Hi guys. One more of those long boring emails... sorry.

See this situation: let's say we sign packages and the repo.db, and the signatures are all detached, in the same directory as their corresponding files. If some cracker breaks into the machine and deletes the signatures, pacman will not be able to know whether the packages and repo.db were signed or not. So, it would be necessary to have some way to indicate whether a repository is signed or not, and this information must be kept in such a way that an intruder can't change it.

Another factor to consider is that the signature verification should be optional for each system. I mean, if a user doesn't care about signatures, he should be able to say "pacman, I couldn't care less about signatures, please".

So, I believe that the best place for such information should be the pacman.conf file, in each repository section. Maybe one cares about signatures in one repository but not in another. And we would spread the attack surface over the entire user base, instead of concentrating it only on the server or mirrors.

For the repository update, it would be like this:

1. for each repository
   1.1. download the repo.db
   1.2. if it is signed
        1.2.1. download the signature
        1.2.2. check the signature
   1.3. extract the db to its right place, as today

For the package verification, it would be like this:

1. download the package
2. if the signature is enabled for the repository
   2.1. if the package is signed (this information must come from repo.db)
        2.1.1. download the signature for the package
        2.1.2. check the signature

For installation of local packages, I am not very worried about signatures. It could be optional, indicated via a parameter.

Well, I think that to store the new information, we'll have to break the ABI, won't we? Sorry to say this just a few days after the new release... Maybe we could have put in some new fields for future use.

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?
------------------------------------------- Denis A. Altoe Falqueto -------------------------------------------
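The two procedures proposed in the mail (repository update, then package verification) and the threat they are meant to catch (an intruder deleting detached signatures on a mirror), as an added example that is not pacman code and not from the author. The mirror is an in-memory dict constructed here; the per-repository config key VerifySignatures, the one-line-per-package db layout and the HMAC-based stand-in for a detached signature check (where a real client would run gpg --verify on the .sig file) are all assumptions of this example. The decision logic is the point: the "is this repository signed" fact lives in pacman.conf on the client, so a missing .sig is treated as a failure, and the "is this package signed" fact comes from a repo.db that has itself been verified, so an intruder cannot quietly flip it.

```python
import hashlib
import hmac

# Stand-in for a detached signature: an HMAC over the file bytes with a demo key.
# A real client would run gpg --verify on the .sig; this keeps the example offline.
DEMO_KEY = b"constructed-demo-signing-key"


def make_sig(data: bytes) -> bytes:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).hexdigest().encode()


def sig_ok(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(make_sig(data), sig)


class VerifyError(Exception):
    """A required signature is missing or does not verify."""


def parse_conf(text: str) -> dict:
    """Minimal pacman.conf-style parser -> {repo: {"verify": bool}}.
    The per-repository key name VerifySignatures is an assumption of this example."""
    repos, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            repos[current] = {"verify": False}        # default: do not verify
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "VerifySignatures":
                repos[current]["verify"] = value.lower() in ("yes", "true", "1")
    return repos


def parse_db(db: bytes) -> dict:
    """Constructed db layout: one line per package, 'name filename signed=yes|no'."""
    entries = {}
    for line in db.decode().splitlines():
        name, filename, signed = line.split()
        entries[name] = {"file": filename, "signed": signed == "signed=yes"}
    return entries


def fetch(mirror: dict, name: str) -> bytes:
    if name not in mirror:
        raise FileNotFoundError(name)
    return mirror[name]


def require_sig(mirror: dict, name: str, data: bytes) -> None:
    """When a signature is required, a missing .sig is as fatal as a bad one."""
    try:
        sig = fetch(mirror, name + ".sig")
    except FileNotFoundError:
        raise VerifyError(f"{name}: signature required but .sig missing") from None
    if not sig_ok(data, sig):
        raise VerifyError(f"{name}: signature does not verify")


def update_repo(mirror: dict, repo: str, conf: dict) -> dict:
    """Repository update: download repo.db, verify it if pacman.conf says the repo is signed."""
    db = fetch(mirror, f"{repo}.db")
    if conf[repo]["verify"]:
        require_sig(mirror, f"{repo}.db", db)
    return parse_db(db)


def fetch_package(mirror: dict, repo: str, pkg: str, entries: dict, conf: dict) -> bytes:
    """Package verification: the 'signed' flag comes from the already-verified repo.db."""
    entry = entries[pkg]
    data = fetch(mirror, entry["file"])
    if conf[repo]["verify"] and entry["signed"]:
        require_sig(mirror, entry["file"], data)
    return data


CONF = """
[core]            # signatures enforced on this repository
VerifySignatures = yes
[extra]           # this user opted out for this repository
VerifySignatures = no
"""


def build_mirror() -> dict:
    """Constructed mirror contents: a db, two packages, detached signatures beside them."""
    db = b"foo foo-1.0.pkg.tar.xz signed=yes\nbar bar-2.0.pkg.tar.xz signed=no\n"
    foo, bar = b"constructed bytes of foo-1.0", b"constructed bytes of bar-2.0"
    m = {"core.db": db, "extra.db": db, "foo-1.0.pkg.tar.xz": foo, "bar-2.0.pkg.tar.xz": bar}
    m["core.db.sig"] = make_sig(db)
    m["foo-1.0.pkg.tar.xz.sig"] = make_sig(foo)
    return m


def outcome(fn) -> str:
    try:
        fn()
        return "ok"
    except VerifyError as exc:
        return "rejected: " + str(exc)


def run_scenarios() -> dict:
    conf = parse_conf(CONF)
    r = {}
    m = build_mirror()                      # intact mirror: everything verifies
    r["intact"] = outcome(lambda: fetch_package(m, "core", "foo", update_repo(m, "core", conf), conf))
    m = build_mirror(); del m["core.db.sig"]                 # db signature deleted
    r["db_sig_deleted"] = outcome(lambda: update_repo(m, "core", conf))
    m = build_mirror(); del m["foo-1.0.pkg.tar.xz.sig"]      # package signature deleted
    r["pkg_sig_deleted"] = outcome(lambda: fetch_package(m, "core", "foo", update_repo(m, "core", conf), conf))
    m = build_mirror(); del m["foo-1.0.pkg.tar.xz.sig"]      # db edited to say foo is unsigned
    m["core.db"] = m["core.db"].replace(b"signed=yes", b"signed=no", 1)
    r["db_tampered"] = outcome(lambda: update_repo(m, "core", conf))
    m = build_mirror()                      # bar is legitimately unsigned in a verified db
    r["unsigned_pkg"] = outcome(lambda: fetch_package(m, "core", "bar", update_repo(m, "core", conf), conf))
    m = build_mirror()                      # [extra] has verification off: no .sig needed
    r["verify_off"] = outcome(lambda: fetch_package(m, "extra", "foo", update_repo(m, "extra", conf), conf))
    return r


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:16} {result}")
```

The "db_tampered" scenario is the one the mail is really about: once repo.db is signed and the client knows from its own pacman.conf that it must be, an intruder who rewrites the db to mark a package unsigned and deletes that package's signature only manages to break the db signature, so nothing downstream of it is trusted.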