Z62zuggA1Izy
ASD7VfamQi88r45CmfJEVC5grfy5FwPYOf4GcH4lTwlptmLjrJY7iFLrZ+ketyEK
1YojdaQdaX8DA/b5yGKfI2LFSzAV4Kpe1MsE3mj0qJCHRceP0+XCcwkmlanpfy4D
uHTOPTC1xb4a0enHMsapOBttpl3VhwMwMDs1TibNACgNVJHGIM+GCoMXhuNxgj2a
uJKFTqW1Rg0sZiWFDPHdafp6xoKcBz+w+a7qUxLP9xeJ1gpiaeKo5bQEcvHKrQQB
PH2mICwLBgW5Vnm+GhO9ZjitLKUTaRjS99Ul84urKAMXj+U2C/O15FhHZXCx/8zL
eUHfH0It+zHLKxIlp804fKj34RCtkAW3B2YMRYag8CEOjIp3rnB+S2hcoCEsTS55
rNU/jSH38kgheuZiMXQ3WIgjNqrnZlQpxtsRl+WomQmT3LmmS1TmkXkiKlJeZto8
pMuPx3XUPnwXK2GUGL7EkiL/sZkT3fKcfbssuP8HIMdwHwXR8MKylJmZgIoKm8Is
eAs2Zs5wIuNYHH1TgUjPK9rfBhBqlZ0yxxqhDGJmjMmvCOP04xdOImpk84R1SGaB
52QDhdQhTNhlC1lDthfNlKtw3WNlVo3MIMSkWlNZoDLVCkCSPGigWaquhfkqZu0r
oyGF2tHwV5scSu0=
=2Tq2
-----END PGP PUBLIC KEY BLOCK-----


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Mathias Behrle-10
Hi all,

I have set up an expiry on my GPG key:
- originally set to 2019-04-07
- updated on 2019-04-08 to 2021-04-06 and pushed to various keyservers
  including keyring.debian.org.

But nevertheless my ballot is rejected, because obviously the old key is used
(s. the error report below).

What can I do to get my ballot tested against my actual updated key?

Do I have to wait for a keyring sync of the DD Keyring? When will it happen? Do
I have to get in touch with someone to get the key synced?

Thanks for your help
Mathias




        This is an error report about your vote [record msg00118.raw]
 for the vote
 "Debian Project Leader 2019 Election"
 sent in on Tue, 9 Apr 2019 09:38:59 +0200, with the subject
 "Re: Debian Project Leader election 2019: First call for votes"
 The message ID is <[hidden email]>.
 The message base is msg00118.
 The following errors were reported:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
There was a problem verifying the signature on the ballot.
FAILURE:
 Reason: Failed to find valid signed message in mail body
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1554624896
[GNUPG:] KEY_CONSIDERED AC297E5C46B9D0B61C717681D6D09BE48405BBF6 0
[GNUPG:] KEYEXPIRED 1554624896
[GNUPG:] SIG_ID mwgOoKbGDJEFQ223bQPUVlc417w 2019-04-09 1554795539
[GNUPG:] KEYEXPIRED 1554624896
[GNUPG:] KEY_CONSIDERED AC297E5C46B9D0B61C717681D6D09BE48405BBF6 0
[GNUPG:] EXPKEYSIG D6D09BE48405BBF6 Mathias Behrle <[hidden email]>
[GNUPG:] VALIDSIG AC297E5C46B9D0B61C717681D6D09BE48405BBF6 2019-04-09
        1554795539 0 4 0 1 10 01 AC297E5C46B9D0B61C717681D6D09BE48405BBF6


