Re-send with the _actual_ CC's

Adding to CC: Greg, Steve, Paul - kernel developers CC'd on leaking
addresses stuff that may know my face.

Adding to CC: Michael - closest kernel developer by proximity that I
have had direct correspondence with.

Adding to CC: Konstantin - previous correspondence re kernel.org tree hosting.

On Tue, Nov 14, 2017 at 02:45:59PM -0800, Linus Torvalds wrote:
> On Tue, Nov 14, 2017 at 1:03 PM, Tobin C. Harding <[email protected]> wrote:
> >
> > I did not sign the tag, it looks like you have not processed this yet.
> > Do you want me to re-do the pull request on a signed tag?
>
> When pulling from github? Absolutely.

Linus, I'm not in the web of trust, pulling a tag signed by an _unknown_
key is not secure, is it? Would it not be better to get into the web of
trust first before requesting you pull any code from me?

Web of trust presents a social problem that I am not versed in. With my
limited knowledge I can present the following solutions.

1. Get my key signed at linux.conf.au in January in Sydney.
2. Request a video call with _some_ number of kernel developers to sign
   key (suggested by Konstantin).
3. Drive to Canberra and meet face to face with Michael to sign key
   (if he would agree to that).

I'm guessing I've missed the boat for this merge window so the option
that imposes the least on other developers' time is option 1, get my key
signed by a bunch of kernel developers at LCA.

Also, once I get in the web of trust I can apply to get my tree hosted
on git.kernel.org so you don't have to pull from GitHub.

Please advise when, and if, you have time.

thanks,
Tobin.
From 1584171767735150774@xxx Wed Nov 15 22:12:07 +0000 2017
On Thu, Nov 16, 2017 at 08:11:24AM +1100, Tobin C. Harding wrote:
>On Tue, Nov 14, 2017 at 02:45:59PM -0800, Linus Torvalds wrote:
>> On Tue, Nov 14, 2017 at 1:03 PM, Tobin C. Harding <[email protected]> wrote:
>> >
>> > I did not sign the tag, it looks like you have not processed this yet.
>> > Do you want me to re-do the pull request on a signed tag?
>>
>> When pulling from github? Absolutely.
>
>Linus I'm not in the web of trust, pulling a tag signed by an _unknown_
>key is not secure is it? Would it not be better to get into the web of
>trust first before requesting you pull any code from me.

Many kernel developers use a "Trust on First Use" (TOFU) approach, which
is not unreasonable -- it's what ssh has been using for the past couple
of decades. In the end, the goal of tag signing is not to verify your
*identity* but to verify that Tobin C. Harding from today is the same
Tobin C. Harding whose code was reviewed and merged 3 months ago.

>Also, once I get in the web of trust I can apply to get my tree hosted
>on git.kernel.org so you don't have to pull from GitHub.

We have different rules for issuing actual accounts at kernel.org. We
*do* rely on the web of trust, since I personally have no way of
verifying who is a real developer and who isn't. Even then, I don't
really care about your identity as much as I need to have assurances
from other members of kernel.org that they have worked with you
previously and they can vouch that you are their fellow kernel
developer.

-K
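
The TOFU model described in the message above, as an added example that is not part of the original thread: a small Python check that pins the signing key seen on a contributor's first signed tag and compares later tags against it. It assumes the input is the GnuPG status output that `git verify-tag --raw <tag>` prints; the pin file, the contributor label and the sample fingerprints are constructed for illustration.

```python
import json
from pathlib import Path

def signer_fingerprint(status_output):
    """Return the primary-key fingerprint from GnuPG status lines,
    or None when no line reports a valid signature."""
    for line in status_output.splitlines():
        fields = line.split()
        # [GNUPG:] VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved>
        #          <pubkey-algo> <hash-algo> <sig-class> [<primary-fpr>]
        if fields[:2] == ["[GNUPG:]", "VALIDSIG"] and len(fields) >= 3:
            # Pin the primary key when present: signing subkeys may rotate
            # without the contributor's key identity changing.
            return (fields[11] if len(fields) >= 12 else fields[2]).upper()
    return None

def tofu_check(pins_path, contributor, status_output):
    """Return 'first-use', 'match', 'mismatch' or 'no-valid-signature'."""
    fpr = signer_fingerprint(status_output)
    if fpr is None:
        return "no-valid-signature"
    path = Path(pins_path)
    pins = json.loads(path.read_text()) if path.exists() else {}
    pinned = pins.get(contributor)
    if pinned is None:
        # First contact: nothing to compare against, so record and accept.
        pins[contributor] = fpr
        path.write_text(json.dumps(pins, indent=2))
        return "first-use"
    # Later contact: continuity holds only if the same key signed again.
    return "match" if pinned == fpr else "mismatch"

def sample_status(subkey, primary):
    """Constructed status output (not real keys) for demonstration."""
    return ("[GNUPG:] NEWSIG\n"
            f"[GNUPG:] VALIDSIG {subkey} 2017-11-15 1510704000 0 4 0 1 8 00 {primary}\n")

if __name__ == "__main__":
    import os, tempfile
    pins = os.path.join(tempfile.mkdtemp(), "pins.json")
    who = "dev@example.org"  # hypothetical contributor label
    print(tofu_check(pins, who, sample_status("2" * 40, "1" * 40)))
    print(tofu_check(pins, who, sample_status("3" * 40, "1" * 40)))
    print(tofu_check(pins, who, sample_status("9" * 40, "9" * 40)))
```

A `mismatch` result means the continuity property has been lost for that tag, which is the case the pin exists to surface for manual review.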
From 1584248900666209415@xxx Thu Nov 16 18:38:07 +0000 2017