Re: leaking_addresses script..

From: Tobin C. Harding
Date: Wed Nov 15 2017 - 16:33:26 EST


On Wed, Nov 15, 2017 at 01:20:20PM -0800, Linus Torvalds wrote:
> On Wed, Nov 15, 2017 at 1:11 PM, Tobin C. Harding <me@xxxxxxxx> wrote:
> >
> > Linus I'm not in the web of trust, pulling a tag signed by an _unknown_
> > key is not secure is it? Would it not be better to get into the web of
> > trust first before requesting you pull any code from me.
>
> Oh, I absolutely take signed pulls from new people who haven't gotten
> their keys with a full chain of trust to me..

Awesome, new tag signed pull request to come.

> I do it for a few different reasons:
>
> - the real trust is *never* in the key. People who trust
> technological measures are morons. You trust *people*, not keys. The
> technical measures are a shorthand and a help, not the basis.
>
> - I can just check the code
>
> - even if you never get your key signed by anybody else, it's still a
> sort of "identity" in the sense of me getting the pull requests from
> the same person (or key controlling group)
>
> - you probably *will* get your key signed by somebody else later, and
> it's all good, and that will show even in the commits before you got
> the signing done.
>
> It's not like we require that people send emailed patches with pgp
> signing either.
>
> So I require keys for pull requests even if I can't see the full chain
> of trust simply because of those two last issues: it's still an
> identity, and one that I expect will eventually be signed.

Thanks for taking the time to explain things to me. Please expect all
future 'process' mistakes by myself to come in multiples - I know you are
so quick on the email that as soon as I notice a mistake I rush to fix it,
usually botching it again :)

Again, thanks,
Tobin.