The ballot decrypted correctly, but was not signed
So this means that either the ballot was not signed at all
or that it uses RFC 1847 Encapsulation, where the ballot
is first signed as a multipart/signature body, and then
encrypted to form the final multipart/encrypted body --
but something went wrong in verifying the signature.
In either case, the ballot is being rejected.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
gpg: WARNING: unsafe permissions on homedir
'/srv/vote.debian.org/data/leader2019' gpg: encrypted with 4096-bit RSA key, ID
3593ACB276DCAEE3, created 2010-06-01 gpg: encrypted with 4096-bit RSA key, ID
F9DFF93A59673F5A, created 2019-04-06 [GNUPG:] ENC_TO F9DFF93A59673F5A 1
0[GNUPG:] KEY_CONSIDERED 58D81C29D1ABF34205B6F94C08E10B984F95AED7 0[GNUPG:]
KEY_CONSIDERED 58D81C29D1ABF34205B6F94C08E10B984F95AED7 0[GNUPG:] ENC_TO
3593ACB276DCAEE3 1 0[GNUPG:] KEYEXPIRED 1554624896[GNUPG:] KEY_CONSIDERED
AC297E5C46B9D0B61C717681D6D09BE48405BBF6 0[GNUPG:] NO_SECKEY
3593ACB276DCAEE3[GNUPG:] KEY_CONSIDERED
58D81C29D1ABF34205B6F94C08E10B984F95AED7 0[GNUPG:] BEGIN_DECRYPTION[GNUPG:]
DECRYPTION_INFO 2 9[GNUPG:] PLAINTEXT 62 1554795539 [GNUPG:]
DECRYPTION_OKAY[GNUPG:] GOODMDC[GNUPG:]
END_DECRYPTION-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

        This ballot is being rejected.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
        If you have already voted again, please ignore this.

 You can always get a new ballot by mailing
 [hidden email] with the subject "leader2019"

  The time now is Tue Apr  9 07:40:03 2019

        Thanks for your participation.

--

    Mathias Behrle
    PGP/GnuPG key availabable from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71  7681 D6D0 9BE4 8405 BBF6

Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Joerg Jaspert
On 15367 March 1977, Mathias Behrle wrote:

> - originally set to 2019-04-07
> - updated on 2019-04-08 to 2021-04-06 and pushed to various keyservers
>   including keyring.debian.org.

That was a bit late, but the right place to send to.

> Do I have to wait for a keyring sync of the DD Keyring? When will it happen?
> Do
> I have to get in touch with someone to get the key synced?

Yes, same as for the archive and uploads.

Updates send to keyring.d.o are not automagically included in the
keyrings the debian infratructure uses. It needs a keyring maint to run
some tool.

*Usually* they do not do that during running elections, just short before they
 start,
so you may be out of luck.

--
bye, Joerg

Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Ian Jackson-2
Joerg Jaspert writes ("Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)"):
> *Usually* they do not do that during running elections, just short
> before they start, so you may be out of luck.

In that case I think the Secretary should make some alternative
arrangements, since (i) there is no doubt that Matthias is eligible to
vote (ii) it will be possible to verify the authenticity of Matthias's
vote, albeit by using an ad-hoc or alternative arrangement.

Ian.

--
Ian Jackson <[hidden email]>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Mattia Rizzolo-5
In reply to this post by Joerg Jaspert
On Tue, Apr 09, 2019 at 12:12:10PM +0200, Joerg Jaspert wrote:
> On 15367 March 1977, Mathias Behrle wrote:
>
> > - originally set to 2019-04-07
> > - updated on 2019-04-08 to 2021-04-06 and pushed to various keyservers
> >   including keyring.debian.org.
>
> That was a bit late, but the right place to send to.

FYI, the last keyring update was done on 2019-03-24, and they are
generally done monthly.
So, yes, late.

> Updates send to keyring.d.o are not automagically included in the
> keyrings the debian infratructure uses. It needs a keyring maint to run
> some tool.
>
> *Usually* they do not do that during running elections, just short before
> they start,
> so you may be out of luck.

You could try to contact the keyring-maint team, maybe they are willing
to do an ad-hoc update to include your key, but I expect you'll be out
of luck.

--
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Mathias Behrle-10
In reply to this post by Joerg Jaspert
* Joerg Jaspert: " Re: Failing GPG key (was: Re: Debian Project Leader election
  2019: First call for votes)" (Tue, 09 Apr 2019 12:12:10 +0200):

Hi Joerg,

thanks for your answer.

