Hi Giancarlo

On Tue, Jul 28, 2020 at 12:35 PM Giancarlo Razzolini <grazzolini@archlinux.org> wrote:

> This could be maintained as a patch on the package, it doesn't necessarily have to be on pacman's code itself. Just so we make this transition as painless as possible to users.
Having a seamless transition to the new technology is definitely a top priority here.
> Can't we go with a different option here? Instead of an option the user sets on their end, we make pacman fall back to embedded db sigs, if there are no detached *or* if the signature check fails for some reason.
The detached signatures have been generated by the makepkg toolset for a long time. *.sig files are already in the Arch standard repository. I also looked through a dozen random repos at https://wiki.archlinux.org/index.php/Unofficial_user_repositories and all of them have *.sig files for the packages. At this point we are trying to enable detached signature handling on the client side while having a backup option to disable it. Let me know about a specific situation where detached signatures cause an issue.
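An added example, not pacman's own code, for auditing the two signature sources discussed above: it parses a sync-db `desc` entry and compares its embedded `%PGPSIG%` (assumed to hold the detached signature base64-encoded, as repo-add writes it) against the `<pkg>.sig` file next to the package, so a repo maintainer can see where the two disagree or where only one exists before relying on either. All package names and signature bytes are constructed.

```python
import base64
import tempfile
from pathlib import Path

def parse_desc(text):
    """Parse one sync-db 'desc' entry into {KEY: [values]} (keys appear as %KEY%)."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("%") and line.endswith("%"):
            key = line.strip("%")
            fields[key] = []
        elif line and key:
            fields[key].append(line)
    return fields

def check_signature_sources(desc_text, repo_dir):
    """Compare the embedded %PGPSIG% against the detached <FILENAME>.sig in repo_dir.
    Returns 'match', 'mismatch', 'no-detached', 'no-embedded' or 'none'."""
    fields = parse_desc(desc_text)
    filename = fields.get("FILENAME", [None])[0]
    embedded = fields.get("PGPSIG", [None])[0]
    sig_path = Path(repo_dir) / f"{filename}.sig" if filename else None
    detached = sig_path.read_bytes() if sig_path and sig_path.is_file() else None
    if embedded is None and detached is None:
        return "none"
    if embedded is None:
        return "no-embedded"   # only the detached file exists
    if detached is None:
        return "no-detached"   # only the db copy exists: the fallback case above
    return "match" if base64.b64decode(embedded) == detached else "mismatch"

def run_demo():
    """Build a constructed repo directory covering each case and return the verdicts."""
    repo = Path(tempfile.mkdtemp())
    sig = b"-----CONSTRUCTED-SIG-BYTES-----"  # stand-in for real OpenPGP signature bytes
    (repo / "good-1.0-1-x86_64.pkg.tar.zst.sig").write_bytes(sig)
    (repo / "bad-1.0-1-x86_64.pkg.tar.zst.sig").write_bytes(sig + b"\x00")
    (repo / "noemb-1.0-1-x86_64.pkg.tar.zst.sig").write_bytes(sig)
    b64 = base64.b64encode(sig).decode()
    def desc(name, pgpsig=None):  # constructed desc entry in the sync-db layout
        body = f"%FILENAME%\n{name}\n\n%NAME%\n{name.split('-')[0]}\n"
        return body + (f"\n%PGPSIG%\n{pgpsig}\n" if pgpsig else "")
    return {
        "consistent": check_signature_sources(desc("good-1.0-1-x86_64.pkg.tar.zst", b64), repo),
        "tampered": check_signature_sources(desc("bad-1.0-1-x86_64.pkg.tar.zst", b64), repo),
        "no-detached": check_signature_sources(desc("missing-1.0-1-x86_64.pkg.tar.zst", b64), repo),
        "no-embedded": check_signature_sources(desc("noemb-1.0-1-x86_64.pkg.tar.zst"), repo),
    }
```

Neither source is verified here against a keyring; the check only tells you whether the db copy and the detached file are the same bytes, which is the precondition for treating one as a fallback for the other.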