Re: Web of Trust work [Was: kernel.org tooling update]

[James Bottomley <James.Bottomley@HansenPartnership.com>]

On Fri, 2026-01-23 at 17:33 +0100, Greg KH wrote:
> On Fri, Jan 23, 2026 at 11:24:33AM -0500, James Bottomley wrote:
> > On Fri, 2026-01-23 at 10:29 +0100, Greg KH wrote:
> > > On Fri, Jan 23, 2026 at 10:19:56AM +0100, Uwe Kleine-König wrote:
> > > > Hello Konstantin,
> > > > 
> > > > On 12/10/25 05:48, Konstantin Ryabitsev wrote:
> > > > > ## Web of Trust work
> > > > > 
> > > > > There is an ongoing work to replace our home-grown web of
> > > > > trust solution (that does work but has important bottlenecks
> > > > > and scaling limitations) with something both more distributed
> > > > > and easier to maintain. We're working with OpenSSF to design
> > > > > the framework and I hope to present it to the community in
> > > > > the next few months.
> > > > 
> > > > the current home-grown solution is
> > > > https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git/, right?
> > > > 
> > > > I wonder what the bottlenecks and scaling limitations are that
> > > > you mention.
> > > > 
> > > > Is there some info available already now about the path you
> > > > (and OpenSSF) intend to propose?
> > > 
> > > There will be a presentation about this in February at a
> > > conference and hopefully it will be made public then as the work
> > > is still ongoing.
> > 
> > Could you please stop doing this?  The Open Source norm is to
> > release early and often and long before you have stable code so you
> > get feedback incorporated *before* you're committed to something.
> 
> I'm not doing anything here, sorry.

You're listed as a presenter on the session Mauro pointed to.  And
you're the only kernel developer on it, so I was presuming you were
helping them out with kernel requirements.  If that's not true then we
have even more cause to worry that people who don't understand how we
work are coming up with what they consider to be a "solution" without
any consultation.

> > You're making it very hard for those of us engaged in open source
> > advocacy inside various companies because we seem to spend a lot of
> > our time trying to get our engineers not to drop fully polished
> > projects into the public view but engage early on prototypes.  It
> > rather undermines our position if they can point to the Linux
> > Foundation and say "but they do it so why shouldn't we?".
> 
> When there is something that is reviewable, it will be released as a
> starting point for everyone to review and comment on, like any other
> normal open source project.  It's as if you don't think we know how
> any of this works...
> 
> Surely you don't want us to be touting a bunch of vaporware at this
> point in time, right?

There's a fairly reasonable separation between touting vapourware and
discussing requirements.  You're already causing requirements based
questions in the community, like worrying that we're ditching pgp that
Konstantin just answered.  A lot of us have a variety of solutions to
the web of trust problem.  I think you already know I use DNS based
distribution of my keys over DANE and am happy with it, but it's not
available to everyone  because you need to ground your email in a
DNSSEC backed domain to use it (and kernel.org still doesn't use
DNSSEC).  I'd be unhappy if DANE stopped working for the kernel web of
trust simply because no-one thought about it.

Regards,

James