lists.openwall.net: Open Source and information security mailing list archives
Date:	Sat, 1 Oct 2011 18:52:08 -0400
From:	Ted Ts'o <tytso@....edu>
To:	Randy Dunlap <rdunlap@...otime.net>
Cc:	"H. Peter Anvin" <hpa@...or.com>,
	"Rafael J. Wysocki" <rjw@...k.pl>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Greg KH <gregkh@...e.de>,
	Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: kernel.org status: establishing a PGP web of trust

On Sat, Oct 01, 2011 at 03:36:58PM -0700, Randy Dunlap wrote:
> 
> Who needs these privacy keys?  Is it just (git) users of kernel.org?
> 
> so people who send patches via email do not need to do this process?
> or are we headed into sign-all-patches territory soonish?

There is going to be discussion about security procedures at the
kernel summit; to date we've been focused on the short-term
requirements to get git.kernel.org back up so that the next merge
window can open up, hopefully without getting instantly compromised
again.  That's going to require the help of everyone that we trust,
especially from folks who are maintaining git repositories.

I personally don't think we're headed into sign-all-patches, since
patches still need to be reviewed, and at some level, as long as the
patch is reviewed to be Good Stuff, that's actually the most important
thing.

That being said, if you have a GPG key, and you can participate in a
key signing exercise so that you are part of the web of trust, that
also means that you have a much better ability to trust that git trees
that you pull down to your system that have signed tags are in fact
legitimate (at least up to a signed tag).

So there are good reasons why developers who primarily participate by
e-mailing patches might want to start using GPG.

						- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
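The message above argues that being part of the PGP web of trust is what lets you decide whether the key behind a signed tag is legitimate. The following is an added illustration of how that decision is derived from key certifications; it is not code from the email, from kernel.org or from GnuPG. It implements a simplified version of the classic GnuPG trust model (a key is valid if certified by one fully trusted valid key or by three marginally trusted valid keys, within a depth limit), and the key names, certification graph and ownertrust values are constructed for the example.

```python
"""Simplified PGP web-of-trust validity computation (added example).

Model (simplified from the classic GnuPG trust model, assumption):
  - Keys with "ultimate" ownertrust are yours and valid by definition.
  - A key becomes valid when it is certified (key-signed) by at least
    `completes_needed` valid keys whose owner you trust fully, or by at
    least `marginals_needed` valid keys whose owner you trust marginally.
  - Certifications from keys that are not (yet) valid count for nothing,
    no matter how many of them there are.
  - Validity is propagated at most `max_depth` hops from your own keys.
Only valid keys can vouch for a signed tag; a signature by any other key
is "untrusted", even if it verifies cryptographically.
"""
from collections import defaultdict

# Ownertrust levels: how much you trust a key's OWNER to certify other keys.
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def compute_valid_keys(certifications, ownertrust,
                       marginals_needed=3, completes_needed=1, max_depth=5):
    """Return the set of key ids whose validity is established.

    certifications: dict  signer_key -> set of keys that signer has certified
    ownertrust:     dict  key -> ownertrust level (missing keys are UNKNOWN)
    """
    # Depth 0: the keys you own.
    valid = {key for key, level in ownertrust.items() if level == ULTIMATE}

    for _depth in range(max_depth):
        full_votes = defaultdict(int)
        marginal_votes = defaultdict(int)
        # Only VALID keys get a vote, weighted by how much you trust their owner.
        for signer in valid:
            level = ownertrust.get(signer, UNKNOWN)
            for signee in certifications.get(signer, ()):
                if signee in valid:
                    continue
                if level in (ULTIMATE, FULL):
                    full_votes[signee] += 1
                elif level == MARGINAL:
                    marginal_votes[signee] += 1
        newly_valid = {
            key for key in set(full_votes) | set(marginal_votes)
            if full_votes[key] >= completes_needed
            or marginal_votes[key] >= marginals_needed
        }
        if not newly_valid:
            break           # fixed point reached before the depth limit
        valid |= newly_valid
    return valid


def tag_signature_status(signer_key, valid_keys):
    """Classify a signed tag by whether its signing key is in the web of trust."""
    return "trusted" if signer_key in valid_keys else "untrusted"


# Constructed sample data (not real kernel.org keys or people).
# Edges: signer -> keys it has certified at a key-signing session.
CERTS = {
    "alice":   {"bob", "carol", "dave", "erin"},   # alice is "you"
    "bob":     {"tagsigner-x"},
    "carol":   {"tagsigner-y"},
    "dave":    {"tagsigner-y"},
    "erin":    {"tagsigner-y"},
    "mallory": {"tagsigner-z"},   # nobody you trust has certified mallory
}
OWNERTRUST = {
    "alice": ULTIMATE,
    "bob": FULL,
    "carol": MARGINAL, "dave": MARGINAL, "erin": MARGINAL,
}


def demo():
    valid = compute_valid_keys(CERTS, OWNERTRUST)
    return {tag: tag_signature_status(tag, valid)
            for tag in ("tagsigner-x", "tagsigner-y", "tagsigner-z")}


if __name__ == "__main__":
    for key, status in sorted(demo().items()):
        print(f"tag signed by {key}: {status}")
```

Running the module prints that tags signed by `tagsigner-x` (one fully trusted certifier) and `tagsigner-y` (three marginal certifiers) are trusted, while `tagsigner-z` is not, because its only certifier, `mallory`, never became valid. Lowering the bar to one marginal certification, or dropping one of the three marginal signers, flips `tagsigner-y` to untrusted, which is exactly why the email asks developers to take part in key signing: each certification you make or receive changes what everyone downstream can verify. As the message also notes, a verified tag covers the history up to that tag only; commits pulled after it are not vouched for by that signature.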
