perhaps i missed something, but wouldn't the easiest way be to download the db.tar.gz directly from ftp.archlinux.org or another trusted server and the packages from the mirrors? something like a decentralized system.
sorry. i wasn't very explicit in my previous mail. my idea is this: first there should be 2-3 trusted servers in case one fails or is offline. on these servers there should be a db.tar.gz repository with a hold-back time of 5-10 days. the db.tar.gz files should now look like <repo>-$(date).db.tar.gz. every time a maintainer updates a package and a new db.tar.gz file is created, it goes to this db repository. when a mirror syncs, the latest <repo>-$(date).db.tar.gz is fetched.

now when a user updates his/her system, pacman checks the <repo>-$(date).db.tar.gz file on the mirror, fetches this file from the db repository of a trusted server and then downloads the packages from the mirror. pacman compares the package md5sums with the ones in the db.tar.gz file from the trusted server and proceeds as usual. so one can also see if a mirror is corrupted and change the mirror and perhaps contact the maintainer.

vlad
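The check the proposal describes, written out as an added example (not code from the list or from pacman): it reads %FILENAME% and %MD5SUM% out of the desc files in a db.tar.gz obtained from the trusted server and compares them against what the mirror actually served. The db tarball and package contents below are constructed sample data; the desc layout (one `<name>-<version>/desc` file per package with %SECTION% headers) is the one pacman's sync db uses.

```python
import hashlib
import io
import tarfile

def build_sample_db(entries):
    """Construct an in-memory <repo>.db.tar.gz for the example (constructed data).
    entries: (name, version, package_bytes) triples; the md5 of the bytes is recorded
    as the trusted %MD5SUM%, exactly as the real db does for the real package file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, ver, blob in entries:
            filename = f"{name}-{ver}-i686.pkg.tar.gz"
            desc = (f"%FILENAME%\n{filename}\n\n%NAME%\n{name}\n\n%VERSION%\n{ver}\n\n"
                    f"%MD5SUM%\n{hashlib.md5(blob).hexdigest()}\n\n").encode()
            info = tarfile.TarInfo(f"{name}-{ver}/desc")
            info.size = len(desc)
            tar.addfile(info, io.BytesIO(desc))
    return buf.getvalue()

def parse_desc(text):
    """Parse the %SECTION%-header format: a header line, then one value per line."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("%") and line.endswith("%"):
            key = line.strip("%")
            fields[key] = []
        elif line and key:
            fields[key].append(line)
    return {k: v[0] if len(v) == 1 else v for k, v in fields.items()}

def load_trusted_sums(db_bytes):
    """Map package filename -> md5 from every desc file in the trusted db.tar.gz."""
    sums = {}
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("/desc"):
                d = parse_desc(tar.extractfile(member).read().decode())
                sums[d["FILENAME"]] = d["MD5SUM"]
    return sums

def verify_mirror_package(filename, pkg_bytes, trusted_sums):
    """'ok' if the mirror's file hashes to the trusted value, 'mismatch' if not,
    'unknown' if the trusted db never listed that filename at all."""
    expected = trusted_sums.get(filename)
    if expected is None:
        return "unknown"
    return "ok" if hashlib.md5(pkg_bytes).hexdigest() == expected else "mismatch"

def audit_mirror(mirror_files, trusted_sums):
    """Return every file a mirror served that did not verify; non-empty means
    the mirror is stale or corrupted and should be switched, as the mail suggests."""
    return {f: verify_mirror_package(f, b, trusted_sums)
            for f, b in mirror_files.items()
            if verify_mirror_package(f, b, trusted_sums) != "ok"}
```

A mismatch here only tells you the mirror's copy differs from the trusted db; md5 (the hash the proposal and the db of the time used) catches corruption and stale files but is not collision resistant, so a tampered mirror needs a stronger hash or a signature on the db itself.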