Maintaining the kernel's web of trust
Posted Sep 5, 2019 8:54 UTC (Thu) by nilsmeyer (guest, #122604) In reply to: Maintaining the kernel's web of trust by weberm
Parent article: Maintaining the kernel's web of trust
Posted Sep 5, 2019 9:12 UTC (Thu) by weberm (guest, #131630)
There's new data coming in from kernel.org and you have a new signature from a new contributor. How do you establish that you trust them? Your local copy doesn't help.
There is no trustworthy information authority, IMO, aside from, say, Konstantin's local git repo copy (if he is the person to extend the git repo with new signatures). It's kind of a circular argument IMO once you involve kernel.org.
At some point in time Tx you get the initial clone, how do you know that T_attack is not < Tx?
-> You gotta talk to someone else, not kernel.org
-> You gotta talk to someone else, not kernel.org