On 30 January 2014 21:45, Stefan Weil <[email protected]> wrote:
> On 30.01.2014 15:33, Peter Maydell wrote:
>> On 16 January 2014 17:35, Michael Tokarev <[email protected]> wrote:
>>> There's nothing exciting in there, but we have some small bugfixes here and
>>> there, and a few cosmetic changes too.
>>>
>>> This is my first signed pull request too, based on my regular GnuPG key which
>>> I use to sign Debian packages.
>>>
>>> Please pull.
>>
>> Thanks, applied. You'll see that gpg is a bit alarmist in
>> the merge commit message because we don't have a strong enough
>> web of trust between us yet (see also commit 4cddc7f44 for
>> earlier instances of that in our history).
> Never mind. Up to now, only Andreas' and Michael's signatures were
> checked by gpg, and neither of these two were trusted. :-)

We're also still accepting unsigned pull requests at the moment.
(I guess that moving to "all pull requests are signed even if the
key isn't trusted" is probably a useful step forward in getting
everybody's workflow set up right.)

> If you look for the output of "git log | grep gpg:", you'll see that in
> the remaining 68 cases, gpg did not find the public keys (which normally
> are available from public key servers).

Yes. I could have deleted mjt's untrusted key from my keyring to
produce the other error message; I didn't think that was worth the
effort :-)

The handful of people whose keys I signed after KVM Forum last year
will find the git commit message looks prettier. (I'd have made a
greater effort to sign more keys if I'd known at the time I was
going to be a committer.)

> My own signature should also be available from public key servers, and
> it is also signed by CAcert. We can exchange more information via
> private e-mail if needed for the web of trust.

If anybody wants to suggest guidelines for what we should consider a
"trusted" key [and whatever the gpg config for that would be], feel
free; otherwise since I think neither Anthony nor I are gpg gurus
we're likely to end up with "whatever gpg does by default" plus the
"only sign keys where you've seen the person and their official
photo ID" type rules from last year's keysigning.

thanks
-- PMM
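The check Stefan describes above (`git log | grep gpg:`) lumps every gpg line together. The script below, added here as an example and not part of this thread or of QEMU's own tooling, does the slightly finer sort a maintainer would want: it splits `git log --show-signature` output into commits and reports for each one whether gpg found a signature from a key it trusts, a "Good signature" from a key it knows but has no trust path to (the "alarmist" case in the merge commit), a signature whose public key it could not find, a BAD signature, or no signature at all. The log text, key IDs, names and addresses are constructed for the example; the gpg message strings are the ones gpg prints in each of those situations. The bracketed validity (`[unknown]`, `[full]`, `[ultimate]`) after "Good signature" is printed by gpg 2.x and is the quickest way to see whether a key is inside your web of trust under gpg's default trust model.

```python
"""Classify gpg results in `git log --show-signature` output, per commit.

Added example; not code from the QEMU project or this mailing-list thread.
Run it as a script to print a summary of the constructed sample log, or
feed real output with: git log --show-signature | python3 this_script.py
"""
import re
import sys
from collections import Counter

# Constructed 40-hex-char shas, as `git log` prints them (not real commits).
SHA_UNTRUSTED = "1" * 40
SHA_NOKEY = "2" * 40
SHA_TRUSTED = "3" * 40
SHA_UNSIGNED = "4" * 40

# Constructed sample log: four merge commits. Key IDs and people are placeholders.
SAMPLE_LOG = f"""\
commit {SHA_UNTRUSTED}
Merge: aaaaaaa bbbbbbb
gpg: Signature made Thu 16 Jan 2014 17:35:00 GMT using RSA key ID DEADBEEF
gpg: Good signature from "Example Maintainer <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Author: Example Committer <[email protected]>
Date:   Thu Jan 30 15:33:00 2014 +0000

    Merge remote-tracking branch 'example/tags/trivial-patches' into staging

commit {SHA_NOKEY}
Merge: ccccccc ddddddd
gpg: Signature made Wed 29 Jan 2014 10:00:00 GMT using RSA key ID CAFEF00D
gpg: Can't check signature: No public key
Author: Example Committer <[email protected]>
Date:   Wed Jan 29 10:05:00 2014 +0000

    Merge remote-tracking branch 'example/tags/other-pull' into staging

commit {SHA_TRUSTED}
Merge: eeeeeee fffffff
gpg: Signature made Tue 28 Jan 2014 09:00:00 GMT using RSA key ID 0BADF00D
gpg: Good signature from "Signed Colleague <[email protected]>" [full]
Author: Example Committer <[email protected]>
Date:   Tue Jan 28 09:10:00 2014 +0000

    Merge remote-tracking branch 'example/tags/signed-pull' into staging

commit {SHA_UNSIGNED}
Merge: 0000000 1234567
Author: Example Committer <[email protected]>
Date:   Mon Jan 27 12:00:00 2014 +0000

    Merge remote-tracking branch 'example/tags/unsigned-pull' into staging
"""

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})$", re.M)
KEY_ID_RE = re.compile(r"using (?:RSA|DSA|EDDSA|ECDSA) key(?: ID)? ([0-9A-Fa-f]+)")
VALIDITY_RE = re.compile(r"Good signature from .*\[(\w+)\]\s*$", re.M)


def split_commits(log_text):
    """Return [(sha, body), ...] in log order; body is everything up to the next commit."""
    parts = COMMIT_RE.split(log_text)  # ['', sha1, body1, sha2, body2, ...]
    return [(parts[i], parts[i + 1]) for i in range(1, len(parts), 2)]


def gpg_lines(body):
    """Only the lines gpg wrote; git prints them before the Author: line."""
    return "\n".join(l for l in body.splitlines() if l.startswith("gpg:"))


def classify(body):
    """One word per commit: trusted, untrusted, missing-key, bad, unsigned, unknown."""
    text = gpg_lines(body)
    if not text:
        return "unsigned"
    if "BAD signature" in text:
        return "bad"
    if "Can't check signature" in text:
        return "missing-key"
    if "Good signature" in text:
        # gpg adds this WARNING when the key is valid but outside the web of trust.
        if "not certified with a trusted signature" in text:
            return "untrusted"
        return "trusted"
    return "unknown"


def key_id(body):
    """Key ID from the 'Signature made ... using ... key ID X' line, or None."""
    m = KEY_ID_RE.search(gpg_lines(body))
    return m.group(1) if m else None


def validity(body):
    """Bracketed validity gpg 2.x appends to 'Good signature' (unknown/full/...), or None."""
    m = VALIDITY_RE.search(gpg_lines(body))
    return m.group(1) if m else None


def summarize(log_text):
    """Map each commit sha to its verdict."""
    return {sha: classify(body) for sha, body in split_commits(log_text)}


def counts(log_text):
    """How many commits fall into each verdict."""
    return Counter(summarize(log_text).values())


if __name__ == "__main__":
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for sha, body in split_commits(log):
        print(f"{sha[:12]}  {classify(body):<12} key={key_id(body)} validity={validity(body)}")
    print(dict(counts(log)))
```

Under gpg's default trust model a key only reaches `[full]` (or `[ultimate]` for your own) when it is signed by keys you have marked as trusted, so "trusted" here means exactly what PMM describes: a key that is inside the committer's web of trust, not merely one that is present in the keyring.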
