Open Source and information security mailing list archives
Message-ID: <CAHk-=wj3tK4ync2S2eBQagOYv06wU+e7jgmnWHk5ZQBbk0E2WA@mail.gmail.com>
Date: Thu, 25 Jan 2024 09:56:49 -0800
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: "Theodore Ts'o" <tytso@....edu>
Cc: Alexander Gordeev <agordeev@...ux.ibm.com>, G@....edu, 
	James Bottomley <James.Bottomley@...senpartnership.com>, 
	Andrew Morton <akpm@...ux-foundation.org>, linux-scsi <linux-scsi@...r.kernel.org>, 
	linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [GIT PULL] final round of SCSI updates for the 6.7+ merge window

On Tue, 23 Jan 2024 at 21:36, Theodore Ts'o <tytso@....edu> wrote:
>
> If we told those people who want to pursue key rotation to just
> always upload keys to the Kernel keyring [..]

As long as the keys exist in the kernel.org keyring, it's all good.

That said, I still claim that nobody has *ever* had a valid and
meaningful reason to have expiry dates, so I want to stop you right
there when you talk about "people who want to pursue key rotation".

The absolute *first* thing you should tell those people is "Why? Don't
bother, it's just added pain for no gain".

It's like revocation keys. To a very close approximation, never in the
history of the universe have they been useful and meaningful.

The fact that the keyservers don't even work any more has made them
even less so, since now the revocations will never really spread
anyway.

So no. Let's not encourage people to do this silly thing.

If you ABSOLUTELY HAVE TO have expiration dates and other silly games,
yes, I will complain if I can't then easily get your key from the
single reliably working remaining setup.

But if you cannot explain exactly why you absolutely need to do it and
have some external entity that forces you to do silly things ("Your
daughter has been kidnapped, and you're not Liam Neeson"), the answer
should not be "remember to update the key at kernel.org", but simply a
plain "DON'T".

               Linus
