lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200313093548.GA2089143@kroah.com>
Date:   Fri, 13 Mar 2020 10:35:48 +0100
From:   Greg KH <greg@...ah.com>
To:     Jani Nikula <jani.nikula@...el.com>
Cc:     "Theodore Y. Ts'o" <tytso@....edu>,
        "Bird, Tim" <Tim.Bird@...y.com>,
        "ksummit-discuss@...ts.linuxfoundation.org" 
        <ksummit-discuss@...ts.linuxfoundation.org>,
        "tech-board-discuss@...ts.linuxfoundation.org" 
        <tech-board-discuss@...ts.linuxfoundation.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [Tech-board-discuss] [Ksummit-discuss] Linux Foundation
 Technical Advisory Board Elections -- Change to charter

On Fri, Mar 13, 2020 at 10:58:00AM +0200, Jani Nikula wrote:
> On Thu, 12 Mar 2020, "Theodore Y. Ts'o" <tytso@....edu> wrote:
> > So that means we need to be smart about how we pick the criteria.
> > Using a kernel.org account might be a good approach, since it would be
> > a lot harder for a huge number of sock puppet accounts to meet that
> > criteria.
> 
> Per [1] and [2], kernel.org accounts "are usually reserved for subsystem
> maintainers or high-profile developers", but apparently it's at the
> kernel.org admins discretion to decide whether one is ultimately
> eligible or not. Do we want the kernel.org admin to have the final say
> on who gets to vote? Do we want to encourage people to have kernel.org
> accounts for no other reason than to vote?

We are using the "kernel.org account" as a way to verify that you really
are part of our developer/maintainer community and that you are part of
the "web of trust" and an actual person.

That is the goal here, if you know of some other way to determine this,
please let us know.  We went through many iterations of this and at the
moment, it is the best we can come up with.

Also, note that the "kernel.org admin" is really a team of people who
have been doing this for 9 years, it's not a single person responsible
for giving out new accounts to people that do not meet the obvious
requirement levels as published on kernel.org

> Furthermore, having a kernel.org account imposes the additional
> requirement that you're part of the kernel developers web of trust,

That is exactly what we want.

> i.e. that you've met other kernel developers in person. Which is a kind
> of awkward requirement for enabling electronic voting to be inclusive to
> people who can't attend in person.

Yes, we know that, but it does mean that you are "known" to someone
else, which is the key here.

> Seems like having a kernel.org account is just a proxy for the criteria,
> and one that also lacks transparency, and has problems of its own.

What is not transparent about how to get a kernel.org account?

> Not that I'm saying there's an easy solution, but obviously kernel.org
> account is not as problem free as you might think.

We are not saying it is "problem free", but what really is the problem
with it?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