Follow ZDNET: Add us as a favorite source On Google.
ZDNET Highlights
- The Linux kernel is moving toward a better way to identify developers and their code.
- This new approach can be used by other open-source projects.
- It’s not being rolled out yet, but I hope to have it deployed by this time next year.
Napa, California – In the immortal words of song developer Pete Townshend, “Well, who are you? (Who are you? Who, who, who, who?) I really wanna know!” Linux kernel maintainers have the same question: who are their programmers, and how can the kernel community be sure that the code they submit is actually theirs?
For decades, Linux kernel developers used Very Good Privacy (PGP) Identifying developers and their release artifacts. Git’s PGP integration enables signed tags to verify code repository integrity And signed commitments to prevent hackers from impersonating legitimate developers.
Also: The latest Linux kernel release ends the 6.x era – and it’s a gift for cloud administrators
In 2011, hackers successfully hacked the main Linux development site, kernel.org. Later, to ensure that this would not happen again, the kernel’s PGP Web of Trust was apparently “bootstrapped” in a face-to-face key-signing session during the 2011 Kernel Summit.
Just recently, the xz utility was compromised by a malicious developer, almost causing malware to infect Linux.
a painful process
Today, kernel maintainers who want a kernel.org account already have to find someone in the PGP web of trust, meet them face-to-face, show government ID, and get their key signed. The process is like a manual, global scavenger hunt. Linux kernel maintainer Greg Kroah-Hartman, speaking at the Linux Foundation Members Summit, described it as “a pain to do and manage.” This is because it is tracked by manual scripts, keys become obsolete, and the public’s “who lives where” map creates privacy and social-engineering risks.
Therefore, kernel maintainers are working to replace this fragile PGP key-signing web with a decentralized, privacy-preserving identity layer that can provide guarantees for both developers and the code they sign.
Also: This backdoor has infected Linux almost everywhere: XZ Utilities Close Call
Their new approach, which I’ll call Linux ID, was introduced this week Linux Foundation Decentralized Trust Leaders Daniela Barbosa and Hart Montgomery, with partner Glenn Gore, CEO AffinidaeAn open-standards digital trust company. Linux IDs are intended to give the kernel community a more flexible way to prove who people are, and who they are not, without key-signing parties or ad-hoc video calls.
At the core of Linux ID is a set of cryptographic “proofs of personality” built on modern digital identity standards rather than traditional PGP key signatures. Instead of a single monolithic web of trust, the system issues and exchanges personality certificates and verifiable certificates that prove “this person is a real person,” “this person is the company
Issuer-agnostic and composable
These credentials can be determined in several ways: government-issued digital ID, where available; Third-party identity verifiers similar to visa application centers; employer; or the Linux Foundation itself acting as an issuer.
Montgomery stressed that the model is intentionally issuer-agnostic and composable: if two developers share trust in different issuers, they can still find overlapping trust paths, and the more independent issuers exist, the stronger the overall system becomes.
Also: I’ve used Windows for decades, but I tried Linux to see if it’s really ‘easier’ now – and one thing surprised me
Technically, Linux IDs are built around decentralized identifiers (DIDs). It is a W3C‑style mechanism for creating globally unique IDs and associating public keys and service endpoints with them. Developers potentially create DIDs using existing Curve25519‑based keys from today’s PGP world, and publish DID documents through secure channels such as HTTP‑based “did:web” endpoints that expose their public key infrastructure and where to send encrypted messages.
Additionally, the project uses a decentralized messaging fabric that can be REST, DIDCommOr any other trust-spanning protocol. It enables participants to establish connections and exchange credentials without revealing their physical location or network topology. Each connection uses its own random, short-lived DID, making it hard for observers running the messaging infrastructure to guess who is talking to whom or to map the social graph of the kernel.
In a live demo, Gore demonstrated how a new developer creates an identity without any prior credentials, joins the Linux Foundation community, and then establishes a connection with another participant using the paired DID. Once that relationship exists, both parties can exchange rich, verifiable relationship credentials (VRCs) that record facts such as when the relationship began, the level of trust reflected, and how long the credential should remain valid.
Also: AI is entering the Linux kernel – and official policy is needed ASAP
For kernel maintainers, the idea is that these credentials will support the identity behind the signed code: instead of relying solely on a PGP key signed at a conference years ago, maintainers can check a bundle of fresh credentials that prove that the key they see belongs to the same person recognized by the Linux Foundation, their employer, or other trusted issuers. These credentials can be fed into transparency logs and other audit systems.
Montgomery and others were careful to say that Linux IDs would not magically prevent another xz‑style supply‑chain attack, but they argued that it significantly increases the costs. Instead of a single PGP key and a few signatures, an attacker would need to collect and maintain multiple, short-lived credentials from issuers who can revoke them and from community members whose own reputations are at play, while their activity is streamed to public or semi-public transparency logs.
It’s a technology stack, not a fixed policy
The design of the system also pushes toward short-lived verification: issuers are incentivized to issue credentials valid for days or weeks, not years, and to rely on trust registries that can flag revoked credentials even if the issuer and holder are not in direct contact. That combination of rolling credentials and registry-supported revocation gives the community more levers to respond when a contributor turns out not to be who they claimed to be or when a genuine developer’s device or keys are compromised.
Also: Why my favorite Linux distro is slowing down – and I’m thrilled about it
A theme repeated throughout the session was that Linux ID is a technology stack, not a fixed policy. Various communities, from the core kernel to other Linux Foundation projects, will be able to choose which issuers they trust, what level of proof they require for different roles, and whether AI agents can act under delegated credentials to perform automated tasks like continuous integration or patch testing.
The same mechanism that pledges a maintainer to a human contributor can cryptographically delegate limited rights to an AI agent or service, with separate credentials and trust contexts that can be freely revoked if something goes wrong. researchers of Harvard Applied Social Media Lab And others are already experimenting with compatible apps that mix human and AI participants in the same credential-aware conversations, hinting at how Linux ID could tie in with future developer tooling.
Linux ID has not been deployed yet. Kroh-Hartman said the effort is still in the exploratory and prototype phase. Plan to take the discussion forward linux plumber and this kernel summit In the coming year. In the near term, kernel.org can import its existing PGP Web of Trust into the new system to ease the migration, while maintainers can begin testing tools in parallel to today’s PGP-based processes.
Also: I found the best Linux server distros for your home lab
Barbosa and others framed the work as part of the Linux Foundation’s broader effort to pioneer a decentralized trust infrastructure. In other words, this technology is not just for kernel developers. This is for any open-source community or AI-powered ecosystem facing a rapidly worsening identity and authenticity crisis.
Once deployed, future developers and code will be backed not only by a signed tag but by a rich, cryptographically verifiable story about who stands behind it. This means that Linux code will be more secure than ever.
