From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
To: "Uwe Kleine-König" <ukleinek@kernel.org>
Cc: Konstantin Ryabitsev <mricon@kernel.org>,
Greg KH <gregkh@linuxfoundation.org>,
users@kernel.org, ksummit@lists.linux.dev
Subject: Re: Web of Trust work [Was: kernel.org tooling update]
Date: Tue, 27 Jan 2026 00:33:26 +0100 [thread overview]
Message-ID: <20260127003326.1862e801@foz.lan> (raw)
In-Reply-To: <x5nnix4t2w74flef4xnivzw43gx7wdk7v3cirawq52qfd6qdty@he74b5uk26zc>
On Mon, 26 Jan 2026 18:32:22 +0100
Uwe Kleine-König <ukleinek@kernel.org> wrote:
> > > Just to ensure we're talking about the same thing: This is about calling
> > > a script once a week or so, check the resulting diff, commit and push,
> > > right?
> >
> > This is for updates, yes, and this is mostly hands-off except final review.
> > Adding new keys is usually a lot more involved, because there's frequently a
> > back-and-forth required (they sent a key without any signatures, there is not
> > enough signatures, the signatures are too far removed from Linus, etc). We
> > currently have about 600 keys in the keyring we maintain, and we clearly can
> > do a much better job like being more proactive when someone's expiry date is
> > approaching. I'm worried that if we tried to maintain a keyring for several
> > thousand people as opposed to several hundred, this would snowball into an
> > unmaintainable mess.
>
> Actually I'd like to see you/us add still more burden and asking
> developers to only hand in keys with an expiry date <= (say) 3 years.
> Something similar to what
I would love to replace my main PGP key with a new one using a strong
post-quantum algorithm[1], and then using revocable sub-keys with a
small expiry periods (3 to 5 years), but there are some technical and
logistical issues [2]:
- gpg 2.4 doesn't seem to support to support it;
- "updating to 2.5 would result in new users generating incompatible
LibrePGP keys" (from LWN.net post at [2]);
- a change like that would require to restore the web of trust,
asking people to resign your certs. Not hard to do on a
conference, but doing it remotely, the right way, is not trivial.
So, I guess we need to wait for a couple of extra gpg versions
(or alternatives) to do it at the best moment - while keeping
our old keychain in place as a fallback.
[1] Replacing with traditional crypto algorithms is probably not
worth, as, quantum computers are becoming a reality soon.
[2] https://lwn.net/Articles/1055053/
Thanks,
Mauro
next prev parent reply other threads:[~2026-01-26 23:33 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-10 4:48 kernel.org tooling update Konstantin Ryabitsev
2025-12-10 8:11 ` Mauro Carvalho Chehab
2025-12-10 13:30 ` Thorsten Leemhuis
2025-12-11 3:04 ` Theodore Tso
2025-12-12 23:48 ` Stephen Hemminger
2025-12-12 23:54 ` Randy Dunlap
2025-12-16 16:21 ` Lukas Wunner
2025-12-16 20:33 ` Jeff Johnson
2025-12-17 0:47 ` Mario Limonciello
2025-12-18 13:37 ` Jani Nikula
2025-12-18 14:09 ` Mario Limonciello
2026-01-23 9:19 ` Web of Trust work [Was: kernel.org tooling update] Uwe Kleine-König
2026-01-23 9:29 ` Greg KH
2026-01-23 11:47 ` Mauro Carvalho Chehab
2026-01-23 11:58 ` Greg KH
2026-01-23 12:24 ` Mauro Carvalho Chehab
2026-01-23 12:29 ` Greg KH
2026-01-23 13:57 ` Konstantin Ryabitsev
2026-01-23 16:24 ` James Bottomley
2026-01-23 16:33 ` Greg KH
2026-01-23 16:42 ` Joe Perches
2026-01-23 17:00 ` Steven Rostedt
2026-01-23 17:23 ` James Bottomley
2026-01-23 18:23 ` Konstantin Ryabitsev
2026-01-23 21:12 ` Uwe Kleine-König
2026-01-26 16:23 ` Konstantin Ryabitsev
2026-01-26 17:32 ` Uwe Kleine-König
2026-01-26 21:01 ` Konstantin Ryabitsev
2026-01-26 23:23 ` James Bottomley
2026-01-27 8:39 ` Uwe Kleine-König
2026-01-27 21:08 ` Linus Torvalds
2026-02-04 10:49 ` Uwe Kleine-König
2026-02-05 10:14 ` James Bottomley
2026-02-05 18:07 ` Uwe Kleine-König
2026-02-05 18:23 ` Konstantin Ryabitsev
2026-01-26 23:33 ` Mauro Carvalho Chehab [this message]
2026-01-26 23:06 ` Mauro Carvalho Chehab
2026-01-23 21:38 ` James Bottomley
2026-01-23 22:55 ` Mauro Carvalho Chehab
2026-01-23 16:38 ` Konstantin Ryabitsev
2026-01-23 17:02 ` Paul Moore
2026-01-23 18:42 ` kernel.org tooling update Randy Dunlap
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260127003326.1862e801@foz.lan \
--to=mchehab+huawei@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=ksummit@lists.linux.dev \
--cc=mricon@kernel.org \
--cc=ukleinek@kernel.org \
--cc=users@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox