On 11 March 2014 12:22, Michael S. Tsirkin <m...@redhat.com> wrote:
> But a chain of trust can still be established.
> A bunch of people signed my key:
> http://pgp.mit.edu/pks/lookup?op=vindex&search=0xC3503912AFBE8E67
> maybe you trust some of these keys?
If we want to (a) collectively decide what we're going to count as
sufficient trust [eg "any three other core developers" or whatever
the usual metric is] and (b) somebody wants to tell me how to
configure gpg to do that, that's fine with me. At the moment I'm just
using gpg's out-of-the-box config, which seems to mean "only trust
keys directly signed".

> I'm just saying that it's not nice to ignore warnings as a general
> policy. If they are benign I think it's better to find a way to
> suppress them.

The way to suppress them in this case is to (a) figure out how much
trust we want to place in indirect chains between pull-appliers and
senders and (b) have more key signings...

thanks
-- PMM
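As an added example (not code from this thread or from GnuPG), a small Python model of how gpg's web-of-trust validity computation would apply the "any three other core developers" policy discussed above; the parameters mirror the gpg.conf options marginals-needed, completes-needed and max-cert-depth, and all key names, ownertrust levels and signatures are constructed.

```python
# Simplified model of gpg's default "pgp" trust model (the web of trust).
# Added example, not code from this thread or from GnuPG; key names and
# signatures below are constructed. "Any three other core developers" maps
# onto gpg.conf marginals-needed 3 / completes-needed 1 / max-cert-depth 5,
# plus marginal ownertrust on each core developer's key (--edit-key, trust).

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def compute_validity(ownertrust, signatures, marginals_needed=3,
                     completes_needed=1, max_cert_depth=5):
    """Return {key: FULL | MARGINAL | UNKNOWN}.  ownertrust: {key: level};
    signatures: {signed_key: {signer, ...}}.  A signature counts only if the
    signer's key is itself fully valid, has ownertrust, and lies within
    max_cert_depth hops of an ultimately trusted key (as gpg does it)."""
    keys = set(ownertrust) | set(signatures) | {s for v in signatures.values() for s in v}
    validity = {k: UNKNOWN for k in keys}
    depth = {}                                   # hops from an ultimate key
    for key, trust in ownertrust.items():
        if trust == ULTIMATE:                    # your own key(s)
            validity[key], depth[key] = FULL, 0
    changed = True
    while changed:                               # propagate to a fixpoint
        changed = False
        for key, signers in signatures.items():
            if validity[key] == FULL:
                continue
            full = marginal = 0
            via = []                             # depths of counted signers
            for s in signers:
                if validity.get(s) != FULL or depth[s] >= max_cert_depth:
                    continue
                trust = ownertrust.get(s, UNKNOWN)
                if trust in (ULTIMATE, FULL):
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
                else:
                    continue                     # signer nobody vouches for
                via.append(depth[s] + 1)
            if full >= completes_needed or marginal >= marginals_needed:
                validity[key], depth[key], changed = FULL, min(via), True
            elif (full or marginal) and validity[key] == UNKNOWN:
                validity[key], changed = MARGINAL, True
    return validity


# Constructed keyring: "me" signed four core devs; three signed "mst".
OWNERTRUST = {"me": ULTIMATE, "alice": MARGINAL, "bob": MARGINAL,
              "carol": MARGINAL, "dave": MARGINAL}
SIGNATURES = {"alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
              "mst": {"alice", "bob", "carol"}, "onesig": {"dave"},
              "stranger": set()}
```

Run it with OWNERTRUST reduced to just the ultimate key and "mst" drops back to unknown: extra signatures only help once ownertrust has been assigned to the signing keys, which is the part of step (a) that gpg cannot guess.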