The Linux Kernel's PGP Web of Trust
12 comments
·May 9, 2025jmclnx
Seems this is related to SHA1 being used on gnupg. Will be interesting on how this plays out when SHA1 in gpg is obsoleted. I am not looking forward to that.
Then there is the added complexity of git using SHA1, I do not know if that has been changed yet.
Fun times ahead.
FWIW, I changed my git commit signing to ssh-ed25519 from gnupg about a month ago.
freeopinion
Didn't GPG change its default to ed25519 four years ago?
https://lists.gnupg.org/pipermail/gnupg-announce/2021q2/0004...
kpcyrd
ssh-ed25519 is different from a gnupg ed25519 key, since it doesn't have any of the technical baggage that gnupg has. Even with ed25519, sha1 is still hardcoded into RFC4880, the standard that gnupg implements. Fingerprints are typically 40 characters long since they are hex sha1 hashes. There's RFC9580 that changes this to sha256, but it's still very new and currently being finalized.
But even then, when using ed25519+sha256 to generate a signature, you're still going to do this over a sha1 hash because of the way git works.
arccy
or... gpg gets obsoleted along with sha1
NooneAtAll3
> since more than 20 years.
a bit sad that "since for time_points, for for time_duration" grammar rule isn't as well known as it should
crote
It's his second language. I think we can cut him some slack.
NoahKAndrews
It's not like that's even a common mistake, in my experience
immibis
"since <duration>" is the normal grammar in German and has the semantics of "since subtract(now, <duration>)" as you would expect
Tomte
German. "seit" for both.
owl_vision
since we are at time constructs, german also uses "wenn" when english uses "if" or "when".
owl_vision
from constructive corrections, we learn our grammatical, semantical mistakes, hence we move forward to better understand each other.
Nice write-up. Thanks for sharing.
Some may not remember BitKeeper being used to maintain the Linux kernel source code and how a discrepancy was found (22 years ago) between that repo and the CVS repo. This kind of led to git and signed commits that we have today, etc.
Here's a short write up: https://blog.citp.princeton.edu/2013/10/09/the-linux-backdoo...