
"For decades, Linux kernel developers used Pretty Good Privacy (PGP) to identify developers and their release artifacts. Git's PGP integration enabled signed tags to verify code repository integrity and signed commits to prevent hackers from impersonating legitimate developers."
"Today, kernel maintainers who want a kernel.org account must find someone already in the PGP web of trust, meet them face‑to‑face, show government ID, and get their key signed. The process is like a manual, global scavenger hunt."
"That's because it's tracked by manual scripts, the keys drift out of date, and the public 'who lives where' map creates privacy and social‑engineering risk."
Linux kernel maintainers are developing a new approach to identifying developers and verifying code authenticity, moving away from the decades-old Pretty Good Privacy (PGP) system. The current PGP web of trust requires a developer to meet an existing trusted member face-to-face, present government ID, and obtain a signature on their key; it is a manual, globally distributed process that creates privacy risks (a public map of who lives where) and a maintenance burden (hand-run scripts, keys that drift out of date). Recent security incidents, including the 2011 kernel.org breach and the 2024 xz-utils backdoor, exposed weaknesses in how developer identity and code provenance are established today. The new identification method aims to simplify developer verification while reducing privacy exposure and administrative overhead, and it could be adopted by other open-source projects beyond the Linux kernel.
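The quoted passage describes the mechanism PGP gave Git: signed commits bind a change to a developer's key, and signed tags bind a release to a maintainer's key. The script below is an added example, not code from the ZDNET article or from the kernel project. It generates a throw-away PGP key in a temporary GNUPGHOME, signs a commit and a tag in a scratch repository, verifies both, and then repeats the tag verification against an empty keyring to show the dependency the article is really about: a signature is only checkable if you already hold (and trust) the signer's public key, which is exactly what the face-to-face key-signing process was meant to guarantee. The identity `Demo Dev <demo@example.invalid>` and the repository contents are constructed for the demo; `gpg` (2.1 or later, for `--quick-generate-key` and loopback pinentry) and `git` are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the ZDNET article or the kernel project).
# Signs a git commit and tag with an ephemeral PGP key, verifies them,
# then shows that verification fails in a keyring without the signer's key.
set -eu

# Runs in a subshell so cd/env changes do not leak into the caller.
# Prints the signing key ID on success; exits non-zero on any failure.
demo_pgp_git_signing() (
    work=$(mktemp -d)
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$work"' EXIT

    # Isolated keyring so the real user keyring is never touched.
    export GNUPGHOME="$work/gnupg"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

    # Ephemeral signer identity, constructed for the demo (no passphrase,
    # loopback pinentry so nothing interactive is required).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Dev <demo@example.invalid>' default default never \
        >/dev/null 2>&1
    keyid=$(gpg --batch --list-secret-keys --with-colons | awk -F: '/^sec/{print $5; exit}')
    [ -n "$keyid" ] || exit 1

    # Scratch repository configured to sign every commit with that key.
    repo="$work/repo"
    git init -q "$repo"
    cd "$repo"
    git config user.name 'Demo Dev'
    git config user.email 'demo@example.invalid'
    git config user.signingkey "$keyid"
    git config commit.gpgsign true

    echo 'hello' >file.txt
    git add file.txt
    git commit -q -m 'signed commit'          # signed via commit.gpgsign
    git tag -s v1.0 -m 'signed release tag'   # -s forces a PGP-signed tag

    # Both verifications succeed: the signer's public key is in this keyring.
    git verify-commit HEAD >/dev/null 2>&1 || exit 1
    git verify-tag v1.0 >/dev/null 2>&1 || exit 1

    # The same tag is unverifiable from an empty keyring: without key
    # distribution (the web-of-trust step the article describes) the
    # signature cannot even be attributed, let alone trusted.
    empty="$work/empty-gnupg"
    mkdir -p "$empty" && chmod 700 "$empty"
    if GNUPGHOME="$empty" git verify-tag v1.0 >/dev/null 2>&1; then
        exit 1
    fi

    echo "$keyid"
)

# Usage (prints the ephemeral key ID):
# demo_pgp_git_signing
```

Note that `git verify-tag` reports success as soon as the signature checks out against a key in the keyring; it does not by itself tell you whether that key belongs to the person you think it does. That binding of key to real-world identity is what the web of trust, and now the replacement process the article describes, has to supply.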
#linux-kernel-security #developer-authentication #pgp-replacement #open-source-verification #cryptographic-identity-management
Read at ZDNET