> On 15367 March 1977, Mathias Behrle wrote:
>
> > - originally set to 2019-04-07
> > - updated on 2019-04-08 to 2021-04-06 and pushed to various keyservers
> >   including keyring.debian.org.  
>
> That was a bit late, but the right place to send to.

Yes, I got now aware of this.

> > Do I have to wait for a keyring sync of the DD Keyring? When will it
> > happen? Do
> > I have to get in touch with someone to get the key synced?  
>
> Yes, same as for the archive and uploads.
>
> Updates send to keyring.d.o are not automagically included in the
> keyrings the debian infratructure uses. It needs a keyring maint to run
> some tool.
>
> *Usually* they do not do that during running elections, just short before
> they start,
> so you may be out of luck.
If so then I think there is a clear gap in the procedures.

- What about DDs being approved just during the voting period? They should
  clearly be able to vote.
- What about DDs losing their right during the voting period? Should their
  ballots be valid?

Regarding the update of the expiration date I surely was late, but nevertheless
the procedure itself is considered best practice [1][2], so it is absolute
legitimate in my understanding.

To cover cases like mine it would probably be good practice to update the
keyring at least shortly before the end of the voting period. Of course I
understand very well that the workload on the keyring maintainers should
be kept at a reasonable size.

Anyway I will now contact KeyringMaint and Secretary to see if we can find a
way to solve the problem.

Thanks again
Mathias




[1]
https://riseup.net/en/security/message-security/openpgp/best-practices#use-an-expiration-date-less-than-two-years
[2] http://www.g-loaded.eu/2010/11/01/change-expiration-date-gpg-key/

--

    Mathias Behrle
    PGP/GnuPG key availabable from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71  7681 D6D0 9BE4 8405 BBF6

attachment0 (884 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Mathias Behrle-10
In reply to this post by Ian Jackson-2
* Ian Jackson: " Re: Failing GPG key (was: Re: Debian Project Leader election
  2019: First call for votes)" (Tue, 9 Apr 2019 12:13:32 +0100):

Hi Ian,

> Joerg Jaspert writes ("Re: Failing GPG key (was: Re: Debian Project Leader
> election 2019: First call for votes)"):
> > *Usually* they do not do that during running elections, just short
> > before they start, so you may be out of luck.  
>
> In that case I think the Secretary should make some alternative
> arrangements, since (i) there is no doubt that Matthias is eligible to
> vote (ii) it will be possible to verify the authenticity of Matthias's
> vote, albeit by using an ad-hoc or alternative arrangement.

Indeed and thanks for confirming. In principle my refused ballots are valid
(i.e. signed with a valid key), but they are checked against an invalid key.

As previously said in my answer to Joerg I will try to find a way with
KeyringMaint and/or Secretary to get a solution.

Cheers
Mathias


--

    Mathias Behrle
    PGP/GnuPG key availabable from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71  7681 D6D0 9BE4 8405 BBF6

Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Mathias Behrle-10
In reply to this post by Mattia Rizzolo-5
* Mattia Rizzolo: " Re: Failing GPG key (was: Re: Debian Project Leader
  election 2019: First call for votes)" (Tue, 9 Apr 2019 13:16:43 +0200):

Hi Mattia,

> On Tue, Apr 09, 2019 at 12:12:10PM +0200, Joerg Jaspert wrote:
> > On 15367 March 1977, Mathias Behrle wrote:
> >  
> > > - originally set to 2019-04-07
> > > - updated on 2019-04-08 to 2021-04-06 and pushed to various keyservers
> > >   including keyring.debian.org.  
> >
> > That was a bit late, but the right place to send to.  
>
> FYI, the last keyring update was done on 2019-03-24, and they are
> generally done monthly.
> So, yes, late.
>
> > Updates send to keyring.d.o are not automagically included in the
> > keyrings the debian infratructure uses. It needs a keyring maint to run
> > some tool.
> >
> > *Usually* they do not do that during running elections, just short before
> > they start,
> > so you may be out of luck.  
>
> You could try to contact the keyring-maint team, maybe they are willing
> to do an ad-hoc update to include your key, but I expect you'll be out
> of luck.
Also thanks to you, at least it is now clear to me what happened and what to
try.

