Message-ID: <83d6dca5fec8b2b31e548d56cdf196e39549d9ca.camel@HansenPartnership.com>
Subject: Re: [GIT PULL] final round of SCSI updates for the 6.7+ merge window
From: James Bottomley
To: Theodore Ts'o, Linus Torvalds, G@mit.edu
Cc: Andrew Morton, linux-scsi, linux-kernel
Date: Sun, 21 Jan 2024 10:58:32 -0500
In-Reply-To: <20240121063038.GA1452899@mit.edu>
References: <7b104abd42691c3e3720ca6667f5e52d75ab6a92.camel@HansenPartnership.com> <20240121063038.GA1452899@mit.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, 2024-01-21 at 01:30 -0500, Theodore Ts'o wrote:
> Unlike James, I've tried to use DANE, since about the only thing that
                    ^ never?
> has as disastrous a user experience as gpg is DNSSEC.  :-) I just
> manually upload keys to the kernel and Debian keyrings, and it's been
> working out, apparently without much pain for either me or to those
> who rely on my keys --- at least, no one has complained to me so
> far....

Well the theory is sound: if the DNS is secure and trustworthy, getting
the gpg key from the same domain as the email records proves the tie
between the uid and the key (obviating the need for all this keysigning
and web of trust). Making DNS substitute for all these stupid external
CAs for web certificates as well (via DANE export of the X509 public
key) is also a good idea, as is exporting the ssh host keys and things.

However, having maintained DNSSEC for almost a decade now, I'm not
going to pretend it's something a non-expert sysadmin should be trying:
it's very particular and problems are hard to debug; you really have to
be in the top tier of expert sysadmins to be successful with it.
However, once it is running, bind9 now takes much of the pain out of
rolling the domain keys and, if you run a dynamic domain (one that can
be updated with nsupdate), you can actually give all your users scoped
permission to update their own key records, so if you have an expert
sysadmin on the domain, they can make DANE usable for all the
non-experts.

I think the gpg usability problem is that I can't mark my key as being
DANE available in the key itself, so gpg would just automatically check
the DNS for an update and throw a warning if there was a DNS problem
(but still use the cached key). The failure is the users having to
figure out that my key is DANE available and then what combinatoric
explosion of gpg options they actually need to update it.

James
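
An added example, not part of the message above and not gpg's code: it derives the DNS name where DANE publishes a key for an email address (the OPENPGPKEY owner name of RFC 7929) and sketches the refresh behaviour the message asks for, where a DNS problem produces a warning and the cached key stays in use. The `lookup` hook, the key bytes and the fake zone are constructed assumptions; no network access is made.

```python
import hashlib
import unicodedata

def openpgpkey_owner_name(address: str) -> str:
    """DNS owner name of the OPENPGPKEY record for an address (RFC 7929, section 3)."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    # RFC 7929 hashes the UTF-8, NFC-normalised local-part as written: no case folding.
    local = unicodedata.normalize("NFC", local)
    label = hashlib.sha256(local.encode("utf-8")).digest()[:28].hex()
    return f"{label}._openpgpkey.{domain.rstrip('.')}"

def refresh_key(address, cached_key, lookup):
    """Return (key_to_use, warning_or_None).

    `lookup` is a hypothetical resolver hook: it takes an owner name and returns
    (key_bytes_or_None, dnssec_validated), or raises OSError on a DNS failure.
    """
    name = openpgpkey_owner_name(address)
    try:
        key, validated = lookup(name)
    except OSError as exc:
        return cached_key, f"DNS lookup for {name} failed ({exc}); using cached key"
    if not validated:
        # An unsigned answer proves nothing about the uid/key tie: never accept it.
        return cached_key, f"answer for {name} not DNSSEC-validated; using cached key"
    if key is None:
        # Assumed policy for this sketch: a missing record warns, it does not revoke.
        return cached_key, f"no OPENPGPKEY record at {name}; using cached key"
    return key, None

if __name__ == "__main__":
    # Constructed data: placeholder key bytes and a fake zone standing in for DNS.
    zone = {openpgpkey_owner_name("hugh@example.com"): (b"NEW-KEY", True)}
    resolver = lambda name: zone.get(name, (None, True))
    print(openpgpkey_owner_name("hugh@example.com"))
    print(refresh_key("hugh@example.com", b"OLD-KEY", resolver))
    print(refresh_key("other@example.com", b"OLD-KEY", resolver))
```
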