| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Mar 2020 10:59:03 -0400
From: Konstantin Ryabitsev <konstantin@...uxfoundation.org>
To: Jani Nikula <jani.nikula@...el.com>
Cc: Greg KH <greg@...ah.com>, "Bird, Tim" <Tim.Bird@...y.com>,
"tech-board-discuss@...ts.linuxfoundation.org"
<tech-board-discuss@...ts.linuxfoundation.org>,
"ksummit-discuss@...ts.linuxfoundation.org"
<ksummit-discuss@...ts.linuxfoundation.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [Ksummit-discuss] [Tech-board-discuss] Linux Foundation
Technical Advisory Board Elections -- Change to charter
On Fri, Mar 13, 2020 at 12:30:20PM +0200, Jani Nikula wrote:
> There is no way of knowing whether you're eligible to vote until you
> apply for a kernel.org account and either get approved or rejected.
>
> The current "obvious" requirement levels are not obvious to me. How many
> contributions is enough? Is everyone in MAINTAINERS eligible, or do you
> have to be a high-profile maintainer/developer? What is a high-profile
> developer? How many people in the web of trust must you have met in
> person?
Anyone listed in MAINTAINERS is eligible to get an auto-approved account
on kernel.org, but they *must* satisfy the web of trust requirement:
- their key is signed by 2 other people who already have a kernel.org
account (marginal trust), OR
- their key is signed by one of the following people (full trust):
- H. Peter Anvin
- Greg Kroah-Hartman
- Ted Ts'o
- Linus Torvalds
- Dirk Hohndel
- James Bottomley
Anyone who is not in MAINTAINERS but feel they should have an account on
kernel.org can still apply if they provide a reason behind their
request. Such cases are fairly rare and usually include collaboration on
non-kernel projects that are also hosted on kernel.org (there aren't
that many, but there are a few). The web of trust requirement is exactly
the same, but the final approval is not automatic. I forward these
requests to the above 6 people and it is sufficient for at least one
person to say "aye" for the account to be approved.
It is also important to highlight a distinction between "having an
account" and having a kernel.org email forwarding address. For this
particular case I was requested to provide a list of people with *active
accounts* on kernel.org, meaning that they have performed a git+ssh
operation within the past 12 months.
> And it actually seems like you think it's a good thing the admin team
> can make a subjective decision on the above.
The LF IT admin team does not make any decisions -- all decisions are
taken by the above 6 people (unless the person is in MAINTAINERS, in
which case their approval is implicit).
> It may seem completely transparent and fair and objective on the
> *inside*, but it does not look that way on the *outside*. Which is kind
> of the definition of transparent. Or lack of.
I hope I helped clarify the procedure. Of course, as the person actually
creating accounts I'm the final arbiter of all decisions. If I had any
malicious intents, I could totally subvert the whole process -- so in
the end you just have to trust me to be on the side of "lawful good."
-K
Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)
Powered by blists - more mailing lists