[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PULL v3 00/14] acpi, pc, pci, virtio, memory bug fixes

From: Peter Maydell
Subject: Re: [Qemu-devel] [PULL v3 00/14] acpi, pc, pci, virtio, memory bug fixes
Date: Tue, 11 Mar 2014 12:31:28 +0000

On 11 March 2014 12:22, Michael S. Tsirkin <address@hidden> wrote:
> But a chain of trust can still be established.
> A bunch of people signed my key:
> http://pgp.mit.edu/pks/lookup?op=vindex&search=0xC3503912AFBE8E67
> maybe you trust some of these keys?

If we want to (a) collectively decide what we're going
to count as sufficient trust [eg "any three other core
developers" or whatever the usual metric is and (b)
somebody wants to tell me how to configure gpg to do
that, that's fine with me. At the moment I'm just using
gpg's out-of-the-box config, which seems to mean "only
trust keys directly signed".

> I'm just saying that it's not nice to ignore warnings as a general
> policy.  If they are benign I think it's better to find a way to
> suppress them.

The way to suppress them in this case is to (a) figure
out how much trust we want to place in indirect chains
between pull-appliers and senders and (b) have more
key signings...

-- PMM

reply via email to

[Prev in Thread] Current Thread [Next in Thread]