From: "Michael S. Tsirkin"
Date: Tue, 11 Mar 2014 13:49:15 +0200
Message-ID: <20140311114915.GA30708@redhat.com>
References: <1394392713-31471-1-git-send-email-mst@redhat.com> <20140310190515.GA16291@redhat.com> <20140311112242.GA17666@redhat.com>
Subject: Re: [Qemu-devel] [PULL v3 00/14] acpi, pc, pci, virtio, memory bug fixes
To: Peter Maydell
Cc: QEMU Developers, Anthony Liguori

On Tue, Mar 11, 2014 at 11:32:41AM +0000, Peter Maydell wrote:
> On 11 March 2014 11:22, Michael S. Tsirkin wrote:
> > BTW I still see these warnings in the logs:
> > # gpg: WARNING: This key is not certified with a trusted signature!
> > # gpg: There is no indication that the signature belongs to
> > # the
> >
> > These seem counter-productive: people get used
> > to ignoring the warnings.
> > A bunch of people verified my key at the latest KVM forum
> > so how about importing keys from contributors
> > and denying pulls where keys don't match?
>
> That won't help with removing the warning. What gpg
> is saying here is "I found this key in the keyring,
> and the signature checks out, but there's no chain
> of trust between the person who applied the pull
> and that key". That is, I haven't signed your key.

Okay ... would you like to sign it?
Didn't you go to the key signing party at the forum?
If yes you have all the data :)

> The other kind of warning is:
> # gpg: Signature made Sat 08 Mar 2014 21:26:01 GMT using RSA key ID 5872D723
> # gpg: Can't check signature: public key not found
>
> which means "I didn't find the gpg key in the keyring".
>
> Genuinely mismatching signatures would be a gpg
> error rather than a mere warning, I think.
>
> Since we're still accepting unsigned pullrequests
> I don't think this matters too much. In either case
> if somebody really cares later they can attempt to
> establish a chain of trust between themselves and the
> submitter after the fact, I guess.

But the commit log will include the warning forever I think?

> Personally I think the next step we should take would
> be to get all the people currently submitting unsigned
> pull requests to move over to signing them.
>
> thanks
> -- PMM

I think this was agreed on the forum so you can start
enforcing this straight away if you wish :)

-- 
MST
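
The three gpg outcomes distinguished in this message (a valid signature from a key with no trust path, a public key that is not in the keyring, and a genuinely bad signature) can be told apart mechanically from gpg's `--status-fd` output instead of from the human-readable warnings. The following is an added example, not part of the original email or of QEMU's tooling; the sample status lines, the key IDs and the `accept_pull` policy are constructed assumptions.

```python
# Added example. Every status line below is a constructed sample; the key IDs
# and names are placeholders, not values from the thread.
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
DEAD_KEY = {"EXPKEYSIG", "REVKEYSIG", "EXPSIG"}

def classify(status_text):
    """Map gpg --status-fd output to one verdict string."""
    seen = set()
    for line in status_text.splitlines():
        # Machine-readable lines have the form "[GNUPG:] KEYWORD args..."
        if line.startswith("[GNUPG:] "):
            fields = line.split()
            if len(fields) >= 2:
                seen.add(fields[1])
    # Failures are checked first so they can never be masked by other lines.
    if "BADSIG" in seen:
        return "bad-signature"      # data does not match the signature
    if seen & DEAD_KEY:
        return "expired-or-revoked"
    if "NO_PUBKEY" in seen:
        return "missing-key"        # "public key not found"
    if "ERRSIG" in seen:
        return "unverifiable"       # e.g. unsupported algorithm
    if "GOODSIG" in seen:
        # Valid signature; trust depends on the verifier's own web of trust.
        return "trusted" if seen & TRUSTED else "untrusted-key"
    return "unsigned"

def accept_pull(verdict, require_trust_path=False):
    """Hypothetical merge policy: signed pulls only, trust path optional."""
    if verdict == "trusted":
        return True
    return verdict == "untrusted-key" and not require_trust_path

UNTRUSTED_SAMPLE = """\
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Submitter <submitter@example.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
MISSING_SAMPLE = """\
[GNUPG:] ERRSIG BBBBBBBBBBBBBBBB 1 2 00 1394313961 9
[GNUPG:] NO_PUBKEY BBBBBBBBBBBBBBBB
"""
BAD_SAMPLE = "[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Constructed Submitter\n"

if __name__ == "__main__":
    for name, text in [("untrusted", UNTRUSTED_SAMPLE), ("missing", MISSING_SAMPLE),
                       ("bad", BAD_SAMPLE), ("unsigned", "")]:
        verdict = classify(text)
        print(name, verdict, accept_pull(verdict))
```

With `require_trust_path=False` the policy accepts any cryptographically valid signature from a key already in the keyring, which is the "import contributor keys and deny mismatches" proposal; setting it to `True` additionally requires the signing key to be trusted by the person applying the pull.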