Cheers
Mathias

--

    Mathias Behrle
    PGP/GnuPG key availabable from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71  7681 D6D0 9BE4 8405 BBF6

attachment0 (884 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Joerg Jaspert
In reply to this post by Mathias Behrle-10
On 15367 March 1977, Mathias Behrle wrote:

>> *Usually* they do not do that during running elections, just short before
>> they start, so you may be out of luck.
> If so then I think there is a clear gap in the procedures.

That may be, though they are like this for a long time now.

> - What about DDs being approved just during the voting period? They should
>   clearly be able to vote.

It has always been avoided to add new DDs during voting period to avoid
accusations of "rig a vote by letting the right people join at that
moment".

> - What about DDs losing their right during the voting period? Should their
>   ballots be valid?

That also hasn't happened that I can remember.

> To cover cases like mine it would probably be good practice to update the
> keyring at least shortly before the end of the voting period. Of course I
> understand very well that the workload on the keyring maintainers should
> be kept at a reasonable size.

I can see value in both ways, but I keep myself out of this. Not for me
to say, I just reported on the current state as I know it.

--
bye, Joerg

Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Mathias Behrle-10
* Joerg Jaspert: " Re: Failing GPG key (was: Re: Debian Project Leader election
  2019: First call for votes)" (Tue, 09 Apr 2019 16:44:43 +0200):

> On 15367 March 1977, Mathias Behrle wrote:
>
> >> *Usually* they do not do that during running elections, just short before
> >> they start, so you may be out of luck.  
> > If so then I think there is a clear gap in the procedures.  
>
> That may be, though they are like this for a long time now.

I understand, despite long standing procedures don't justify themselves only for
their long time being.

> > - What about DDs being approved just during the voting period? They should
> >   clearly be able to vote.  
>
> It has always been avoided to add new DDs during voting period to avoid
> accusations of "rig a vote by letting the right people join at that
> moment".

Could as well be phrased: "rig a vote by not letting in the right people";)

> > - What about DDs losing their right during the voting period? Should their
> >   ballots be valid?  
>
> That also hasn't happened that I can remember.

And hopefully won't in the future. But the possibility exists.
 
> > To cover cases like mine it would probably be good practice to update the
> > keyring at least shortly before the end of the voting period. Of course I
> > understand very well that the workload on the keyring maintainers should
> > be kept at a reasonable size.  
>
> I can see value in both ways, but I keep myself out of this. Not for me
> to say, I just reported on the current state as I know it.

Thanks again,
Mathias



--

    Mathias Behrle
    PGP/GnuPG key availabable from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71  7681 D6D0 9BE4 8405 BBF6

Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Roberto C. Sánchez-2
On Tue, Apr 09, 2019 at 06:21:52PM +0200, Mathias Behrle wrote:

> * Joerg Jaspert: " Re: Failing GPG key (was: Re: Debian Project Leader election
>   2019: First call for votes)" (Tue, 09 Apr 2019 16:44:43 +0200):
>
> > On 15367 March 1977, Mathias Behrle wrote:
> >
> > > - What about DDs being approved just during the voting period? They should
> > >   clearly be able to vote.  
> >
> > It has always been avoided to add new DDs during voting period to avoid
> > accusations of "rig a vote by letting the right people join at that
> > moment".
>
> Could as well be phrased: "rig a vote by not letting in the right people";)
>
That would only be the case if the key were removed intentionally by
someone other than the owner of the key.  I have an expiry set on my own
key and that therefore makes me, and only me, responsible to ensure that
I update the expiry when necessary to avoid problems.

