From: "Tobin C. Harding" <me@tobin.cc>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Subject: Re: leaking_addresses script..
Date: Thu, 16 Nov 2017 08:33:13 +1100
Message-ID: <20171115213313.GJ19069@eros>
In-Reply-To: <CA+55aFy7Fw-5U_i94P65sAuNDQtAjGRtivY-s3M5JaRjro2bfg@mail.gmail.com>

On Wed, Nov 15, 2017 at 01:20:20PM -0800, Linus Torvalds wrote:
> On Wed, Nov 15, 2017 at 1:11 PM, Tobin C. Harding <me@tobin.cc> wrote:
> >
> > Linus I'm not in the web of trust, pulling a tag signed by an _unknown_
> > key is not secure is it? Would it not be better to get into the web of
> > trust first before requesting you pull any code from me.
>
> Oh, I absolutely take signed pulls from new people who haven't gotten
> their keys with a full chain of trust to me..

Awesome, new tag signed pull request to come.

> I do it for a few different reasons:
>
> - the real trust is *never* in the key. People who trust
> technological measures are morons. You trust *people*, not keys. The
> technical measures are a shorthand and a help, not the basis.
>
> - I can just check the code
>
> - even if you never get your key signed by anybody else, it's still a
> sort of "identity" in the sense of me getting the pull requests from
> the same person (or key controlling group)
>
> - you probably *will* get your key signed by somebody else later, and
> it's all good, and that will show even in the commits before you got
> the signing done.
>
> It's not like we require that people send emailed patches with pgp
> signing either.
>
> So I require keys for pull requests even if I can't see the full chain
> of trust simply because of those two last issues: it's still an
> identity, and one that I expect will eventually be signed.

Thanks for taking the time to explain things to me. Please expect all
future 'process' mistakes by myself to come in multiples - I know you are
so quick on the email as soon as I notice a mistake I rush to fix it,
usually botching it again :)

Again, thanks,
Tobin.