Hi; for a while now we've been slowly switching over to signed pull requests for merging code into qemu master. The current situation is that we would prefer signed tagged pull requests but are still accepting old ones, and many submaintainers are now using signed requests routinely. I'd like to move that forward a notch by strongly encouraging those of you still submitting old style pull requests to start using gpg signed requests instead. (I've cc'd people who've recently sent me a non-signed pull request.)
This isn't a huge difference from existing workflow; you need to create a gpg key if you don't already have one, and then use "git tag -s" to create a signed tag for the commits you want merged, and then use the tagname in the 'git request-pull' command instead of the branchname. https://www.kernel.org/pub/software/scm/git/docs/howto/using-signed-tag-in-pull-request.html has a reasonable summary. Feel free to ask for advice if you're having difficulty figuring out if you're doing it right. There's no obligation yet for me to have signed your key or have a trust path to it (and I appreciate that it's geographically or logistically tricky in some cases). However I would in general like to do so where possible. I expect that we'll organise a key-signing party at KVM Forum again (Dusseldorf, Oct 14-16). I'm also going to be at Linaro Connect (Sep 15-19, Burlingame, California) so if any submaintainers are too then drop me a mail. thanks -- PMM
