qemu-devel

Re: [Qemu-devel] Signed pull requests (was: Re: [PULL 00/11] Trivial pat


From: Peter Maydell
Subject: Re: [Qemu-devel] Signed pull requests (was: Re: [PULL 00/11] Trivial patches for 2014-01-16)
Date: Thu, 30 Jan 2014 22:01:33 +0000

On 30 January 2014 21:45, Stefan Weil <address@hidden> wrote:
> On 30.01.2014 at 15:33, Peter Maydell wrote:
>> On 16 January 2014 17:35, Michael Tokarev <address@hidden> wrote:
>>> There's nothing exciting in there, but we have some small bugfixes here and
>>> there, and a few cosmetic changes too.
>>>
>>> This is my first signed pull request too, based on my regular GnuPG key which
>>> I use to sign Debian packages.
>>>
>>> Please pull.
>> Thanks, applied. You'll see that gpg is a bit alarmist in
>> the merge commit message because we don't have a strong enough
>> web of trust between us yet (see also commit 4cddc7f44 for
>> earlier instances of that in our history).

> Never mind. Up to now, only Andreas' and Michael's signatures were
> checked by gpg, and neither of these two were trusted. :-)

We're also still accepting unsigned pull requests at the moment.
(I guess that moving to "all pull requests are signed even if the
key isn't trusted" is probably a useful step forward in getting
everybody's workflow set up right.)

> If you look for the output of "git log | grep gpg:", you'll see that in
> the remaining 68 cases, gpg did not find the public keys (which normally
> are available from public key servers).

Yes. I could have deleted mjt's untrusted key from my keyring
to produce the other error message; I didn't think that was worth
the effort :-)

The handful of people whose keys I signed after KVM Forum
last year will find the git commit message looks prettier.
(I'd have made a greater effort to sign more keys if I'd known
at the time I was going to be a committer.)

> My own signature should also be available from public key servers, and
> it is also signed by CAcert. We can exchange more information via
> private e-mail if needed for the web of trust.

If anybody wants to suggest guidelines for what we should
consider a "trusted" key [and whatever the gpg config for
that would be], feel free; otherwise since I think
neither Anthony nor I are gpg gurus we're likely to end up
with "whatever gpg does by default" plus the "only sign
keys where you've seen the person and their official photo
ID" type rules from last year's keysigning.

thanks
-- PMM
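
Added example, not part of the original message: a shell function that takes the `git log | grep gpg:` check quoted above one step further by grouping the recorded gpg lines per commit and counting each verification outcome. The sample log, names and commit ids are constructed, and it assumes gpg's output was kept in the merge commit messages as the thread describes.

```shell
#!/bin/sh
# Added example: tally gpg verdicts recorded in commit messages (stdin = `git log` text).
# On a real checkout: git log --merges | classify_gpg_log
classify_gpg_log() {
    awk '
        function tally() {
            # A merge with no recorded gpg output is counted as an unsigned pull.
            if (!seen) { if (merge) unsigned++; return }
            if (bad)                    n_bad++
            else if (nokey)             n_nokey++
            else if (good && untrusted) n_untrusted++
            else if (good)              n_trusted++
        }
        /^commit [0-9a-f]+/ { tally(); seen = good = untrusted = nokey = bad = merge = 0; next }
        /^Merge: /                   { merge = 1 }
        /gpg: /                      { seen = 1 }
        /gpg: Good signature from/   { good = 1 }
        /gpg: WARNING: This key is not certified with a trusted signature/ { untrusted = 1 }
        /gpg: Can.t check signature/ { nokey = 1 }
        /gpg: BAD signature/         { bad = 1 }
        END {
            tally()
            printf "trusted=%d untrusted=%d nokey=%d bad=%d unsigned=%d\n",
                   n_trusted, n_untrusted, n_nokey, n_bad, unsigned
        }
    '
}

# Constructed sample input: four merges, one per outcome discussed in the thread.
sample_log() {
    cat <<'EOF'
commit 1111111111111111111111111111111111111111
Merge: aaaaaaa bbbbbbb
    Merge remote-tracking branch 'one/tags/pull-1' into staging
    # gpg: Good signature from "Contributor One <one@example.org>"
    # gpg: WARNING: This key is not certified with a trusted signature!
commit 2222222222222222222222222222222222222222
Merge: bbbbbbb ccccccc
    # gpg: Can't check signature: public key not found
commit 3333333333333333333333333333333333333333
Merge: ccccccc ddddddd
    # gpg: Good signature from "Contributor Three <three@example.org>"
commit 4444444444444444444444444444444444444444
Merge: ddddddd eeeeeee
    Merge remote-tracking branch 'four/pull-4' into staging
EOF
}

sample_log | classify_gpg_log
```

The counts reflect the keyring and trust settings of whoever performed each merge at the time, not a fresh verification.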


