From: "Tobin C. Harding" <me@tobin.cc>
To: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: leaking_addresses script..
Date: Thu, 16 Nov 2017 12:59:54 +1100
Message-ID: <20171116015954.GC32637@eros>
In-Reply-To: <20171115213156.pw4v4nvrw4whi3nq@gmail.com>

On Wed, Nov 15, 2017 at 04:31:56PM -0500, Konstantin Ryabitsev wrote:
> On Thu, Nov 16, 2017 at 08:11:24AM +1100, Tobin C. Harding wrote:
> >On Tue, Nov 14, 2017 at 02:45:59PM -0800, Linus Torvalds wrote:
> >>On Tue, Nov 14, 2017 at 1:03 PM, Tobin C. Harding <me@tobin.cc> wrote:
> >>>
> >>> I did not sign the tag, it looks like you have not processed this yet.
> >>> Do you want me to re-do the pull request on a signed tag?
> >>
> >>When pulling from github? Absolutely.
> >
> >Linus, I'm not in the web of trust, pulling a tag signed by an _unknown_
> >key is not secure, is it? Would it not be better to get into the web of
> >trust first before requesting you pull any code from me?
> 
> Many kernel developers use a "Trust on First Use" (TOFU) approach, which is
> not unreasonable -- it's what ssh has been using for the past couple of
> decades. In the end, the goal of tag signing is not to verify your
> *identity* but to verify that Tobin C. Harding from today is the same Tobin
> C. Harding whose code was reviewed and merged 3 months ago.

Cool.

> >Also, once I get in the web of trust I can apply to get my tree hosted
> >on git.kernel.org so you don't have to pull from GitHub.
> 
> We have different rules for issuing actual accounts at kernel.org. We *do*
> rely on the web of trust, since I personally have no way of verifying who is
> a real developer and who isn't. Even then, I don't really care about your
> identity as much as I need to have assurances from other members of
> kernel.org that they have worked with you previously and they can vouch that
> you are their fellow kernel developer.

I'll sort it out and get back to you.

thanks,
Tobin.
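
Added example, not part of the original message or of any kernel.org tooling: a sketch of the TOFU check described above, which pins the signing key's fingerprint the first time a developer's signed tag is verified and flags any later tag signed by a different key. It reads the GnuPG status lines that `git verify-tag --raw` prints; the function names, the pin-file name and the sample fingerprints are assumptions constructed for illustration.

```python
import json
import sys
from pathlib import Path


def signer_fingerprint(gpg_status):
    """Primary-key fingerprint of a good signature, or None."""
    good, fpr = False, None
    for line in gpg_status.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] != "[GNUPG:]":
            continue
        if f[1] == "GOODSIG":      # signature verifies, key not expired/revoked
            good = True
        elif f[1] == "VALIDSIG":   # 10th field, when present, is the primary key
            fpr = (f[11] if len(f) >= 12 else f[2]).upper()
    return fpr if good else None


def tofu_check(who, gpg_status, pins):
    """Pin on first use; afterwards only the pinned key is accepted."""
    fpr = signer_fingerprint(gpg_status)
    if fpr is None:
        return "no-good-signature"
    if who not in pins:
        pins[who] = fpr            # first use: trust and remember this key
        return "first-use"
    return "match" if pins[who] == fpr else "mismatch"


# Constructed sample data (not real keys).
KEY_A, KEY_B = "A1" * 20, "B2" * 20


def sample_status(fpr):
    return (f"[GNUPG:] NEWSIG\n"
            f"[GNUPG:] GOODSIG {fpr[-16:]} Example Dev <dev@example.org>\n"
            f"[GNUPG:] VALIDSIG {fpr} 2017-11-16 1510797594 0 4 0 1 8 00 {fpr}\n")


if __name__ == "__main__":
    # git verify-tag --raw <tag> 2>&1 | python3 tofu.py <who> [pins.json]
    store = Path(sys.argv[2] if len(sys.argv) > 2 else "tofu-pins.json")
    pins = json.loads(store.read_text()) if store.exists() else {}
    result = tofu_check(sys.argv[1], sys.stdin.read(), pins)
    store.write_text(json.dumps(pins, indent=2))
    print(result)
    sys.exit(0 if result in ("first-use", "match") else 1)
```

A "mismatch" result does not say which key is the legitimate one; it only says that continuity with the previously reviewed work is broken and needs an out-of-band check.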
