Message-ID: <Y893UP6FIeGxWSXz@google.com>
Date:   Mon, 23 Jan 2023 22:14:40 -0800
From:   Dmitry Torokhov <dmitry.torokhov@...il.com>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     Joe Wu <joewu@....corp-partner.google.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Xiang wangx <wangxiang@...rlc.com>,
        Stephen Boyd <swboyd@...omium.org>,
        Prashant Malani <pmalani@...omium.org>,
        linux-input@...r.kernel.org, chrome-platform@...ts.linux.dev,
        Benson Leung <bleung@...omium.org>,
        "Gustavo A . R . Silva" <gustavoars@...nel.org>,
        Guenter Roeck <groeck@...omium.org>,
        Douglas Anderson <dianders@...omium.org>,
        Daisuke Nojiri <dnojiri@...omium.org>,
        Derek Huang <derekhuang@...gle.com>,
        "Dustin L . Howett" <dustin@...ett.net>, Joe Wu <joewu@....com>,
        Furquan Shaikh <furquan@...omium.org>,
        Jonathan Cameron <Jonathan.Cameron@...wei.com>,
        Lee Jones <lee.jones@...aro.org>,
        Tzung-Bi Shih <tzungbi@...nel.org>
Subject: Re: [PATCH] cros_ec_keyb: Add 3 buttons for monitor function

On Sat, Jan 21, 2023 at 08:26:47AM +0100, Greg Kroah-Hartman wrote:
> On Fri, Jan 20, 2023 at 09:24:18AM -0800, Dmitry Torokhov wrote:
> > On Fri, Jan 20, 2023 at 12:26:04PM +0100, Greg Kroah-Hartman wrote:
> > > On Thu, Dec 22, 2022 at 02:39:50PM +0800, Joe Wu wrote:
> > > > Add 3 extra buttons: 'brightness up', 'brightness down'
> > > > and 'screen lock' to support monitor manipulating function.
> > > > 
> > > > Signed-off-by: Joe Wu <joewu@....com>
> > > 
> > > From: line does not match the signed-off-by (and is an invalid email
> > > address...)
> > 
> > What do you mean "it's an invalid email address"? You can definitely
> > send emails there... I prefer people not to use Google partner domain
> > accounts in the hope that their employment might outlast their
> > involvement in Google projects, but that is it.
> 
> I was told that this was not a valid email address to send and receive
> emails from, and was only an email alias given to companies to interact
> with Google through their gerrit systems.  If that is incorrect, I'll
> not complain about this anymore, but someone needs to please verify this
> for me before I do so :)

Not solely for gerrit, there are other systems at Google (for example
the issue tracker) that require Google account and that is why we create
them for partners. It is however a real account that can send and
receive e-mails. Whether anyone is looking at it, especially after they
moved to other projects, is a separate topic, but it is the same with a
random gmail or whatever account that people are creating to submit a
patch or two.

> 
> But even if it is valid, should we accept it as a way to get in contact
> with the original submitter over time?

I believe that a real corp account is preferable for getting in contact
with the engineer who submitted the patch. Unfortunately corp accounts
are often unsuitable for submitting patches to the kernel. Outgoing mail
servers either force HTML, mangle the text, or add legal-sounding
footers that result in snark replies. So submitters often try to use
another account to submit the code, such as a throwaway gmail account,
or as in this case, our "partner domain" account. Neither is ideal but
we require from to match sign-off (including email part) and complain
about sane option of overriding "from" in the mail body to be something
more sensitive, like the email that is actually used by the person in
question.

Again, I have more trust for patches sent as "Joe Wu
<joewu@....corp-partner.google.com>" with body

From: Joe Wu <joewu@....com>
...
Signed-off-by: Joe Wu <joewu@....com>
...

than patches sent and signed off as "Joe Wu <joemsi-oss@...il.com>"
because I actually know that there is a process for establishing and
managing that @msi.corp-partner.google.com.

> 
> > I think if we ask people to stick "From: <whatever the company address
> > is>" in the body of the patch we can ignore the difference between sender
> > address and from/signed-off-by when they use partner domain accounts. If
> > anything, such accounts have better vetting than a random gmail or other
> > free email service account some vendors have to create to be able to
> > send plain-text emails that we require. I mean, we have
> > "Signed-off-by: George Spelvin <lkml@....org>" present in our git
> > history and nobody bats an eye...
> 
> Oh lots of people "batted an eye" about that one, I've had too many
> meetings with lawyers about that, which is one reason I now verify email
> addresses like I did here.

Would you attempt to verify it if you saw a sign-off from "Daniil Kharms
<dank@...il.com>"? What is the trigger for verification? How rigorous is
it?

Thanks.

-- 
Dmitry