Regards,

-Roberto

--
Roberto C. Sánchez

Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Kurt Roeckx
In reply to this post by Mathias Behrle-10
On Tue, Apr 09, 2019 at 10:19:10AM +0200, Mathias Behrle wrote:

> Hi all,
>
> I have set up an expiry on my GPG key:
> - originally set to 2019-04-07
> - updated on 2019-04-08 to 2021-04-06 and pushed to various keyservers
>   including keyring.debian.org.
>
> But nevertheless my ballot is rejected, because obviously the old key is used
> (s. the error report below).
>
> What can I do to get my ballot tested against my actual updated key?
>
> Do I have to wait for a keyring sync of the DD Keyring? When will it happen? Do
> I have to get in touch with someone to get the key synced?

So as already explain, I get a keyring from the keyring
maintainers. This is not the same as the one in the archive, but
their current working version. If they update it, it also gets
updated on things like ftp-master and vote, but that might take
a few hours. I think most of this is documented somewhere, but
I currently can't find it.

In my expierence, they do update the keyring during the voting
period because each year some people run into this problem. I
suggest you that you send the updated key to keyring.debian.org
and contact them in case you have this problem.

There can be various reason why people that have the right to vote
are not able to do so. If that reason can't be resolved, I'm
willing to manually add the vote. I prefer not to do this, and
have never done so before. If it really can't be resolved, you
can contact the secretary. I will have at least the following
rules for such vote casts:
- The vote needs to be cast during the voting period.
- You should have a good reason why the normal procedure doesn't
  work for you
- I need some way to authenticate you


Kurt

Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key

Russ Allbery-2
In reply to this post by Mathias Behrle-10
Mathias Behrle <[hidden email]> writes:

> I have set up an expiry on my GPG key:
> - originally set to 2019-04-07
> - updated on 2019-04-08 to 2021-04-06 and pushed to various keyservers
>   including keyring.debian.org.

All discussion of the right way to handle keyring updates for a vote
aside, this is a good reminder that one of the drawbacks of setting key
expirations is that bumping the expiration date (or adding a new subkey)
is a bit more involved than it may appear and takes a while to propagate.

I bump the expiration date or generate a new subkey six months before the
current one will expire, and immediately push the new one to both the
general keyserver network and to keyring.debian.org.  Since I started
doing that, I've not had any problems; before that, I would occasionally
have trouble uploading to the backports archive or other issues due to
slower keyring updates.  Unless you have a specific application in mind
for a faster key expiration, I can recommend that practice as one that
seems to avoid issues.

(This is not to imply in any way that this is your fault.  I found this
aspect of things quite unintuitive myself.)

--
Russ Allbery ([hidden email])               <http://www.eyrie.org/~eagle/>

Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Ian Jackson-2
In reply to this post by Kurt Roeckx
Kurt Roeckx writes ("Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)"):
> [explanations]
...
> [advice]
...
> [offer of help]

Thank you for this helpful and constructive response.

Ian.

--
Ian Jackson <[hidden email]>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Kurt Roeckx
In reply to this post by Kurt Roeckx
On Tue, Apr 09, 2019 at 07:10:04PM +0200, Kurt Roeckx wrote:

> On Tue, Apr 09, 2019 at 10:19:10AM +0200, Mathias Behrle wrote:
> > Hi all,
> >
> > I have set up an expiry on my GPG key:
> > - originally set to 2019-04-07
> > - updated on 2019-04-08 to 2021-04-06 and pushed to various keyservers
> >   including keyring.debian.org.
> >
> > But nevertheless my ballot is rejected, because obviously the old key is used
> > (s. the error report below).
> >
> > What can I do to get my ballot tested against my actual updated key?
> >
> > Do I have to wait for a keyring sync of the DD Keyring? When will it happen? Do
> > I have to get in touch with someone to get the key synced?
>
> So as already explain, I get a keyring from the keyring
> maintainers. This is not the same as the one in the archive, but
> their current working version. If they update it, it also gets
> updated on things like ftp-master and vote, but that might take
> a few hours. I think most of this is documented somewhere, but
> I currently can't find it.
>
> In my expierence, they do update the keyring during the voting
> period because each year some people run into this problem. I
> suggest you that you send the updated key to keyring.debian.org
> and contact them in case you have this problem.
>
> There can be various reason why people that have the right to vote
> are not able to do so. If that reason can't be resolved, I'm
> willing to manually add the vote. I prefer not to do this, and
> have never done so before. If it really can't be resolved, you
> can contact the secretary. I will have at least the following
> rules for such vote casts:
> - The vote needs to be cast during the voting period.
> - You should have a good reason why the normal procedure doesn't
>   work for you
> - I need some way to authenticate you

