Wed, 22 Jul 2015 11:54:22 +1000 Allan McRae <allan@archlinux.org>:
I searched the archives, but I cannot find why we stored the package PGP signatures base64'd in the repo database rather than downloading them as needed. Signatures are responsible for ~55% of the Arch repo database size, so I am guessing there must have been a tradeoff.
Can anyone provide insight to this? It was 2008...
While I don't code anything, I've been an Archer since at least 2006 and had some time to kill, so here are some historic threads I found interesting/relevant:

https://lists.archlinux.org/pipermail/pacman-dev/2008-December/007830.html
So do we download the signature file along with the package? Or use %PGPSIG% in the db? No answer.
https://lists.archlinux.org/pipermail/pacman-dev/2010-November/012014.html "Status of package signing work"

https://lists.archlinux.org/pipermail/pacman-dev/2011-February/012410.html "pacman signing security vulnerabilities"

--byte