Linux explores new way of authenticating developers and their code – here’s how it works
Publish Date: 2026-02-26 15:24:00
Source Domain: www.zdnet.com
ZDNET’s key takeaways
- The Linux kernel is moving toward a better way of identifying developers and their code.
- This new approach can be used by other open-source projects.
- It’s not being rolled out yet, but I expect it to be deployed by this time next year.
NAPA, Calif. — In the immortal words of song developer Pete Townshend, “Well, who are you? (Who are you? Who, who, who, who?) I really wanna know!” Linux kernel maintainers have the same question: Who are their programmers, and how can the kernel community be sure the code they submit is really theirs?
For decades, Linux kernel developers used Pretty Good Privacy (PGP) to identify developers and their release artifacts. Git’s PGP integration enabled signed tags to verify code repository integrity and signed commits to prevent hackers from impersonating legitimate developers.
In 2011, hackers successfully cracked the main Linux development site, kernel.org. Afterward, to make sure this didn't happen again, the kernel's PGP web of trust was explicitly "bootstrapped" at a face-to-face key-signing session during the 2011 Kernel Summit.
More recently, the xz utility was compromised by a malicious developer, almost leading to malware infecting Linux.
A painful process
Today, kernel maintainers who want a kernel.org account must find someone already in the PGP web of trust, meet them face-to-face, show government ID, and get their key signed. The process is like a manual, global scavenger hunt. Linux kernel maintainer Greg Kroah-Hartman, speaking at the Linux Foundation Members Summit, described it as a "pain to do and manage." That's because it's tracked by manual scripts, the keys drift out of date, and the public "who lives where" map creates privacy and social-engineering risk.
Therefore, the kernel maintainers are…