After the #OpenPGP keysigning party at @embeddedrecipes with 20 registered (and several ad-hoc) participants the first signatures landed on the keyservers. The strong set size (only considering the 20 registered certificates) increased from 6 to 12.
I implemented changes for the tool that is used to manage the kernel’s #OpenPGP keyring repo. If @monsieuricon merges it, that makes my trust path degenerate from the current trust paths to a trust path without SHA-1. For others it’s worse …
PGP is used to sign and (hopefully) also verify pull requests. For a big and relevant part of our community the certifications and cross signatures that are the computational base for the trust in the transferred code changes are already long established.
The problem here is that security is a moving target and the algorithms used back then are not considered secure any more. For example GnuPG (and also other OpenPGP implementations) don’t consider SHA-1 secure any more. See my blog for some effects of that on the kernel Web of Trust.
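One way to see how much of a keyring still rests on SHA-1 is to look at the digest algorithm of each certification. The script below is an added example, not the author's tooling or the kernel keyring tool: it parses the textual output of `gpg --list-packets` (format assumed from GnuPG 2.x, where `digest algo 2` is SHA-1 per the RFC 4880 hash-algorithm IDs) and lists third-party and self certifications (sigclass 0x10 to 0x13) made with SHA-1. The packet listing embedded here is constructed sample data.

```shell
#!/bin/sh
# List OpenPGP certifications that use SHA-1, from `gpg --list-packets` text.
# Hash algorithm IDs follow RFC 4880: 2 = SHA-1, 8 = SHA-256, 10 = SHA-512.
# Sigclass 0x10..0x13 are UID certifications; 0x18 (subkey binding) is skipped.
# Real use (assumed gpg invocation):  gpg --export KEYID | gpg --list-packets | sha1_certs

sha1_certs() {
    awk '
        # Header of a signature packet: remember the issuer key ID, reset state.
        /^:signature packet:/ { insig = 1; issuer = $6; sigclass = ""; next }
        # Any other packet header ends the signature packet.
        /^:/                  { insig = 0 }
        insig && /sigclass 0x/ {
            sigclass = $0
            sub(/.*sigclass /, "", sigclass); sub(/[^0-9A-Fa-fx].*/, "", sigclass)
        }
        insig && /digest algo [0-9]+/ {
            digest = $0
            sub(/.*digest algo /, "", digest); sub(/[^0-9].*/, "", digest)
            if (digest + 0 == 2 && sigclass ~ /^0x1[0-3]$/) print issuer, sigclass
        }
    '
}

# Constructed sample: one key, one UID, three certifications and one subkey binding.
SAMPLE_PACKETS='# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
    version 4, algo 1, created 1500000000, expires 0
    keyid: 0123456789ABCDEF
:user ID packet: "Example Dev <dev@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1500000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 1a 2b
:signature packet: algo 1, keyid FEDCBA9876543210
    version 4, created 1600000000, md5len 0, sigclass 0x10
    digest algo 8, begin of digest 3c 4d
:signature packet: algo 22, keyid 1111222233334444
    version 4, created 1550000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 5e 6f
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1500000001, md5len 0, sigclass 0x18
    digest algo 2, begin of digest 7a 8b'

# Number of SHA-1 certifications in the sample (subkey binding and SHA-256 cert excluded).
count_sha1_certs() {
    printf '%s\n' "$SAMPLE_PACKETS" | sha1_certs | awk 'END { print NR }'
}
```

On the sample this reports two SHA-1 certifications (the SHA-1 self-signature and the SHA-1 certification from 1111222233334444); run it against a real export to see which trust-path edges would disappear once SHA-1 certifications are no longer counted.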