lists.openwall.net
Open Source and information security mailing list archives
Date: Thu, 16 Nov 2017 08:33:13 +1100
From: "Tobin C. Harding" <me@...in.cc>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: LKML <linux-kernel@...r.kernel.org>, Konstantin Ryabitsev <konstantin@...uxfoundation.org>
Subject: Re: leaking_addresses script..

On Wed, Nov 15, 2017 at 01:20:20PM -0800, Linus Torvalds wrote:
> On Wed, Nov 15, 2017 at 1:11 PM, Tobin C. Harding <me@...in.cc> wrote:
> >
> > Linus, I'm not in the web of trust; pulling a tag signed by an _unknown_
> > key is not secure, is it? Would it not be better to get into the web of
> > trust first before requesting you pull any code from me?
>
> Oh, I absolutely take signed pulls from new people who haven't gotten
> their keys with a full chain of trust to me..

Awesome, new tag-signed pull request to come.

> I do it for a few different reasons:
>
>  - the real trust is *never* in the key. People who trust
> technological measures are morons. You trust *people*, not keys. The
> technical measures are a shorthand and a help, not the basis.
>
>  - I can just check the code
>
>  - even if you never get your key signed by anybody else, it's still a
> sort of "identity" in the sense of me getting the pull requests from
> the same person (or key controlling group)
>
>  - you probably *will* get your key signed by somebody else later, and
> it's all good, and that will show even in the commits before you got
> the signing done.
>
> It's not like we require that people send emailed patches with pgp
> signing either.
>
> So I require keys for pull requests even if I can't see the full chain
> of trust simply because of those two last issues: it's still an
> identity, and one that I expect will eventually be signed.

Thanks for taking the time to explain things to me. Please expect all
future 'process' mistakes by myself to come in multiples - I know you are
so quick on the email; as soon as I notice a mistake I rush to fix it,
usually botching it again :)

Again, thanks,
Tobin.
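The "key as identity" point in the exchange above, as an added example that is not part of the original thread and not code used by the kernel project or by Linus: a trust-on-first-use check over the gpg status lines that `git verify-tag --raw` prints on stderr. A good signature from a key with no trust path shows up as GOODSIG plus VALIDSIG plus TRUST_UNDEFINED; the maintainer pins the primary-key fingerprint on the first pull, refuses later pulls signed by a different key, and simply observes the trust level rising to TRUST_FULLY once the key has been signed by someone in the maintainer's keyring. The status samples, the contributor name and the fingerprints below are constructed for this example.

```python
"""Pin a contributor's signing key on first use and check later pulls against it.

Added example (not the kernel project's code). Input is the gpg status-fd output
that `git verify-tag --raw` writes to stderr. All samples below are constructed;
the fingerprints and key id are made up.
"""
import re

# Constructed: good signature, key valid but outside the web of trust.
FIRST_PULL = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Contributor <contributor@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2017-11-16 1510785193 0 4 0 1 10 01 1111222233334444555566667777888899990000
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: same contributor name, but a different (unpinned) key.
OTHER_KEY_PULL = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Example Contributor <contributor@example.org>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2017-11-20 1511136000 0 4 0 1 10 01 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: the pinned key again, now with a trust path into my keyring.
LATER_TRUSTED_PULL = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Contributor <contributor@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2018-01-10 1515542400 0 4 0 1 10 01 1111222233334444555566667777888899990000
[GNUPG:] TRUST_FULLY 0 pgp
"""

# Constructed: signature does not verify at all.
BAD_SIG_PULL = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Contributor <contributor@example.org>
"""

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(raw):
    """Reduce gpg status lines to: was the signature good, which primary key
    made it, and what trust level gpg assigned to that key."""
    result = {"good": False, "fingerprint": None, "trust": None}
    for line in raw.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        keyword, args = m.group(1), m.group(2) or ""
        if keyword == "GOODSIG":
            result["good"] = True
        elif keyword == "VALIDSIG":
            fields = args.split()
            # Field 1 is the signing (sub)key; the last field is the primary
            # key fingerprint, which is the stable identity to pin.
            result["fingerprint"] = fields[-1] if fields else None
        elif keyword.startswith("TRUST_"):
            result["trust"] = keyword[len("TRUST_"):].lower()
    return result


def check_pull(pins, contributor, raw_status):
    """Trust-on-first-use decision. `pins` maps contributor -> fingerprint and
    is updated in place. Returns (accept, reason)."""
    sig = parse_status(raw_status)
    if not sig["good"] or sig["fingerprint"] is None:
        return False, "bad-signature"
    pinned = pins.get(contributor)
    if pinned is None:
        pins[contributor] = sig["fingerprint"]
        # Unknown trust path is fine: the key becomes the contributor's identity.
        return True, "new-key-pinned"
    if pinned != sig["fingerprint"]:
        # A key change is the event that needs out-of-band confirmation.
        return False, "key-changed"
    return True, "same-key"


if __name__ == "__main__":
    pins = {}
    for label, raw in [("first", FIRST_PULL), ("other key", OTHER_KEY_PULL),
                       ("later, trusted", LATER_TRUSTED_PULL), ("bad sig", BAD_SIG_PULL)]:
        accept, reason = check_pull(pins, "contributor", raw)
        print(f"{label:15s} accept={accept} reason={reason} "
              f"trust={parse_status(raw)['trust']}")
```

In practice the `raw_status` would come from `subprocess.run(["git", "verify-tag", "--raw", tag], capture_output=True, text=True).stderr`; the pin store is the only state, and the trust level is recorded for the maintainer's information rather than used to gate the pull, which matches the policy described in the reply.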