Date: Thu, 16 Nov 2017 08:33:13 +1100
From: "Tobin C. Harding"
To: Linus Torvalds
Cc: LKML, Konstantin Ryabitsev
Subject: Re: leaking_addresses script..
Message-ID: <20171115213313.GJ19069@eros>
References: <20171113030918.GE11398@eros> <20171115211124.GH19069@eros>
In-Reply-To:
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 15, 2017 at 01:20:20PM -0800, Linus Torvalds wrote:
> On Wed, Nov 15, 2017 at 1:11 PM, Tobin C. Harding wrote:
> >
> > Linus, I'm not in the web of trust; pulling a tag signed by an _unknown_
> > key is not secure, is it? Would it not be better to get into the web of
> > trust first before requesting you pull any code from me?
>
> Oh, I absolutely take signed pulls from new people who haven't gotten
> their keys with a full chain of trust to me..

Awesome, new tag-signed pull request to come.

> I do it for a few different reasons:
>
>  - the real trust is *never* in the key. People who trust
>    technological measures are morons. You trust *people*, not keys. The
>    technical measures are a shorthand and a help, not the basis.
>
>  - I can just check the code
>
>  - even if you never get your key signed by anybody else, it's still a
>    sort of "identity" in the sense of me getting the pull requests from
>    the same person (or key-controlling group)
>
>  - you probably *will* get your key signed by somebody else later, and
>    it's all good, and that will show even in the commits before you got
>    the signing done.
>
> It's not like we require that people send emailed patches with pgp
> signing either.
>
> So I require keys for pull requests even if I can't see the full chain
> of trust simply because of those two last issues: it's still an
> identity, and one that I expect will eventually be signed.

Thanks for taking the time to explain things to me. Please expect all
future 'process' mistakes by myself to come in multiples - I know you
are so quick on the email that as soon as I notice a mistake I rush to
fix it, usually botching it again :)

Again, thanks,
Tobin.