lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 16 Nov 2017 08:11:24 +1100
From:   "Tobin C. Harding" <me@...in.cc>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        Konstantin Ryabitsev <konstantin@...uxfoundation.org>
Subject: Re: leaking_addresses script..

Re-send with the _actual_ CC's

Adding to CC: Greg, Steve, Paul - kernel developers CC'd on leaking
addresses stuff that may know my face.

Adding to CC: Michael - closest kernel developer by proximity that I
have had direct correspondence with.

Adding to CC: Konstantin - previous correspondence re kernel.org tree hosting. 

On Tue, Nov 14, 2017 at 02:45:59PM -0800, Linus Torvalds wrote:
> On Tue, Nov 14, 2017 at 1:03 PM, Tobin C. Harding <me@...in.cc> wrote:
> >
> > I did not sign the tag, it looks like you have not processed this yet.
> > Do you want me to re-do the pull request on a signed tag?
> 
> When pulling from github? Absolutely.

Linus I'm not in the web of trust, pulling a tag signed by an _unknown_
key is not secure is it? Would it not be better to get into the web of
trust first before requesting you pull any code from me.

Web of trust presents a social problem that I am not versed in. With my
limited knowledge I can present the following solutions.

1. Get my key signed at linux.conf.au in January in Sydney.
2. Request a video call with _some_ number of kernel developers to sign
   key (suggested by Konstantin).
3. Drive to Canberra and meet face to face with Michael to sign key
   (if he would agree to that).

I'm guessing I've missed the boat for this merge window so the option
that imposes the least on other developers time is option 1, get my key
signed by a bunch of kernel developers at LCA.

Also, once I get in the web of trust I can apply to get my tree hosted
on git.kernel.org so you don't have to pull from GitHub.

Please advise when, and if, you have time.

thanks,
Tobin.

Powered by blists - more mailing lists