lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 14 Oct 2011 09:21:00 -0600
From:	Greg KH <greg@...ah.com>
To:	linux-kernel@...r.kernel.org
Subject: Answers to some common kernel.org account questions

We (the kernel.org team) have noticed a fair amount of confusion about
the procedure for the reinstatement of kernel.org accounts.  In an
attempt to clarify the situation, we have put together the following FAQ
file.

WHAT ARE WE DOING AT THIS TIME?

The first priority for kernel.org is to get the git trees back on line
so that subsystem maintainers can publish their patch streams and get
them into the mainline.  Other functionalities, such as email and file
uploads, will be restored later, as time allows.

WHO IS ELIGIBLE FOR A KERNEL.ORG ACCOUNT?

At this time, we are only providing access to developers who previously
hosted git repositories on kernel.org, and whose repositories have shown
activity after February, 2011.  At a later time we will be able to
consider creating accounts for developers with inactive trees or who
have not had a kernel.org account in the past.

DO I NEED A KERNEL.ORG ACCOUNT?

Possession of a kernel.org account is *not* necessary for contributors
to the Linux kernel.  As always, changes can be contributed through
trees hosted elsewhere, by direct posting of patches to a relevant
mailing list, or through a subsystem maintainer's tree.

WHY DO I NEED A PGP KEY?

A properly-signed PGP key is required to obtain access to kernel.org.
The purpose of this key is not to replace the trust that we have built
in each other over years of collaborative work; it is, instead, a way of
safely passing credentials in a world where the community has simply
grown too large for us all to know each other.

WHAT IS A PROPERLY-SIGNED KEY?

Anybody can create a PGP key in anybody's name.  To avoid forgery of
keys, we require that keys used for access to kernel.org be a part of
the kernel's ring of trust.  Joining the ring of trust is done by having
your key signed by other, well-known developer keys.  So we encourage
you to obtain as many signatures as you can reasonably obtain on your
key from fellow kernel developers at upcoming conferences or developer
meetups.

Specific geographically-isolated developers who are unable to obtain the
requisite signatures will be considered for access on a case-by-case
basis.

WHAT ABOUT FILE UPLOADS?

The "robot signing" of uploaded files that was used in the past is no
longer considered to be sufficiently secure, so a new policy has been
instituted.  A new tool ("kup") has been developed to help with the
implementation of that policy; it works in a manner similar to the
upload system used by the Debian project.

The kup tool will require developers to sign files with their PGP key
prior to uploading to kernel.org.  This mechanism will keep the private
signing keys from ever being stored on kernel.org (or any other server).
More information will be made available once the file upload capability
is restored.


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