Message-ID: <87k1yrufwj.fsf@concordia.ellerman.id.au>
Date:   Thu, 16 Nov 2017 13:16:28 +1100
From:   Michael Ellerman <mpe@...erman.id.au>
To:     "Tobin C. Harding" <me@...in.cc>,
        Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Steven Rostedt <rostedt@...dmis.org>
Subject: Re: [GIT PULL 2nd resend] leaking_addresses updates for 4.15

"Tobin C. Harding" <me@...in.cc> writes:

> Clearly I am unable to use email.
>
> Adding to CC: Greg, Steve, Paul - kernel developers CC'd on leaking
> addresses stuff that may know my face.
>
> Adding to CC: Michael - closest kernel developer by proximity that I
> have had direct correspondence with.
>
> Adding to CC: Konstantin - previous correspondence re kernel.org tree hosting. 
>
> On Tue, Nov 14, 2017 at 02:45:59PM -0800, Linus Torvalds wrote:
>> On Tue, Nov 14, 2017 at 1:03 PM, Tobin C. Harding <me@...in.cc> wrote:
>> >
>> > I did not sign the tag, it looks like you have not processed this yet.
>> > Do you want me to re-do the pull request on a signed tag?
>> 
>> When pulling from github? Absolutely.
>
> Linus, I'm not in the web of trust, pulling a tag signed by an _unknown_
> key is not secure, is it? Would it not be better to get into the web of
> trust first before requesting you pull any code from me?

Linus will probably respond, but in short it's good to be in the web of
trust, but until you are it's still worth signing your tags.

When you do get some signatures on your key, then we'll be able to see
that all your existing pull requests were really from you.

At the end of the day what matters is that you send good code over a
period of time - and whether the Australian Government agrees that your
name is "Tobin Harding" is somewhat orthogonal to that.

> Web of trust presents a social problem that I am not versed in. With my
> limited knowledge I can present the following solutions.
>
> 1. Get my key signed at linux.conf.au in January in Sydney.

Sounds good, maybe we should have a 15 minute key signing slot at the
kernel miniconf.

> 2. Request a video call with _some_ number of kernel developers to sign
>    key (suggested by Konstantin).
> 3. Drive to Canberra and meet face to face with Michael to sign key
>    (if he would agree to that).

Yeah, if you want to, that's no problem, just give me some notice :)

cheers
