Linus Torvalds writes: (Summary)
- I can just check the code
- even if you never get your key signed by anybody else, it's still a sort of "identity" in the sense of me getting the pull requests from the same person (or key controlling group)
- you probably *will* get your key signed by somebody else later, and it's all good, and that will show even in the commits before you got the signing done.
It's not like we require that people send emailed patches with pgp signing either.
So I require keys for pull requests even if I can't see the full chain of trust simply because of those two last issues: it's still an identity, and one that I expect will eventually be signed.