On 19/06/10 14:18, Denis A. Altoé Falqueto wrote:
On Sat, Jun 19, 2010 at 12:08 AM, Allan McRae<allan@archlinux.org> wrote:
On 19/06/10 03:45, Denis A. Altoé Falqueto wrote: The signatures are currently placed in the repo-db. So only the repo db needs to be downloaded and not individual signatures. If an attacker deletes the repo database and its signature, that is probably the least of our issues... There will be many copies of a recent signed database that we can recover all the signatures from.
Hmm, I see. And it is a good idea, indeed.
But I've tested two packages (go-openoffice, 130M, and libxfontcache, 8K) to see how this will affect the final size of the database. The size of the signatures was 543 bytes each. So the size of the package will not affect the size of the signatures. What could affect it is the key used, given the hash algorithm is the same. My current key is 2024 bits long. The table below summarizes the expected increase for each repository:
Maybe that is acceptable, maybe not. Thinking about it a little, I would not be very happy about having to download almost the same signatures (the ones that didn't change) every time I run pacman -Sy.
It looks like you just took 543 bytes and multiplied it by the number of packages. Can we have compressed numbers? You could test this by making a repo db out of all the packages in your pacman cache using the current repo-add. Then sign all those packages and make a repo db with all those signatures using the gpg branch repo-add. With the next pacman major release, we can switch to .xz compression for the database which gives us a 30% size decrease to work with.

Allan
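The measurement Allan asks for (compressed size of a repo db with and without per-package signatures, under both the current gzip and the proposed xz compression) can be reproduced offline without a pacman cache or a gpg key. The script below is an added example, not code from this thread or from pacman/repo-add: it builds a constructed tar database of 100 packages with a realistic `desc` text entry each, optionally adds a 543-byte `pgpsig` entry per package filled with seeded pseudo-random bytes (a stand-in for a detached signature in size and entropy only; real signatures are not random but are equally incompressible), and reports the per-package overhead after compression. The `desc` layout, package names and the `pgpsig` file name are assumptions for the example.

```python
import io
import random
import tarfile

SIG_BYTES = 543   # size of one signature as measured by Denis in the thread
PKG_COUNT = 100   # size of the constructed repository
FIXED_MTIME = 1276880000  # constant mtime keeps the tar output deterministic


def constructed_desc(i: int) -> bytes:
    """A plausible repo-db 'desc' entry for constructed package number i."""
    return (
        f"%FILENAME%\npkg{i:04d}-1.0-1-x86_64.pkg.tar.xz\n\n"
        f"%NAME%\npkg{i:04d}\n\n%VERSION%\n1.0-1\n\n"
        f"%DESC%\nConstructed package number {i} for size measurement\n\n"
        f"%CSIZE%\n{1000 + i}\n\n%ISIZE%\n{4000 + i}\n\n"
        f"%MD5SUM%\n{(i * 2654435761) % (1 << 128):032x}\n\n"
        f"%ARCH%\nx86_64\n\n%BUILDDATE%\n{FIXED_MTIME}\n\n%PACKAGER%\nconstructed\n\n"
    ).encode()


def constructed_signature(rng: random.Random) -> bytes:
    """Stand-in for a detached signature: SIG_BYTES of high-entropy data."""
    return bytes(rng.getrandbits(8) for _ in range(SIG_BYTES))


def _add(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mtime = FIXED_MTIME
    tar.addfile(info, io.BytesIO(data))


def build_db(with_sigs: bool, compression: str,
             pkg_count: int = PKG_COUNT, seed: int = 1) -> int:
    """Build an in-memory repo db ('gz' or 'xz') and return its compressed size."""
    rng = random.Random(seed)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:" + compression) as tar:
        for i in range(pkg_count):
            _add(tar, f"pkg{i:04d}-1.0-1/desc", constructed_desc(i))
            if with_sigs:
                _add(tar, f"pkg{i:04d}-1.0-1/pgpsig", constructed_signature(rng))
    return len(buf.getvalue())


def signature_overhead(compression: str, pkg_count: int = PKG_COUNT) -> float:
    """Compressed bytes added per package by storing its signature in the db."""
    plain = build_db(False, compression, pkg_count)
    signed = build_db(True, compression, pkg_count)
    return (signed - plain) / pkg_count


def report() -> dict:
    """Sizes for every combination, plus the naive 543 * N estimate for comparison."""
    rows = {}
    for comp in ("gz", "xz"):
        rows[comp] = {
            "without_sigs": build_db(False, comp),
            "with_sigs": build_db(True, comp),
            "per_pkg_overhead": signature_overhead(comp),
        }
    rows["naive_estimate_total"] = SIG_BYTES * PKG_COUNT
    return rows


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

The point the numbers make is that the `desc` text compresses very well under both algorithms (so xz's advantage shows up there), while the signature bytes do not compress at all, so the per-package cost of carrying signatures in the db stays close to the raw 543 bytes whichever compression is used; only the small tar header for the extra entry is recovered. Substituting real `.sig` files for the constructed blobs gives the same picture, since a signature is indistinguishable from random data to a compressor.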