I have now split this patch into much smaller segments - it is much easier for me to review like this. I have also done some shuffling of where the code is and some variable/function renaming. For example, I moved a lot of the base sandbox functions/callbacks/etc into libalpm/sandbox.{h,c} and named them appropriately, as these should be used in the future to (e.g.) sandbox GPG operations. https://gitlab.archlinux.org/pacman/pacman/-/commits/allan/privsep There were some random changes to progress bar code in the original patch. These probably are needed to prevent the assertions I am getting in testing! Buy if you run with --debug or --noprogressbar, things appear to work! allan@mando /var/lib/pacman $ ls -l /var/lib/pacman/sync/ total 49476 -rw-r--r-- 1 root root 7544407 Nov 8 18:15 community.db -rw-r--r-- 1 alpm alpm 29240777 Nov 9 10:49 community.files -rw-r--r-- 1 root root 162479 Nov 8 08:20 core.db -rw-r--r-- 1 alpm alpm 1042583 Nov 9 09:39 core.files -rw-r--r-- 1 root root 1804717 Nov 8 17:56 extra.db -rw-r--r-- 1 alpm alpm 10861206 Nov 9 09:32 extra.files @Remi: can you check these and make sure you agree with the changes I made. You are listed as the author so all blame will head back to you :D @Andrew (or anyone): the main patch I'd like another set of eyes on is: "Add sandboxed download for the internal downloader". Cheers, Allan