Answers to some common kernel.org account questions

[Greg KH <greg@kroah.com>]

[-- Attachment #1: Type: text/plain, Size: 2861 bytes --]

We (the kernel.org team) have noticed a fair amount of confusion about
the procedure for the reinstatement of kernel.org accounts.  In an
attempt to clarify the situation, we have put together the following FAQ
file.

WHAT ARE WE DOING AT THIS TIME?

The first priority for kernel.org is to get the git trees back on line
so that subsystem maintainers can publish their patch streams and get
them into the mainline.  Other functionalities, such as email and file
uploads, will be restored later, as time allows.

WHO IS ELIGIBLE FOR A KERNEL.ORG ACCOUNT?

At this time, we are only providing access to developers who previously
hosted git repositories on kernel.org, and whose repositories have shown
activity after February, 2011.  At a later time we will be able to
consider creating accounts for developers with inactive trees or who
have not had a kernel.org account in the past.

DO I NEED A KERNEL.ORG ACCOUNT?

Possession of a kernel.org account is *not* necessary for contributors
to the Linux kernel.  As always, changes can be contributed through
trees hosted elsewhere, by direct posting of patches to a relevant
mailing list, or through a subsystem maintainer's tree.

WHY DO I NEED A PGP KEY?

A properly-signed PGP key is required to obtain access to kernel.org.
The purpose of this key is not to replace the trust that we have built
in each other over years of collaborative work; it is, instead, a way of
safely passing credentials in a world where the community has simply
grown too large for us all to know each other.

WHAT IS A PROPERLY-SIGNED KEY?

Anybody can create a PGP key in anybody's name.  To avoid forgery of
keys, we require that keys used for access to kernel.org be a part of
the kernel's ring of trust.  Joining the ring of trust is done by having
your key signed by other, well-known developer keys.  So we encourage
you to obtain as many signatures as you can reasonably obtain on your
key from fellow kernel developers at upcoming conferences or developer
meetups.

Specific geographically-isolated developers who are unable to obtain the
requisite signatures will be considered for access on a case-by-case
basis.

WHAT ABOUT FILE UPLOADS?

The "robot signing" of uploaded files that was used in the past is no
longer considered to be sufficiently secure, so a new policy has been
instituted.  A new tool ("kup") has been developed to help with the
implementation of that policy; it works in a manner similar to the
upload system used by the Debian project.

The kup tool will require developers to sign files with their PGP key
prior to uploading to kernel.org.  This mechanism will keep the private
signing keys from ever being stored on kernel.org (or any other server).
More information will be made available once the file upload capability
is restored.


[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]