Message-ID: <20111006080425.GB25753@localhost.pp.htv.fi>
Date:	Thu, 6 Oct 2011 11:04:26 +0300
From:	Adrian Bunk <bunk@...sta.de>
To:	Thomas Gleixner <tglx@...utronix.de>
Cc:	Ted Ts'o <tytso@....edu>, "Frank Ch. Eigler" <fche@...hat.com>,
	Valdis.Kletnieks@...edu, "H. Peter Anvin" <hpa@...or.com>,
	"Rafael J. Wysocki" <rjw@...k.pl>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Greg KH <gregkh@...e.de>
Subject: Re: kernel.org status: establishing a PGP web of trust

On Thu, Oct 06, 2011 at 01:57:24AM +0200, Thomas Gleixner wrote:
> On Wed, 5 Oct 2011, Adrian Bunk wrote:
>...
> > Let me paraphrase my question:
> > "Whose signatures do I need on my key so that it will be accepted
> >  at kernel.org?"
>
> Your understanding of key signing seems to be that some technical
> measure which makes the key valid is enough to enter a web of trust.
>
> Webs of trust cannot be built nor entered by any technical means.
>
> A web of trust is built by personal relationships and the key signing
> is just a technical measure to express that.
>
> I really do not care about your ID card, because it's a fact that
> people got keys signed by showing fake IDs.
>
> > With that information I can check if one email to a few local people to 
> > have a local keysigning is enough.
> 
> What for? To regain your k.org account? Can you provide a single
> reason why that should happen?
> 
> I can't think of one. You vanished away with a big bang and now you
> come back out of the blue and assume that you're a trusted person just
> by slapping a few signs on your key?

I would say I vanished silently after several big bangs with you and 
other people and some other incidents, but that's not really relevant.

My main reason for regaining my kernel.org account is that I heavily 
used my bunk@...nel.org address for kernel development (just check the 
kernel history), and I was still getting emails to that.

Assuming the @kernel.org addresses will not vanish, I need an accepted
credential for accessing that address.

> > Or if I have to bother Linus to meet me and sign my key the next
> > time he is here in Helsinki.
> 
> And how would that change the fact that your personal trust value in
> this community is exactly ZERO?

Your trust in me is exactly zero, and that wouldn't change if you'd sign 
my key.

And for some other people in this community the same is surely also true.

Now I can laugh about the incident when a member of the program commitee 
(sic) of a kernel summit sent me an angry "Why didn't you take your seat?"
email - it turned out I was not invited.

I don't know anything about the behind-the-scenes politics of kernel 
development, but I got the message that some people want to avoid my
physical presence, and will not impose that on anyone who does not
want to meet me. [1]

> As your idea of trust seems to be based on an ID card you better find
> some other place with people who are stupid enough to believe that
> technical measures can replace deep personal trust.

We are talking about the technical requirements for regaining an 
account I was trusted to have before.

If anyone accepts patches from me, or if Linus will ever again pull git 
trees from me, are questions completely unrelated to whether you or he 
or anyone else signs my key.

> Thanks,
> 
> 	tglx

cu
Adrian

[1] And my "have to bother Linus to meet me" was intended as asking him
    if it would be possible, I wouldn't do stalking if he'd refuse.

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
