On Tue, Sep 6, 2011 at 6:19 PM, Josh Boyer wrote:
> Maybe asking for some extra warm fuzzies from now on wouldn't be a
> horrible idea as general practice.
I think that realistically we should definitely look at our practices,
but at the same time, I personally do put a lot of trust in "human
Often way more than "technical models".
So there is a lot of safety in just a purely human "this looks like
the kind of pull request I expect". A lot of kernel developers write
nice messages explaining the pull, and there may not be a
cryptographic signature in text like that, but there is definitely a
"human signature" that you start to expect.
So one of the reasons I react to the github pulls is that even though
I'm actually pretty damn certain they are all the people they purport
to be, the "expected signature" is kind of missing. That's especially
true with a pull request that has just the minimal technically
required information - that is 99% script-generated to begin with.
Put another way: I'm not necessarily looking for cryptography. A reply
to a personal email of mine (that didn't go out to any mailing list)
is already a *much* stronger sign of identity: the person having
access to their email account. And once I know that yes, that github
repository was really set up by Xyz, then getting a pull request from
that is already much more sane and safe.
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html