Hello, all: I'm reaching out to you because you're a security-oriented mailing list and would likely be among the folks most interested in end-to-end cryptographic patch attestation features -- or, at least, you're likely to be least indifferent about it. :) In brief: - the mechanism I propose uses an external mailing list for attestation data, so list subscribers will see no changes to the mailing list traffic at all (no proliferation of pgp signatures, extra junky messages, etc) - attestation can be submitted after the fact for patches/series that were already sent to the list, so a maintainer can ask for attestation to be provided post-fact before they apply the series to their git tree - a single attestation document is generated per series (or, in fact, any collection of patches) For technical details of the proposed scheme, please see the following LWN article: https://lwn.net/Articles/813646/ The proposal is still experimental and requires more real-life testing before I feel comfortable inviting wider participation. This is why I am approaching individual lists that are likely to show interest in this idea. If you are interested in participating, all you need to do is to install the "b4" tool and start submitting and checking patch attestation. Please see the following post for details: https://people.kernel.org/monsieuricon/introducing-b4-and-patch-attestation With any feedback, please email the tools@xxxxxxxxxxxxxxxx list in order to minimize off-topic conversations on this list. Thanks in advance, -- Konstantin Ryabitsev The Linux Foundation
