From: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
To: "Tobin C. Harding" <me@tobin.cc>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: leaking_addresses script..
Date: Wed, 15 Nov 2017 16:31:56 -0500 [thread overview]
Message-ID: <20171115213156.pw4v4nvrw4whi3nq@gmail.com> (raw)
In-Reply-To: <20171115211124.GH19069@eros>
On Thu, Nov 16, 2017 at 08:11:24AM +1100, Tobin C. Harding wrote:
>On Tue, Nov 14, 2017 at 02:45:59PM -0800, Linus Torvalds wrote:
>> On Tue, Nov 14, 2017 at 1:03 PM, Tobin C. Harding <me@tobin.cc> wrote:
>> >
>> > I did not sign the tag, it looks like you have not processed this yet.
>> > Do you want me to re-do the pull request on a signed tag?
>>
>> When pulling from github? Absolutely.
>
>Linus I'm not in the web of trust, pulling a tag signed by an _unknown_
>key is not secure is it? Would it not be better to get into the web of
>trust first before requesting you pull any code from me.
Many kernel developers use "Trust on First Use" (TOFU) approach, which
is not unreasonable -- it's what ssh has been using for the past couple
of decades. In the end, the goal of tag signing is not to verify your
*identity* but to verify that Tobin C. Harding from today is the same
Tobin C. Harding whose code was reviewed and merged 3 months ago.
>Also, once I get in the web of trust I can apply to get my tree hosted
>on git.kernel.org so you don't have to pull from GitHub.
We have different rules for issuing actual accounts at kernel.org. We
*do* rely on the web of trust, since I personally have no way of
verifying who is a real developer and who isn't. Even then, I don't
really care about your identity as much as I need to have assurances
from other members of kernel.org that they have worked with you
previously and they can vouch that you are their fellow kernel
developer.
-K
next prev parent reply other threads:[~2017-11-15 21:32 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CA+55aFzMTSEZ3K6bX97yBGds56LTqRG4CTzqfpoWduQhsoRoNw@mail.gmail.com>
[not found] ` <20171113030918.GE11398@eros>
[not found] ` <CA+55aFwLdjw-usHa2XYke1ULRz_HNTLuCrMz87Ci_0=90uyAsQ@mail.gmail.com>
2017-11-15 21:11 ` leaking_addresses script Tobin C. Harding
2017-11-15 21:20 ` Linus Torvalds
2017-11-15 21:33 ` Tobin C. Harding
2017-11-15 21:31 ` Konstantin Ryabitsev [this message]
2017-11-16 1:59 ` Tobin C. Harding
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171115213156.pw4v4nvrw4whi3nq@gmail.com \
--to=konstantin@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=me@tobin.cc \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox