From: "Tobin C. Harding" <me@tobin.cc>
To: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: leaking_addresses script..
Date: Thu, 16 Nov 2017 12:59:54 +1100 [thread overview]
Message-ID: <20171116015954.GC32637@eros> (raw)
In-Reply-To: <20171115213156.pw4v4nvrw4whi3nq@gmail.com>
On Wed, Nov 15, 2017 at 04:31:56PM -0500, Konstantin Ryabitsev wrote:
> On Thu, Nov 16, 2017 at 08:11:24AM +1100, Tobin C. Harding wrote:
> >On Tue, Nov 14, 2017 at 02:45:59PM -0800, Linus Torvalds wrote:
> >>On Tue, Nov 14, 2017 at 1:03 PM, Tobin C. Harding <me@tobin.cc> wrote:
> >>>
> >>> I did not sign the tag, it looks like you have not processed this yet.
> >>> Do you want me to re-do the pull request on a signed tag?
> >>
> >>When pulling from github? Absolutely.
> >
> >Linus I'm not in the web of trust, pulling a tag signed by an _unknown_
> >key is not secure is it? Would it not be better to get into the web of
> >trust first before requesting you pull any code from me.
>
> Many kernel developers use "Trust on First Use" (TOFU) approach, which is
> not unreasonable -- it's what ssh has been using for the past couple of
> decades. In the end, the goal of tag signing is not to verify your
> *identity* but to verify that Tobin C. Harding from today is the same Tobin
> C. Harding whose code was reviewed and merged 3 months ago.
Cool.
> >Also, once I get in the web of trust I can apply to get my tree hosted
> >on git.kernel.org so you don't have to pull from GitHub.
>
> We have different rules for issuing actual accounts at kernel.org. We *do*
> rely on the web of trust, since I personally have no way of verifying who is
> a real developer and who isn't. Even then, I don't really care about your
> identity as much as I need to have assurances from other members of
> kernel.org that they have worked with you previously and they can vouch that
> you are their fellow kernel developer.
I'll sort it out and get back to you.
thanks,
Tobin.
prev parent reply other threads:[~2017-11-16 2:00 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CA+55aFzMTSEZ3K6bX97yBGds56LTqRG4CTzqfpoWduQhsoRoNw@mail.gmail.com>
[not found] ` <20171113030918.GE11398@eros>
[not found] ` <CA+55aFwLdjw-usHa2XYke1ULRz_HNTLuCrMz87Ci_0=90uyAsQ@mail.gmail.com>
2017-11-15 21:11 ` leaking_addresses script Tobin C. Harding
2017-11-15 21:20 ` Linus Torvalds
2017-11-15 21:33 ` Tobin C. Harding
2017-11-15 21:31 ` Konstantin Ryabitsev
2017-11-16 1:59 ` Tobin C. Harding [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171116015954.GC32637@eros \
--to=me@tobin.cc \
--cc=konstantin@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox