Re: [PATCH v2] Documentation/process: kernel maintainer PGP guide

From: Konstantin Ryabitsev
Date: Thu Feb 01 2018 - 15:50:32 EST


On Thu, Feb 01, 2018 at 11:14:50AM -0700, Jonathan Corbet wrote:
- Capitalizing "Kernel" bugs me. Obviously not a big deal.

Noted.

- The "master keys vs. subkeys" section is nice, but it's missing one
thing, IMO: a sentence saying what a subkey *is* in the first place.

I'll work that in for subsequent changes

- We don't normally endorse commercial products in kernel docs. OTOH, I
don't see any other way for people to know which keycards they should
get. This section is sure to go obsolete as products come and go,
though - you're on the hook for maintaining it :)

If we wanted to avoid this, one way would be to refer people to the "Protecting Code Integrity" guide for smartcard recommendations, though it uses slightly different criteria (Mac users suddenly become important).

- The suggestion to sign individual commits is, as I understand it,
controversial (Linus doesn't agree with it) and is 100% contrary to
current practice. Are there any signed commits in the kernel repo
now? Given that, I'm a bit nervous about putting commit-signing
forward as standard practice.

Linus isn't against it, he just points out that it serves no purpose -- the only thing that needs to be signed is the tip of each branch. Since each commit contains the parent checksum of the previous commit, that provides a backward chain for the rest of the branch, and that is sufficient to give cryptographic assurances for the remainder of all repo objects without needing to separately sign each of the commits leading to the tip.

And, of course, all those PGP signatures are lost when commits are converted to patches, so in his view the whole thing is pretty pointless. All he needs is signatures on tags that he pulls directly from maintainers.

However, there is currently no way to tell git "sign just the tip of the branch" -- I'm not even sure how it would work, because git has no knowledge of your intentions. A tip may only remain a tip for a couple of seconds before you add more commits. And should signatures be removed from previous commit tips, or just left there? And if so, why not just sign every commit anyway, since it doesn't *hurt* anything, especially if gpg-agent is properly configured -- it's just a background operation that doesn't even slow down your work if you use ECC subkeys.

Anyway, I feel it should remain as a weak recommendation just in case someone has to prove at any point their authorship of a specific commit, but I'm happy to change it, remove it, or add more detail explaining the above if you think the section should be expanded. I can talk about it for pages on end, I was just trying to be succinct. ;)

- I'm not quite sure what the "finding paths to Linus" link is supposed
to do for the reader.

The idea is that it's a weak substitute for a web of trust. If someone isn't keeping one going, then using the PGP Pathfinder will give them at least *some* indication about whether the key is trusted or not. I do agree that if you don't already know what you're looking at, the output is fairly opaque. It's long been my desire to put together a kernel.org-specific tool where you can check similar data using pretty graphs (e.g. https://mricon.com/misc/korg-wot-graph.png), but I haven't had a chance yet.

Anyway, these are all quibbles, and I think the documentation is
definitely improved by having this, so I'm going ahead and applying it.
It may be worth considering some tweaks for the issues above, though, as
time allows.

Will do, thank you for the feedback!

-K