This will also at least have as result that I need to disable
various things like automatic sending of the results, because it
would leak things about the vote(s) I needed to manually add.


Kurt

Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Mathias Behrle-10
In reply to this post by Roberto C. Sánchez-2
* Roberto C. Sánchez: " Re: Failing GPG key (was: Re: Debian Project Leader
  election 2019: First call for votes)" (Tue, 9 Apr 2019 13:03:43 -0400):

> On Tue, Apr 09, 2019 at 06:21:52PM +0200, Mathias Behrle wrote:
> > * Joerg Jaspert: " Re: Failing GPG key (was: Re: Debian Project Leader
> > election 2019: First call for votes)" (Tue, 09 Apr 2019 16:44:43 +0200):
> >  
> > > On 15367 March 1977, Mathias Behrle wrote:
> > >  
>  [...]  
> > >
> > > It has always been avoided to add new DDs during voting period to avoid
> > > accusations of "rig a vote by letting the right people join at that
> > > moment".  
> >
> > Could as well be phrased: "rig a vote by not letting in the right people";)
> >  
> That would only be the case if the key were removed intentionally by
> someone other than the owner of the key.  I have an expiry set on my own
> key and that therefore makes me, and only me, responsible to ensure that
> I update the expiry when necessary to avoid problems.

Could it be that you missed the smiley and that we talked in the cited
paragraph about something completely different than key expiries?

Apart from that you are completely right in assuming my responsibility.

Cheers
Mathias


--

    Mathias Behrle ✧ Debian Developer
    PGP/GnuPG key availabable from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71  7681 D6D0 9BE4 8405 BBF6

Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Mathias Behrle-10
In reply to this post by Kurt Roeckx
* Kurt Roeckx: " Re: Failing GPG key (was: Re: Debian Project Leader election
  2019: First call for votes)" (Tue, 9 Apr 2019 19:10:04 +0200):

> In my expierence, they do update the keyring during the voting
> period because each year some people run into this problem. I
> suggest you that you send the updated key to keyring.debian.org
> and contact them in case you have this problem.

That's already done.

If the keyring is updated once more during the voting period this will be
perfectly fine for me and I will be in position to vote again.
 

> There can be various reason why people that have the right to vote
> are not able to do so. If that reason can't be resolved, I'm
> willing to manually add the vote. I prefer not to do this, and
> have never done so before. If it really can't be resolved, you
> can contact the secretary. I will have at least the following
> rules for such vote casts:
> - The vote needs to be cast during the voting period.
> - You should have a good reason why the normal procedure doesn't
>   work for you
> - I need some way to authenticate you

Well noted, this will be kind of last ressort.

Thanks for your help,
Mathias


--

    Mathias Behrle ✧ Debian Developer
    PGP/GnuPG key availabable from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71  7681 D6D0 9BE4 8405 BBF6

Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key

Mathias Behrle-10
In reply to this post by Russ Allbery-2
* Russ Allbery: " Re: Failing GPG key" (Tue, 09 Apr 2019 10:17:15 -0700):

> All discussion of the right way to handle keyring updates for a vote
> aside, this is a good reminder that one of the drawbacks of setting key
> expirations is that bumping the expiration date (or adding a new subkey)
> is a bit more involved than it may appear and takes a while to propagate.
>
> I bump the expiration date or generate a new subkey six months before the
> current one will expire, and immediately push the new one to both the
> general keyserver network and to keyring.debian.org.  Since I started
> doing that, I've not had any problems; before that, I would occasionally
> have trouble uploading to the backports archive or other issues due to
> slower keyring updates.  Unless you have a specific application in mind
> for a faster key expiration, I can recommend that practice as one that
> seems to avoid issues.

