On 28/12/12 05:27, Magnus Therning wrote:

Do these two features play nice together?

Why wouldn't they?

I believe signatures are checked after packages are rebuilt from deltas. Therefore, if your delta is compromised, the resulting package won't validate with the signature.

On 28 December 2012 11:40, Magnus Therning magnus@therning.org wrote:

On Fri, Dec 28, 2012 at 10:31 AM, Allan McRae allan@archlinux.org wrote:

...

On 28/12/12 05:27, Magnus Therning wrote:

...

Do these two features play nice together?

Why wouldn't they?

No reason beyond that it requires extra code in pacman to make it work. It could be a thing that's easily overlooked.

/M

-- Magnus Therning OpenPGP: 0xAB4DFBA4 email: magnus@therning.org jabber: magnus@therning.org twitter: magthe http://therning.org/magnus

On 31/12/12 05:26, Magnus Therning wrote:

On Fri, Dec 28, 2012 at 10:54:14PM -0500, Sébastien Leblanc wrote:

...

I believe signatures are checked after packages are rebuilt from deltas. Therefore, if your delta is compromised, the resulting package won't validate with the signature.

Excellent. I also notice you use the word "deltas", plural, which leads me to the next question :)

Will deltas be combined by pacman, or will only ever a single delta be used?

They can be combined. pacman does a calculation to see whether the delta chain is worth it.