Hi On Wed, Jul 8, 2020 at 8:22 PM Allan McRae via arch-dev-public <arch-dev-public@archlinux.org> wrote:
On 9/7/20 1:05 pm, Anatol Pomozov wrote:
Given this information I would like to propose to stop using embedded signatures and move to detached signatures by default. This will require pacman 6.x or as alternative backport the fix(es) to 5.x branch. It will help to make system updates even faster, something that me and many other Arch users really love.
There are several steps we need to complete:
1) backport the patch (or wait for pacman-6.0, which may be a while yet). I'll leave that to the distro packagers to decide!
2) adjust repo-add to optionally add signatures.
3) make a time line that all users need to have the patched/released pacman installed - we usually require at least 6 months.
4) turn off signature inclusion in repo dbs.
It sounds great. If we go this route for pacman 6.0 then it will take about 1 year to switch to the detached signatures. As it is quite an important change I would love to see its codepath tested as much as possible before we remove the embedded signatures from pacman database files. It will help to catch issues like https://bugs.archlinux.org/task/67232. What do you think about starting to use detached signatures by default *and* having embedded signatures as a backup option for time being? i.e. pacman database will have the signatures (the same as now) but it will be ignored. Instead pacman will use the detached *.sig files. And in case if there is a major issue with this implementation then a user would be able to switch back to embedded signatures using a pacman.conf option (e.g. "UseEmbeddedSignatures"). If folks are fine with it I can implement a patch for it.