[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PULL v3 00/14] acpi, pc, pci, virtio, memory bug fixes

From: Michael S. Tsirkin
Subject: Re: [Qemu-devel] [PULL v3 00/14] acpi, pc, pci, virtio, memory bug fixes
Date: Tue, 11 Mar 2014 13:49:15 +0200

On Tue, Mar 11, 2014 at 11:32:41AM +0000, Peter Maydell wrote:
> On 11 March 2014 11:22, Michael S. Tsirkin <address@hidden> wrote:
> > BTW I still see these warnings in the logs:
> >     # gpg: WARNING: This key is not certified with a trusted signature!
> >     # gpg:          There is no indication that the signature belongs to
> >     # the
> >
> > These seem counter-productive: people get used
> > to ignoring the warnings.
> > A bunch of people verified my key at the latest KVM forum
> > so how about importing keys from contributors
> > and denying pulls where keys don't match?
> That won't help with removing the warning. What gpg
> is saying here is "I found this key in the keyring,
> and the signature checks out, but there's no chain
> of trust between the person who applied the pull
> and that key". That is, I haven't signed your key.

Okay ... would you like to sign it?
Didn't you go to the key signing party at the forum?
If yes you have all the data :)

> The other kind of warning is:
>     # gpg: Signature made Sat 08 Mar 2014 21:26:01 GMT using RSA key ID 
> 5872D723
>     # gpg: Can't check signature: public key not found
> which means "I didn't find the gpg key in the keyring".
> Genuinely mismatching signatures would be a gpg
> error rather than a mere warning, I think.
> Since we're still accepting unsigned pullrequests
> I don't think this matters too much. In either case
> if somebody really cares later they can attempt to
> establish a chain of trust between themselves and the
> submitter after the fact, I guess.

But the commit log will include the warning forever I think?

> Personally I think the next step we should take would
> be to get all the people currently submitting unsigned
> pull requests to move over to signing them.
> thanks
> -- PMM

I think this was agreed on the forum so you
can start enforcing this straight away if you wish :)


reply via email to

[Prev in Thread] Current Thread [Next in Thread]