From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933879Ab1JESXc (ORCPT ); Wed, 5 Oct 2011 14:23:32 -0400
Received: from li9-11.members.linode.com ([67.18.176.11]:46515 "EHLO test.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932215Ab1JESXa (ORCPT ); Wed, 5 Oct 2011 14:23:30 -0400
Date: Wed, 5 Oct 2011 13:06:16 -0400
From: "Ted Ts'o"
To: Adrian Bunk
Cc: "Frank Ch. Eigler" , Valdis.Kletnieks@vt.edu, "H. Peter Anvin" , "Rafael J. Wysocki" , Linux Kernel Mailing List , Greg KH
Subject: Re: kernel.org status: establishing a PGP web of trust
Message-ID: <20111005170616.GD4297@thunk.org>
Mail-Followup-To: Ted Ts'o , Adrian Bunk , "Frank Ch. Eigler" , Valdis.Kletnieks@vt.edu, "H. Peter Anvin" , "Rafael J. Wysocki" , Linux Kernel Mailing List , Greg KH
References: <4E87B885.50005@zytor.com> <201110021354.57995.rjw@sisk.pl> <4E88A537.4010008@zytor.com> <20111003093239.GB25136@localhost.pp.htv.fi> <20111003180441.GD3072@localhost.pp.htv.fi> <34045.1317760188@turing-police.cc.vt.edu> <20111004223932.GA3460@localhost.pp.htv.fi> <20111004231730.GB17089@redhat.com> <20111005075438.GA29441@localhost.pp.htv.fi>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20111005075438.GA29441@localhost.pp.htv.fi>
User-Agent: Mutt/1.5.20 (2009-06-14)
X-SA-Exim-Connect-IP:
X-SA-Exim-Mail-From: tytso@thunk.org
X-SA-Exim-Scanned: No (on test.thunk.org); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Oct 05, 2011 at 10:54:39AM +0300, Adrian Bunk wrote:
>
> What policy is now used at kernel.org now is exactly the question
> I asked in [1], and where I'm still waiting for an answer from hpa.
>
> Other organizations like Debian have a clear and public policy on
> what is required for the user identification part for uploading to
> the archive [2], and I expect the same for kernel.org.

Peter has already said "are you prepared to swear in court". Government issued ID is one way (although any US high school student knows how easy it is to get fake ID); personal knowledge of someone's speech patterns plus common history generated by years of talking to that person at conferences and/or concalls, is another way.

When I bootstrapped Linus's key, he and I talked on the phone, and I knew him well enough by our conversation my recognizing his speech patterns that I was prepared to certify his key even though I've never seen his government ID. That being said, I also know and trust Jim Zemlin well enough to know trust that the person employed by the Linux Foundation had his ID and right to work checked per US employment law, and that the person I talked to was the same person who is employed by the Linux Foundation.

Realistically, I'm far more sure of Linus's identity than I would be of some random Debian developer who got his key signed after some quick impromptu verification of what appeared to be a government-issued ID at some conference. :-)

- Ted