From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758174AbdKPCAF (ORCPT ); Wed, 15 Nov 2017 21:00:05 -0500 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:47513 "EHLO out4-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756123AbdKPB76 (ORCPT ); Wed, 15 Nov 2017 20:59:58 -0500 X-ME-Sender: Date: Thu, 16 Nov 2017 12:59:54 +1100 From: "Tobin C. Harding" To: Konstantin Ryabitsev Cc: Linus Torvalds , LKML Subject: Re: leaking_addresses script.. Message-ID: <20171116015954.GC32637@eros> References: <20171113030918.GE11398@eros> <20171115211124.GH19069@eros> <20171115213156.pw4v4nvrw4whi3nq@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20171115213156.pw4v4nvrw4whi3nq@gmail.com> X-Mailer: Mutt 1.5.24 (2015-08-30) User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Nov 15, 2017 at 04:31:56PM -0500, Konstantin Ryabitsev wrote: > On Thu, Nov 16, 2017 at 08:11:24AM +1100, Tobin C. Harding wrote: > >On Tue, Nov 14, 2017 at 02:45:59PM -0800, Linus Torvalds wrote: > >>On Tue, Nov 14, 2017 at 1:03 PM, Tobin C. Harding wrote: > >>> > >>> I did not sign the tag, it looks like you have not processed this yet. > >>> Do you want me to re-do the pull request on a signed tag? > >> > >>When pulling from github? Absolutely. > > > >Linus I'm not in the web of trust, pulling a tag signed by an _unknown_ > >key is not secure is it? Would it not be better to get into the web of > >trust first before requesting you pull any code from me. > > Many kernel developers use "Trust on First Use" (TOFU) approach, which is > not unreasonable -- it's what ssh has been using for the past couple of > decades. In the end, the goal of tag signing is not to verify your > *identity* but to verify that Tobin C. Harding from today is the same Tobin > C. Harding whose code was reviewed and merged 3 months ago. Cool. > >Also, once I get in the web of trust I can apply to get my tree hosted > >on git.kernel.org so you don't have to pull from GitHub. > > We have different rules for issuing actual accounts at kernel.org. We *do* > rely on the web of trust, since I personally have no way of verifying who is > a real developer and who isn't. Even then, I don't really care about your > identity as much as I need to have assurances from other members of > kernel.org that they have worked with you previously and they can vouch that > you are their fellow kernel developer. I'll sort it out and get back to you. thanks, Tobin.