On Tue, Mar 11, 2014 at 12:09:40PM +0000, Peter Maydell wrote:
> On 11 March 2014 11:49, Michael S. Tsirkin <m...@redhat.com> wrote:
> > On Tue, Mar 11, 2014 at 11:32:41AM +0000, Peter Maydell wrote:
> >> That won't help with removing the warning. What gpg
> >> is saying here is "I found this key in the keyring,
> >> and the signature checks out, but there's no chain
> >> of trust between the person who applied the pull
> >> and that key". That is, I haven't signed your key.
> >
> > Okay ... would you like to sign it?
> > Didn't you go to the key signing party at the forum?
> > If yes you have all the data :)
> 
> At the forum I only signed keys where the other
> person had been sufficiently organised to get their
> key onto the pre-printed list Anthony sent out and
> were clearly following the instructions. (Basically
> I wasn't expecting to be applying other people's
> pull requests at that time so it seemed sufficient
> to do a mutual signing with a reasonable number of
> developers.) I can't remember why I put a cross next to
> your name at this point, but obviously I can't sign
> your key now if I didn't choose to do so then; that
> would be breaking the whole point of doing in person
> checks.

I was on the list so not sure why, oh well.
But a chain of trust can still be established.
A bunch of people signed my key:
http://pgp.mit.edu/pks/lookup?op=vindex&search=0xC3503912AFBE8E67
maybe you trust some of these keys?

> > But the commit log will include the warning forever I think?
> 
> True, but does that matter?
> 
> thanks
> -- PMM

I'm just saying that it's not nice to ignore warnings as a general
policy.  If they are benign I think it's better to find a way to
suppress them.

-- 
MST
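
The chain-of-trust check discussed in this thread, as an added example that is not part of the original messages and is not GnuPG's own code: a simplified model of GnuPG's classic trust model with its default thresholds (one fully trusted or three marginally trusted signers, at most five steps). The key names, signatures and ownertrust values are constructed assumptions.

```python
# Simplified model of the classic web-of-trust validity rule (not GnuPG code).
# Assumed defaults: 1 fully trusted or 3 marginally trusted signers, depth <= 5.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5

# Constructed sample: (signer, signed) key certifications.
SIGS = {
    ("PULLER", "DEV_A"),      # the person applying the pull signed DEV_A's key
    ("DEV_A", "SUBMITTER"),   # DEV_A signed the submitter's key
    ("DEV_B", "SUBMITTER"),   # DEV_B did too, but nothing links PULLER to DEV_B
}


def valid_keys(own_key, signatures, ownertrust):
    """Return {key: depth} for every key the verifier considers valid.

    ownertrust maps a key to "full" or "marginal": how far the verifier
    trusts that key's owner to check identities before signing.
    """
    valid = {own_key: 0}  # the verifier's own key is ultimately trusted
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly_valid = {}
        candidates = {signed for _, signed in signatures} - set(valid)
        for key in candidates:
            full = marginal = 0
            for signer, signed in signatures:
                # Only signatures made by already-valid keys count.
                if signed != key or signer not in valid:
                    continue
                if signer == own_key or ownertrust.get(signer) == "full":
                    full += 1
                elif ownertrust.get(signer) == "marginal":
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid[key] = depth
        if not newly_valid:
            break
        valid.update(newly_valid)
    return valid


if __name__ == "__main__":
    for trust in ({}, {"DEV_A": "marginal"}, {"DEV_A": "full"}):
        ok = "SUBMITTER" in valid_keys("PULLER", SIGS, trust)
        print(trust, "-> submitter key valid:", ok)
```

With no ownertrust assigned, the submitter's signature still verifies but the key stays outside the valid set, which is the situation the warning reports.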
