Do we allow DMs as well, or only uploading DDs?

[umlaeute]

the README of the Debian GH orga says:

.github/profile/README.md

Lines 22 to 24 in 4b668ce

	The signature needs to be made with your PGP key currently in the
	Debian keyring.
	All active Debian Developers will be approved.

there's a github action in place that tries to enforce this policy, by automatically closing applications that are not from "a Debian person".
the test that is currently performed is, whether the applicant is able to sign some text with a key that is available via https://keyring.debian.org/

as the author of the github action, i took it for granted that:

• the set of All active Debian Developers is identical to the set of owners of a PGP key currently in the Debian keyring
• any key that is in the Debian keyring can be obtained from hkp://keyring.debian.org/

recently someone applied for membership in the Debian GH-organization:

• please add me to this organization #89

obviously they are Debian Maintainers but not Debian Developers (in the strict sense), which means:

• the key they used to sign the application form can be found on hkp://keyring.debian.org/
• the key (as obtained from the keyring) does not contain a @debian.org email address.
  I don't think it is required to actively add your @debian.org address to your key (in the debian-keyring). however, this triggered closer inspection of the application
• neither the key, nor any email associated with it (nor the username, as given in the application) could be found on https://db.debian.org/ - leading to the question: "is this a valid application"?

so I'd like to clarify which people are allowed in this GH organization:

• just "DD (uploading)"
• anybody on the keyring as served by hkp://keyring.debian.org/
  (I did some research, but I'm afraid I still do not know which group of keys exactly are served via keyring.debian.org)
• something in between? (e.g. "DDs(uploading)+DDs(nonuploading)")

the README should be updated to clarify this.

[umlaeute]

ping @charles-plessy , as you somehow triggered this :-)

as a sidenote: personally I would be fine with allowing any "Debian project Member.", including Debian Maintainers.
in my understanding this means that we could accept anybody who managed to get their keys into keyring.debian.org (making this the canonical source, rather than e.g. db.debian.org).
To quote https://keyring.debian.org/

keyring.debian.org only deals with keys for Debian project Member. Please do not send add requests for your key if you are not an existing DD or DM; the Debian Account Managers will submit the key add request for new members when they successfully complete the New Member process.

[charles-plessy]

Hi @umlaeute and everybody,

first, thank you very much for all the work you did and you do for this GitHub group.

When I rescued it, I expected to use it to host forks of upstream sources of packages that I maintain, when I would want to propose a patch as a pull request, so that I would not use it under my personal GitHub ID, in order to minimise my footprint of using a proprietary platform in the course of contributing to Debian and Free software.

In the end, as far as I remember I never used it.

Still, I think that it is important that the main purpose of this group remains to be a communication channel for the convenience of our upstreams. Within this vision, it does not matter if the members of the group are DDs or DMs.

Actually, given the little use I have and given how great your work is, it has been aproximately a year that I have been considering to just retire from the admin group and leave it to you to steer it...

[charles-plessy]

Acutally, @umlaeute , I see that you are not admin of the Debian group. Would you like to swap roles with me?

[kpcyrd]

For context, as the person in question, this is my DDPO. :)

[mapreri]

Just dumping data, within the GH org we have both a "DD" team and a "DM" team (they offer no difference besides grouping, and they are not kept up2date when people move so it's not that important or precise), and we have 6 current members in that team.

I think it's just fine to add DMs in the debian github org..... if the concern is permissions… I just try to compare this to what used to be collab-main in alioth and I'd say we are doing great! /o\