Date: Wed, 24 Jan 2024 00:36:34 -0500
From: "Theodore Ts'o" <tytso@....edu>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Alexander Gordeev <agordeev@...ux.ibm.com>, G@....edu,
        James Bottomley <James.Bottomley@...senpartnership.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        linux-scsi <linux-scsi@...r.kernel.org>,
        linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [GIT PULL] final round of SCSI updates for the 6.7+ merge window

On Sun, Jan 21, 2024 at 10:48:35AM -0800, Linus Torvalds wrote:
> On Sat, 20 Jan 2024 at 22:30, Theodore Ts'o <tytso@....edu> wrote:
> >
> > Linus, you haven't been complaining about my key, which hopefully
> > means that I'm not causing you headaches
> 
> Well, honestly, while I pointed out that if everybody was expiring
> keys, I'd have this headache once or twice a week, the reality is that
> pretty much nobody is. There's James, you, and a handful of others.
> 
> So in practice, I hit this every couple of months, not weekly. And if
> I can pick up updates from the usual sources, it's all fine. James'
> setup just doesn't match anybody else's, so it's grating.

If we told those people who want to pursue key rotation to just
always upload keys to the Kernel keyring, using the instructions
here[1], and at the beginning of each merge window, you updated your
local clone of the kernel keyring git repo[2], and then ran the
scripts/korg-refresh-keys, the headache to you would be limited to
running "cd ~/git/korg-pgpkeys ; git pull ;
/scripts/korg-refresh-keys" every 2 or 3 months.  The work you'd have
to do would be a fixed amount of work, even if more people were using
PGP key rotation.

[1] https://korg.docs.kernel.org/pgpkeys.html
[2] https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git

Would that be an acceptable (hopefully minimal!) amount of annoyance
for you?

					- Ted