I will do exactly like you explained in the future. The time frames needed to
get seamless functionality are indeed substantially longer than I had expected
in the first place.
 
> (This is not to imply in any way that this is your fault.  I found this
> aspect of things quite unintuitive myself.)

Thanks for the further aspects to keep in mind. As for me I *was* too late in
resetting the expiry. Shit happens. I don't think that will happen again;)

Cheers
Mathias

--

    Mathias Behrle ✧ Debian Developer
    PGP/GnuPG key availabable from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71  7681 D6D0 9BE4 8405 BBF6

Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Roberto C. Sánchez-2
In reply to this post by Mathias Behrle-10
On Tue, Apr 09, 2019 at 11:55:08PM +0200, Mathias Behrle wrote:

> * Roberto C. Sánchez: " Re: Failing GPG key (was: Re: Debian Project Leader
>   election 2019: First call for votes)" (Tue, 9 Apr 2019 13:03:43 -0400):
>
> > On Tue, Apr 09, 2019 at 06:21:52PM +0200, Mathias Behrle wrote:
> > > * Joerg Jaspert: " Re: Failing GPG key (was: Re: Debian Project Leader
> > > election 2019: First call for votes)" (Tue, 09 Apr 2019 16:44:43 +0200):
> > >  
> > > > On 15367 March 1977, Mathias Behrle wrote:
> > > >  
> >  [...]  
> > > >
> > > > It has always been avoided to add new DDs during voting period to avoid
> > > > accusations of "rig a vote by letting the right people join at that
> > > > moment".  
> > >
> > > Could as well be phrased: "rig a vote by not letting in the right people";)
> > >  
> > That would only be the case if the key were removed intentionally by
> > someone other than the owner of the key.  I have an expiry set on my own
> > key and that therefore makes me, and only me, responsible to ensure that
> > I update the expiry when necessary to avoid problems.
>
> Could it be that you missed the smiley and that we talked in the cited
> paragraph about something completely different than key expiries?
>
Yes it could.  I completely missed that.  My apologies if my response
was overly harsh.

Regards,

-Roberto

--
Roberto C. Sánchez

Reply | Threaded
Open this post in threaded view
|

Re: Failing GPG key (was: Re: Debian Project Leader election 2019: First call for votes)

Gunnar Wolf via nm
In reply to this post by Mathias Behrle-10
Hi,


<hat id="keyring-maint">
FWIW, I already sent Mathias a private mail about this, as he also
asked this privately :) But this seems to be of general interest, so...

> (...)
> > *Usually* they do not do that during running elections, just short before
> > they start,
> > so you may be out of luck.
>
> If so then I think there is a clear gap in the procedures.

We have actively tried hard *not* to do any updates during the
votes. Modifying the accepted set of keys in this time frame might
lead to devotee being confused regarding the votes it had marked as
valid (or rejected).

> - What about DDs being approved just during the voting period? They should
>   clearly be able to vote.
> - What about DDs losing their right during the voting period? Should their
>   ballots be valid?

Right. I am aware of both cases (well, of the second; given that key
addition is one of the last steps of an account creation, the first
case is basically impossible). We often did an upload on the day just
before a call for votes (we didn't this time, as we have adopted
during last year a time-based cycle which seems to work well and
reliably; keyring gets updated on the 24-25 every month).

As I said on the private mail: I am set to do the April keyring
upload. If the Secretary acknowledges this will cause no unforseen
effects on the already tallied votes, I see no issues with doing it a
couple of days earlier. But I am not familiar with devotee or other
issues that might rise, and I don't want to break vote processing for
others.

     - Gunnar.
</hat>

signature.asc (849 bytes) Download Attachment
12