ksummit.lists.linux.dev archive mirror
 help / color / mirror / Atom feed
From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
To: "Uwe Kleine-König" <ukleinek@kernel.org>
Cc: Konstantin Ryabitsev <mricon@kernel.org>,
	Greg KH <gregkh@linuxfoundation.org>,
	users@kernel.org, ksummit@lists.linux.dev
Subject: Re: Web of Trust work [Was: kernel.org tooling update]
Date: Tue, 27 Jan 2026 00:33:26 +0100	[thread overview]
Message-ID: <20260127003326.1862e801@foz.lan> (raw)
In-Reply-To: <x5nnix4t2w74flef4xnivzw43gx7wdk7v3cirawq52qfd6qdty@he74b5uk26zc>

On Mon, 26 Jan 2026 18:32:22 +0100
Uwe Kleine-König <ukleinek@kernel.org> wrote:

> > > Just to ensure we're talking about the same thing: This is about calling
> > > a script once a week or so, check the resulting diff, commit and push,
> > > right?  
> > 
> > This is for updates, yes, and this is mostly hands-off except final review.
> > Adding new keys is usually a lot more involved, because there's frequently a
> > back-and-forth required (they sent a key without any signatures, there is not
> > enough signatures, the signatures are too far removed from Linus, etc). We
> > currently have about 600 keys in the keyring we maintain, and we clearly can
> > do a much better job like being more proactive when someone's expiry date is
> > approaching. I'm worried that if we tried to maintain a keyring for several
> > thousand people as opposed to several hundred, this would snowball into an
> > unmaintainable mess.  
> 
> Actually I'd like to see you/us add still more burden and asking
> developers to only hand in keys with an expiry date <= (say) 3 years.
> Something similar to what

I would love to replace my main PGP key with a new one using a strong
post-quantum algorithm[1], and then using revocable sub-keys with a
small expiry periods (3 to 5 years), but there are some technical and
logistical issues [2]:

- gpg 2.4 doesn't seem to support to support it;
- "updating to 2.5 would result in new users generating incompatible 
  LibrePGP keys" (from LWN.net post at [2]);
- a change like that would require to restore the web of trust,
  asking people to resign your certs. Not hard to do on a
  conference, but doing it remotely, the right way, is not trivial.

So, I guess we need to wait for a couple of extra gpg versions
(or alternatives) to do it at the best moment - while keeping
our old keychain in place as a fallback.

[1] Replacing with traditional crypto algorithms is probably not
    worth, as, quantum computers are becoming a reality soon.

[2] https://lwn.net/Articles/1055053/

Thanks,
Mauro

  parent reply	other threads:[~2026-01-26 23:33 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-12-10  4:48 kernel.org tooling update Konstantin Ryabitsev
2025-12-10  8:11 ` Mauro Carvalho Chehab
2025-12-10 13:30 ` Thorsten Leemhuis
2025-12-11  3:04   ` Theodore Tso
2025-12-12 23:48   ` Stephen Hemminger
2025-12-12 23:54     ` Randy Dunlap
2025-12-16 16:21 ` Lukas Wunner
2025-12-16 20:33   ` Jeff Johnson
2025-12-17  0:47     ` Mario Limonciello
2025-12-18 13:37       ` Jani Nikula
2025-12-18 14:09         ` Mario Limonciello
2026-01-23  9:19 ` Web of Trust work [Was: kernel.org tooling update] Uwe Kleine-König
2026-01-23  9:29   ` Greg KH
2026-01-23 11:47     ` Mauro Carvalho Chehab
2026-01-23 11:58       ` Greg KH
2026-01-23 12:24         ` Mauro Carvalho Chehab
2026-01-23 12:29           ` Greg KH
2026-01-23 13:57         ` Konstantin Ryabitsev
2026-01-23 16:24     ` James Bottomley
2026-01-23 16:33       ` Greg KH
2026-01-23 16:42         ` Joe Perches
2026-01-23 17:00           ` Steven Rostedt
2026-01-23 17:23         ` James Bottomley
2026-01-23 18:23           ` Konstantin Ryabitsev
2026-01-23 21:12             ` Uwe Kleine-König
2026-01-26 16:23               ` Konstantin Ryabitsev
2026-01-26 17:32                 ` Uwe Kleine-König
2026-01-26 21:01                   ` Konstantin Ryabitsev
2026-01-26 23:23                   ` James Bottomley
2026-01-27  8:39                     ` Uwe Kleine-König
2026-01-27 21:08                       ` Linus Torvalds
2026-02-04 10:49                         ` Uwe Kleine-König
2026-02-05 10:14                           ` James Bottomley
2026-02-05 18:07                             ` Uwe Kleine-König
2026-02-05 18:23                               ` Konstantin Ryabitsev
2026-01-26 23:33                   ` Mauro Carvalho Chehab [this message]
2026-01-26 23:06                 ` Mauro Carvalho Chehab
2026-01-23 21:38             ` James Bottomley
2026-01-23 22:55             ` Mauro Carvalho Chehab
2026-01-23 16:38       ` Konstantin Ryabitsev
2026-01-23 17:02         ` Paul Moore
2026-01-23 18:42 ` kernel.org tooling update Randy Dunlap

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260127003326.1862e801@foz.lan \
    --to=mchehab+huawei@kernel.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=ksummit@lists.linux.dev \
    --cc=mricon@kernel.org \
    --cc=ukleinek@kernel.org \
    --cc=users@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox