| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Nov 2017 13:20:20 -0800
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: "Tobin C. Harding" <me@...in.cc>
Cc: LKML <linux-kernel@...r.kernel.org>,
Konstantin Ryabitsev <konstantin@...uxfoundation.org>
Subject: Re: leaking_addresses script..
On Wed, Nov 15, 2017 at 1:11 PM, Tobin C. Harding <me@...in.cc> wrote:
>
> Linus I'm not in the web of trust, pulling a tag signed by an _unknown_
> key is not secure is it? Would it not be better to get into the web of
> trust first before requesting you pull any code from me.
Oh, I absolutely take signed pulls from new people who haven't gotten
their keys with a full chain of trust to me..
I do it for a few different reasons:
- the real trust is *never* in the key. People who trust
technological measures are morons. You trust *people*, not keys. The
technical measures are a shorthand and a help, not the basis.
- I can just check the code
- even if you never get your key signed by anybody else, it's still a
sort of "identity" in the sense of me getting the pull requests from
the same person (or key controlling group)
- you probably *will* get your key signed by somebody else later, and
it's all good, and that will show even in the commits before you got
the signing done.
It's not like we require that people send emailed patches with pgp
signing either.
So I require keys for pull requests even if I can't see the full chain
of trust simply because of those two last issues: it's still an
identity, and one that I expect will eventually be signed.
Linus
Powered by blists - more mailing lists