16 Sep 2012, 8:34 a.m.
On Sun, Sep 16, 2012 at 7:59 AM, Gaetan Bisson <bisson@archlinux.org> wrote:
Do we really need remote signing for the DB, given that each of us already downloads the DB when upgrading, most likely several times a day? I do not think downloading it a couple more times when pushing packages will change much. Then I see no need to trust the server: I download the current DB and its signature, check it (it's by Florian P, and of course I trust him), apply my changes, sign and upload back.
I want to avoid anything that requires me to upload the DB from my computer. Reason: http://www.speedtest.net/result/2173792066.png That would be over 7MB I would have to download and upload for every operation on the [extra] repo.