A review of the kernel's release-signing practices

At the behest of the Linux Foundation, a security-oriented review of the
kernel project's release-signing and key-management practices was done; the
report from this work has now been published.

This review
resulted in seven recommendations that can help improve the robustness of
the security and use of the signing keys for the Linux
Kernel. Additionally, Trail of Bits suggested that more comprehensive and
up to date documentation on the current procedures and policies are needed
to help organizations around the world to best understand the current
stratagem.

See the
full report for the details.