kernel.org no longer centrally signs submissions
Posted Nov 8, 2011 20:56 UTC (Tue) by raven667
In reply to: kernel.org no longer centrally signs submissions
Parent article: KS2011: Kernel.org report
With the new system, when I look at a file I know it came from some identifiable individual I don't know anything about. With the old one, I know it came from kernel.org. I know something about kernel.org. I know it's set up (and always has been) to tend not to accept garbage.
If I understand correctly, you don't have any reason to trust the old-style kernel.org signature, as it doesn't say anything about where the code came from or whether it is garbage or not, since everything was automatically signed. All it told you is that the person who uploaded it had legitimate or illicit access to the kernel.org server, nothing more.
You could just assume trust for anything signed, which would be the same security posture as before. It'd be great if there were more easily accessible, clear and accurate documentation on how to do useful signature verification. I just checked the kernel.org signature page and it looked like it hasn't been updated in a decade.
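The comment above asks for clear documentation on "useful signature verification". As an added illustration (not part of the LWN thread, and not kernel.org's own tooling), the script below shows what a useful check looks like with a per-developer key: it is not enough that gpg reports a good signature, the signature must also come from the specific key you have pinned in advance, otherwise a valid signature from any key proves nothing about who produced the file. It assumes gpg 2.1 or later is installed; the key, the "tarball" and the signature are all generated on the fly in a throwaway GNUPGHOME, so no real kernel.org key or release is involved. `verify_pinned` and the `demo_*` helpers are names chosen for this example.

```shell
#!/bin/sh
# Added example: verify a detached PGP signature and pin the signer's
# fingerprint. Everything below (key, file content, paths) is constructed
# for the demo inside temporary directories.
set -u

export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
WORK="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME" "$WORK"' EXIT

# Throwaway key standing in for an individual developer's key.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Demo Developer <demo@example.invalid>" default default never \
    >/dev/null 2>&1
# Primary-key fingerprint: this is the value a verifier would pin out of band.
DEMO_FPR="$(gpg --batch --with-colons --list-keys demo@example.invalid \
    | awk -F: '/^fpr:/ {print $10; exit}')"

# Constructed stand-in for a release tarball, plus its detached signature.
printf 'pretend this is linux-X.Y.tar\n' > "$WORK/linux-X.Y.tar"
gpg --batch --quiet --armor --detach-sign --local-user "$DEMO_FPR" \
    --output "$WORK/linux-X.Y.tar.sign" "$WORK/linux-X.Y.tar"

# verify_pinned SIGFILE DATAFILE EXPECTED_PRIMARY_FPR
# Returns 0 only when gpg reports a cryptographically good signature AND the
# primary key that made it matches the pinned fingerprint. A good signature
# from any other key is rejected. The machine-readable status stream is used
# instead of parsing the human-readable output.
verify_pinned() {
    sig="$1"; data="$2"; want="$3"
    status="$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null)" || return 1
    # "[GNUPG:] VALIDSIG <sigkey-fpr> <date> ... <primary-key-fpr>"; take the last field.
    got="$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $NF; exit}')"
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Expected-good case: untouched file, signature from the pinned key.
demo_good() {
    verify_pinned "$WORK/linux-X.Y.tar.sign" "$WORK/linux-X.Y.tar" "$DEMO_FPR"
}

# Good signature, but not from the key we pinned: must be rejected.
demo_wrong_key() {
    verify_pinned "$WORK/linux-X.Y.tar.sign" "$WORK/linux-X.Y.tar" \
        "0000000000000000000000000000000000000000"
}

# File modified after signing: gpg reports BADSIG, verification must fail.
demo_tampered() {
    cp "$WORK/linux-X.Y.tar" "$WORK/tampered.tar"
    printf 'one extra byte\n' >> "$WORK/tampered.tar"
    verify_pinned "$WORK/linux-X.Y.tar.sign" "$WORK/tampered.tar" "$DEMO_FPR"
}

if demo_good; then
    echo "OK: good signature from pinned key $DEMO_FPR"
else
    echo "FAIL: signature missing, bad, or from an unpinned key"
fi
demo_wrong_key || echo "OK: good signature from a non-pinned key was rejected"
demo_tampered  || echo "OK: modified file was rejected"
```

The pinned fingerprint is the piece that turns "someone signed this" into "the person I expect signed this"; it has to be obtained through a channel other than the download itself, for instance from a key already in your keyring or from the web of trust, otherwise checking it adds nothing.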