On 16.09.2012 08:34, Jan Steffens wrote:
On Sun, Sep 16, 2012 at 7:59 AM, Gaetan Bisson <bisson@archlinux.org> wrote:
Do we really need remote signing for the DB, given that each of us already downloads the DB when upgrading, most likely several times a day? I do not think downloading it a couple more times when pushing packages will change much. Then I see no need to trust the server: I download the current DB and its signature, check it (it's by Florian P, and of course I trust him), apply my changes, sign and upload back.
I want to avoid anything that requires me to upload the DB from my computer. Reason: http://www.speedtest.net/result/2173792066.png That would be over 7MB I would have to download and upload for every operation on the [extra] repo.
Exactly, this is not an option. Also remember that we need to lock the db during that time so nobody else can modify it. Transactions are also way harder to handle; what if the upload fails etc. So imho both remote signing and re-uploading the db files are a no go.

Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com