From: "Tobin C. Harding" <me@tobin.cc>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Subject: Re: leaking_addresses script..
Date: Thu, 16 Nov 2017 08:33:13 +1100
Message-ID: <20171115213313.GJ19069@eros>
In-Reply-To: <CA+55aFy7Fw-5U_i94P65sAuNDQtAjGRtivY-s3M5JaRjro2bfg@mail.gmail.com>

On Wed, Nov 15, 2017 at 01:20:20PM -0800, Linus Torvalds wrote:
> On Wed, Nov 15, 2017 at 1:11 PM, Tobin C. Harding <me@tobin.cc> wrote:
> >
> > Linus I'm not in the web of trust, pulling a tag signed by an _unknown_
> > key is not secure is it? Would it not be better to get into the web of
> > trust first before requesting you pull any code from me.
>
> Oh, I absolutely take signed pulls from new people who haven't gotten
> their keys with a full chain of trust to me..

Awesome, new tag signed pull request to come.

> I do it for a few different reasons:
>
> - the real trust is *never* in the key. People who trust
> technological measures are morons. You trust *people*, not keys. The
> technical measures are a shorthand and a help, not the basis.
>
> - I can just check the code
>
> - even if you never get your key signed by anybody else, it's still a
> sort of "identity" in the sense of me getting the pull requests from
> the same person (or key controlling group)
>
> - you probably *will* get your key signed by somebody else later, and
> it's all good, and that will show even in the commits before you got
> the signing done.
>
> It's not like we require that people send emailed patches with pgp
> signing either.
>
> So I require keys for pull requests even if I can't see the full chain
> of trust simply because of those two last issues: it's still an
> identity, and one that I expect will eventually be signed.

Thanks for taking the time to explain things to me. Please expect all
future 'process' mistakes by myself to come in multiples - I know you are
so quick on the email as soon as I notice a mistake I rush to fix it,
usually botching it again :)

Again, thanks,
Tobin.