Hello Konstantin,

On 1/23/26 19:23, Konstantin Ryabitsev wrote:
> They are primarily working with me, and just so it's clear -- this is not
> any kind of assured thing. Here's where things stand:
> 
> - they asked us how we currently do our trust framework and I described the
>   process and its drawbacks, which are real:
> 
>   - I am the bottleneck in the process, because all updates have to go through
>     me; even if we add more people to have access, this would still be a
>     bottleneck, because the more keys there are in the web of trust, the more
>     finagling the whole process requires to deal with expirations, key
>     updates, identity updates, etc. We can rely on modern keyservers for some
>     of it, but not for third-party signatures, which are key for our
>     distributed trust.

Just to ensure we're talking about the same thing: This is about calling
a script once a week or so, check the resulting diff, commit and push,
right?

>   - We can't reasonably expand this to all kernel developers (not just
>     maintainers), because of constant churn of people coming, going, taking
>     breaks, etc. Maintaining the web of trust consisting of thousands of keys,
>     as opposed to hundreds, would become a full-time job if we stick to how
>     it's currently done (via the git repo and manual verification on my part
>     for all key additions).
>   - We're limited to PGP only, but it would be nice to also support something
>     like fido2 ssh key signatures.

I personally am happy with PGP and I don't see the benefit of using ssh
keys instead. But I'm open to look at the approach that we will see in
February.

> - they said they could come up with something that would use self-sovereign
>   did's that would allow scaling the trust framework to all kernel developers
>   and be self-sustaining and verifiable via cross-signatures.

123456789012345678901234567890123456789012345678901234567890123456789012

(Maybe apart from self-sustaining) this sounds like PGP. I consider it
self-sovereign as it's only me who has control over my certificate and
cross-signatures work fine, too. I agree that using GnuPG isn't nice for
newcomers and people only using it occasionally. But it is able to do
all the things we need from it, it has integration in git and mail (and
also ssh if you want) and I'd hesitate to throw that all over board for
something shiny new. I wonder if a new tool that covers all the needed
use-cases can be considerably simpler than PGP. And if that new tool
allows to let me continue using my PGP certificate, the complexity
cannot be less than PGP alone.

Having said that, I'd like to support you in the maintenance of the
pgpkeyring if this is considered helpful.

Best regards
Uwe