Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Linus Torvalds <torvalds <at> linux-foundation.org>
Subject: Re: [GIT PULL] KVM fix for 3.1-rc5
Newsgroups: gmane.comp.emulators.kvm.devel
Date: Wednesday 7th September 2011 01:37:02 UTC (over 5 years ago)
On Tue, Sep 6, 2011 at 6:19 PM, Josh Boyer <[email protected]> wrote:
>
> Maybe asking for some extra warm fuzzies from now on wouldn't be a
> horrible idea as general practice.

I think that realistically we should definitely look at our practices,
but at the same time, I personally do put a lot of trust in "human
relationships".

Often way more than "technical models".

So there is a lot of safety in just a purely human "this looks like
the kind of pull request I expect". A lot of kernel developers write
nice messages explaining the pull, and there may not be a
cryptographic signature in text like that, but there is definitely a
"human signature" that you start to expect.

So one of the reasons I react to the github pulls is that even though
I'm actually pretty damn certain they are all the people they purport
to be, the "expected signature" is kind of missing. That's especially
true with a pull request that has just the minimal technically
required information - that is 99% script-generated to begin with.

Put another way: I'm not necessarily looking for cryptography. A reply
to a personal email of mine (that didn't go out to any mailing list)
is already a *much* stronger sign of identity: the person having
access to their email account. And once I know that yes, that github
repository was really set up by Xyz, then getting a pull request from
that is already much more sane and safe.

                         Linus
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
 
CD: 3ms