On Wed, Jun 15, 2016 at 8:40 AM, Lukas Wunner <lukas@xxxxxxxxx> wrote:
>
> So how should changes to drivers/thunderbolt/ be merged in the future?
>
> Andreas could probably send pulls directly to Linus, but I'm not sure
> what the requirements are. I believe Linus wants signed tags. The trust
> path from Linus to me is 4 hops and I've signed Andreas' key today,
> yielding a 5 hop trust path:
>
> Is there an upper limit on the acceptable length of the trust path?
> Does the key have to be signed by another maintainer?

I care not one whit about the idiotic gpg "trust path" crap.

To me, signatures are not about technicalities. I absolutely abhor all the crazy people who think that signatures are about automatic web of trust, and spend a lot of time on things like subkeys that expire every six months etc (you know who you are). To me, that is just complete gpg masturbation, and completely misses the point about "trust".

Trust is not about the gpg signature. Trust is about the *person*. And the gpg signature is a good and reasonable approximation of an ID. But it's not some kind of absolute thing.

I'd much rather get an email from a current maintainer that I trust, saying "look, there's going to be a new maintainer for this part of the tree, and I signed his gpg key, and the fingerprint of that is so-and-so". Then, I'll do a "gpg --fetch-key", so that I have that particular key in my keyring, and can verify that "ok, yes, I recognize the key that signed it".

At no point do I start counting hops.

And if you lose your key, screw the whole crazy "key revocation protocol". It's a joke. Most people who lost their keys will not have any revocation key either. Just let me and others know. I'll just remove that key from my keychain.

What makes me look at a key is "I've never seen this key before". The most common reason is the people who do that f*cking annoying "let's refresh signing keys every six months whether I need it or not because I auto-expire them".
Then I'll have to look at why the hell I'm getting a signed pull request with a new key.

So don't worry about technicalities. I've pulled from people who had not a single signature on their keychain, because they just were in the wrong spot. I'd rather have a signed pull even then, just so that I see that I get the pull requests from the same person each time, and hopefully in a week (or month, or two), that key will get signatures.

Obviously, if you can get five people I know personally signing your key, that makes me worry less about your particular identity, and that's fine. But the *real* trust is something that builds up over time as people are good maintainers. It has absolutely nothing to do with gpg key details.

And that *real* trust is what matters a whole lot more than a few random bits that just happen to be part of a pgp key.

                Linus
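The policy in the message above, as an added example that is not from the thread or from Linus: decide whether to pull based only on whether the signing key is one already recognized, by parsing the GnuPG status lines that `git verify-tag --raw` writes to stderr, ignoring the TRUST_* hop-counting lines, and flagging never-seen and expired keys for a manual look. The allowlist, fingerprints and status lines are constructed, and `assess_status` and `verify_tag` are hypothetical names.

```python
import subprocess

# Constructed stand-in for the maintainer's keyring: fingerprints of keys that
# have signed pull requests before. Not a real key or person.
KNOWN_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567": "New Maintainer (constructed)",
}

def assess_status(status_text, known=KNOWN_FINGERPRINTS):
    """Decide from GnuPG '[GNUPG:] ...' status lines whether a signed tag came
    from an already recognized key. TRUST_* lines (web-of-trust hop counting)
    are deliberately ignored. Returns (accept, reason, primary_fpr_or_None)."""
    tags = {}
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            fields = line.split()[1:]
            tags[fields[0]] = fields[1:]
    if "BADSIG" in tags or ("ERRSIG" in tags and "NO_PUBKEY" not in tags):
        return False, "signature does not verify", None
    if "NO_PUBKEY" in tags:  # "I've never seen this key before"
        keyid = tags["NO_PUBKEY"][0]
        return False, f"unknown key {keyid}: fetch it only after the current maintainer confirms its fingerprint", None
    if "VALIDSIG" not in tags:
        return False, "no valid signature found", None
    fields = tags["VALIDSIG"]
    fpr = fields[-1] if len(fields) >= 10 else fields[0]  # primary key fingerprint
    if "EXPKEYSIG" in tags or "KEYEXPIRED" in tags:  # the auto-expire annoyance
        return False, f"key {fpr} has expired; confirm the refreshed key before pulling", fpr
    if fpr in known:
        return True, f"signed by the recognized key of {known[fpr]}", fpr
    return False, f"key {fpr} is in the keyring but never signed a pull before; ask the maintainer", fpr

def verify_tag(tag, repo=".", known=KNOWN_FINGERPRINTS):
    # git verify-tag --raw prints the gpg status lines on stderr
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return assess_status(proc.stderr, known)

# Constructed status output shaped like what git verify-tag --raw emits.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
STATUS_KNOWN = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 New Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG {FPR} 2016-06-15 1465983600 0 4 0 1 10 00 {FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_UNKNOWN = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 1 10 00 1465983600 9 -
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""
STATUS_EXPIRED = STATUS_KNOWN.replace("GOODSIG", "EXPKEYSIG") + "[GNUPG:] KEYEXPIRED 1465983600\n"
```

Note that STATUS_KNOWN is accepted even though gpg reports TRUST_UNDEFINED, which is exactly the point: recognition of the key, not its web-of-trust validity, decides.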