The Linux Kernel's PGP Web of Trust

https://blog.kleine-koenig.org/ukl/the-linux-kernels-pgp-web-of-trust.html

64•JNRowe•8h ago

Comments

jmclnx•5h ago

Seems this is related to SHA1 being used on gnupg. Will be interesting on how this plays out when SHA1 in gpg is obsoleted. I am not looking forward to that.

Then there is the added complexity of git using SHA1, I do not know if that has been changed yet.

Fun times ahead.

FWIW, I changed my git commit signing to ssh-ed25519 from gnupg about a month ago.

freeopinion•4h ago

Didn't GPG change its default to ed25519 four years ago?

https://lists.gnupg.org/pipermail/gnupg-announce/2021q2/0004...

kpcyrd•2h ago

ssh-ed25519 is different from a gnupg ed25519 key, since it doesn't have any of the technical baggage that gnupg has. Even with ed25519, sha1 is still hardcoded into RFC4880, the standard that gnupg implements. Fingerprints are typically 40 characters long since they are hex sha1 hashes. There's RFC9580 that changes this to sha256, but it's still very new and currently being finalized.

But even then, when using ed25519+sha256 to generate a signature, you're still going to do this over a sha1 hash because of the way git works.

arccy•2h ago

or... gpg gets obsoleted along with sha1

NooneAtAll3•4h ago

> since more than 20 years.

a bit sad that "since for time_points, for for time_duration" grammar rule isn't as well known as it should

Tomte•4h ago

German. "seit" for both.

owl_vision•5m ago

since we are at time constructs, german also uses "wenn" when english uses "if" or "when".

crote•2h ago

It's his second language. I think we can cut him some slack.

NoahKAndrews•2h ago

It's not like that's even a common mistake, in my experience

owl_vision•7m ago

from constructive corrections, we learn our grammatical, semantical mistakes, hence we move forward to better understand each other.

seethishat•1h ago

Nice write-up. Thanks for sharing.

Some may not remember BitKeeper being used to maintain the Linux kernel source code and how a discrepancy was found (22 years ago) between that repo and the CVS repo. This kind of led to git and signed commits that we have today, etc.

Here's a short write up: https://blog.citp.princeton.edu/2013/10/09/the-linux-backdoo...

Paradox Interactive Anounces Europa Universalis 5

You've Never Seen Copyright

Project your earnings with some lines and charts (stripe analytics dashboard)

Sparky Distributed Jobs Flow

Héctor Germán Oesterheld

The Beam

China's AI Job Mirage

Amateur Athletes Are Turning to Ozempic to Raise Their Game

My Sermon on Open Source

37signals is completing its on-prem move, deleting its AWS account save millions

Bluetooth 6.1

Show HN: Scrape Creators – Real time Social media scraping APIs for devs

Run your own MCP servers for 1000s of APIs

Books with a critical perspective on the tech industry

AI makes computers do what I want them to do

Books on how the desire for foods and drugs shaped the world

I created an AI Trading Platform, as well as a community of traders that use it

Google Starts Scanning All Your Emails After Gmail Upgrade

India Supreme Court reverses content takedown order against Wikipedia operator

Buntralino Make better, faster cross-platform desktop apps with Bun

Podcast.today – Daily newsletters to discover new podcasts

I've been here the whole time

How Warren Robinett Made Adventure on the Atari

Quick, stable, self-contained: how we think about CI at Nerve

A.I. can't beat billions of years of natural selection

Cracking the Code: Deciphering How Concrete Can Heal Itself

Valuable Information Leaked in LockBit Ransomware Hack

India's costliest song shot 64 years ago, still rules hearts

Agent built in 3 minutes and used in multiagent orchestration

Show HN: Generate Subresource Integrity (SRI)