Hi all,
I want to give everyone a heads up about the kernel.org outage. As most of you know, kernel.org was compromised by an outside hacker and has been taken down for rebuild. You can find the coverage on lwn.net[1][2][3].
[1] http://lwn.net/Articles/457142/ - Initial notice
[2] http://lwn.net/Articles/458809/ - Further details
[3] http://lwn.net/Articles/460376/ - An update from H. Peter Alvin
Because kernel.org is central to the kernel development process, particularly since the majority of git trees pulled by Linus live there, the security of kernel.org is of paramount importance. It is critically important that when the kernel.org infrastructure comes back up that it not be vulnerable to another attack, so as part of rebuilding the infrastructure, all of the policies around how developers access kernel.org as well as how Linus pulls maintainer trees are under review.
The reason for this email is to give you a heads up about what you should expect when kernel.org becomes live again. There is a strong likelihood that maintainers will need to start GPG signing branches that they will ask Linus to pull. Nothing has been decided firmly (indeed, we won't know until Linus himself makes a decision about what he will accept), and it will definitely be a topic for the upcoming Kernel Summit at the end of October. However, it is worth taking the opportunity now to get familiar with GPG and to create a key for yourself. The Debian developers among you will already be familiar with this process, /even if you don't have a kernel.org account/. The Debian keysigning page[4] is a good place to start reading.
[4] http://wiki.debian.org/Keysigning
I'll post more details as I learn them. In the meantime, you can email me if you have any questions and I'll do my best to answer them.
g.
Is there usually a key-signing at UDS? If not, should we organize a Linaro one?
~Deepak
On 26 September 2011 11:31, Grant Likely <grant.likely@secretlab.ca> wrote:
> Hi all,
> I want to give everyone a heads up about the kernel.org outage. As most of you know, kernel.org was compromised by an outside hacker and has been taken down for rebuild. You can find the coverage on lwn.net[1][2][3].
> [1] http://lwn.net/Articles/457142/ - Initial notice
> [2] http://lwn.net/Articles/458809/ - Further details
> [3] http://lwn.net/Articles/460376/ - An update from H. Peter Alvin
> Because kernel.org is central to the kernel development process, particularly since the majority of git trees pulled by Linus live there, the security of kernel.org is of paramount importance. It is critically important that when the kernel.org infrastructure comes back up that it not be vulnerable to another attack, so as part of rebuilding the infrastructure, all of the policies around how developers access kernel.org as well as how Linus pulls maintainer trees are under review.
> The reason for this email is to give you a heads up about what you should expect when kernel.org becomes live again. There is a strong likelihood that maintainers will need to start GPG signing branches that they will ask Linus to pull. Nothing has been decided firmly (indeed, we won't know until Linus himself makes a decision about what he will accept), and it will definitely be a topic for the upcoming Kernel Summit at the end of October. However, it is worth taking the opportunity now to get familiar with GPG and to create a key for yourself. The Debian developers among you will already be familiar with this process, /even if you don't have a kernel.org account/. The Debian keysigning page[4] is a good place to start reading.
> [4] http://wiki.debian.org/Keysigning
> I'll post more details as I learn them. In the meantime, you can email me if you have any questions and I'll do my best to answer them.
> g.
> --
> Grant Likely, B.Sc., P.Eng.
> Secret Lab Technologies Ltd.
linaro-kernel mailing list linaro-kernel@lists.linaro.org http://lists.linaro.org/mailman/listinfo/linaro-kernel
On Mon, Oct 3, 2011 at 1:20 PM, Deepak Saxena <dsaxena@linaro.org> wrote:
> Is there usually a key-signing at UDS?
I don't know. Ask a Canonical person. :-)
> If not, should we organize a Linaro one?
Yes.
On Mon, Oct 03, 2011 at 12:20:38PM -0700, Deepak Saxena wrote:
> Is there usually a key-signing at UDS? If not, should we organize a Linaro one?
Copying Jorge.
Yes, there's usually always a massive key-signing at UDS; Jorge, can you get us details as to whether and when the Orlando one is?
For reference, we're talking about the kernel.org compromise:
> The reason for this email is to give you a heads up about what you should expect when kernel.org becomes live again. There is a strong likelihood that maintainers will need to start GPG signing branches that they will ask Linus to pull. Nothing has been decided firmly (indeed, we won't know until Linus himself makes a decision about what he will accept), and it will definitely be a topic for the upcoming Kernel Summit at the end of October. However, it is worth taking the opportunity now to get familiar with GPG and to create a key for yourself. The Debian developers among you will already be familiar with this process, /even if you don't have a kernel.org account/. The Debian keysigning page[4] is a good place to start reading.