Re: [Qemu-devel] [PULL v3 00/14] acpi, pc, pci, virtio, memory bug fixes

[Michael S. Tsirkin]

On Tue, Mar 11, 2014 at 11:32:41AM +0000, Peter Maydell wrote:
> On 11 March 2014 11:22, Michael S. Tsirkin <address@hidden> wrote:
> > BTW I still see these warnings in the logs:
> >     # gpg: WARNING: This key is not certified with a trusted signature!
> >     # gpg:          There is no indication that the signature belongs to
> >     # the
> >
> > These seem counter-productive: people get used
> > to ignoring the warnings.
> > A bunch of people verified my key at the latest KVM forum
> > so how about importing keys from contributors
> > and denying pulls where keys don't match?
> 
> That won't help with removing the warning. What gpg
> is saying here is "I found this key in the keyring,
> and the signature checks out, but there's no chain
> of trust between the person who applied the pull
> and that key". That is, I haven't signed your key.

Okay ... would you like to sign it?
Didn't you go to the key signing party at the forum?
If yes you have all the data :)

> The other kind of warning is:
>     # gpg: Signature made Sat 08 Mar 2014 21:26:01 GMT using RSA key ID 
> 5872D723
>     # gpg: Can't check signature: public key not found
> 
> which means "I didn't find the gpg key in the keyring".
> 
> Genuinely mismatching signatures would be a gpg
> error rather than a mere warning, I think.
> 
> Since we're still accepting unsigned pullrequests
> I don't think this matters too much. In either case
> if somebody really cares later they can attempt to
> establish a chain of trust between themselves and the
> submitter after the fact, I guess.

But the commit log will include the warning forever I think?

> Personally I think the next step we should take would
> be to get all the people currently submitting unsigned
> pull requests to move over to signing them.
> 
> thanks
> -- PMM

I think this was agreed on the forum so you
can start enforcing this straight away if you wish :)

-- 
MST