Re: Web of Trust work [Was: kernel.org tooling update]

[Konstantin Ryabitsev <mricon@kernel.org>]

On Fri, Jan 23, 2026 at 10:12:39PM +0100, Uwe Kleine-König wrote:
> >   - I am the bottleneck in the process, because all updates have to go through
> >     me; even if we add more people to have access, this would still be a
> >     bottleneck, because the more keys there are in the web of trust, the more
> >     finagling the whole process requires to deal with expirations, key
> >     updates, identity updates, etc. We can rely on modern keyservers for some
> >     of it, but not for third-party signatures, which are key for our
> >     distributed trust.
> 
> Just to ensure we're talking about the same thing: This is about calling
> a script once a week or so, check the resulting diff, commit and push,
> right?

This is for updates, yes, and this is mostly hands-off except final review.
Adding new keys is usually a lot more involved, because there's frequently a
back-and-forth required (they sent a key without any signatures, there is not
enough signatures, the signatures are too far removed from Linus, etc). We
currently have about 600 keys in the keyring we maintain, and we clearly can
do a much better job like being more proactive when someone's expiry date is
approaching. I'm worried that if we tried to maintain a keyring for several
thousand people as opposed to several hundred, this would snowball into an
unmaintainable mess.

> I personally am happy with PGP and I don't see the benefit of using ssh
> keys instead. But I'm open to look at the approach that we will see in
> February.

Supporting ssh keys (along with minisign keys) is a Frequently Requested
Feature (TM) -- not so much among kernel users, but among several other
projects that use non-forge workflows.

PGP and its tools (GnuPG, primarily) are seen as extremely unfriendly, arcane,
and prone to breaking. This is largely a perception problem, I agree, and it's
not helped by efforts like gpg.fail -- I appreciate the work the researchers
have put into it, but I hated the presentation for its "lol pgp" vibe.

> (Maybe apart from self-sustaining) this sounds like PGP. I consider it
> self-sovereign as it's only me who has control over my certificate and
> cross-signatures work fine, too. I agree that using GnuPG isn't nice for
> newcomers and people only using it occasionally. But it is able to do
> all the things we need from it, it has integration in git and mail (and
> also ssh if you want) and I'd hesitate to throw that all over board for
> something shiny new.

For the record, we're not. I don't see a (near) future where PGP will stop
being our recommended attestation mechanism. However, this doesn't stop us
from looking at alternatives, and this effort is exactly what it is -- looking
at alternatives. A group of security researchers are saying they can do a
better job with decentralized trust management and I am happy to let them try
and evaluate the results.

> Having said that, I'd like to support you in the maintenance of the
> pgpkeyring if this is considered helpful.

I do appreciate your work!

Thanks,
-K