On 19/02/11 15:18, Daniel Mendler wrote:
> The mail by IgnorantGuru is very much what I was going to write. There is no problem in adding signatures to the Arch repositories immediately.
> You always say that pacman is not the same as Arch. This might be true, but which major distribution uses pacman? We should not argue about those subtle differences.
> I pulled the main pacman branch, merged Allan's gpg-patches and created a signed repository - everything worked fine (except, for example, overwriting the db with an unverified one before verifying - I can provide patches for this in one week). You always say that you need patches, but what exactly? You seem to have a working implementation but you don't integrate these into master. Instead you work on minor performance issues (single file database, for example) even though we have a very serious security problem.

I will repeat myself again... Patches for pacman do bugger all for getting signatures into Arch Linux repos. Patches for the Arch Linux devtools/db-scripts packages are needed.

And I will once again point to the package signing TODO page for a list of what we need to do at a minimum before this becomes integrated in the main pacman branch:
https://wiki.archlinux.org/index.php/User:Allan/Package_Signing

As with all feature branches, they are integrated into master when they are finished. Otherwise we cannot make a release without actually getting it fully completed or backing out the unfinished work. Given the rate this has been developed, the second seems the likely outcome.

Finally, "minor" performance issues interest me a hell of a lot more than package signing. Mainly because that actually affects me whereas unsigned packages really do not... That is why I spent my free time implementing them. Thinking about it, improving optdepends handling, transaction hooks, VCS support in makepkg, adding a test suite for makepkg, automatic creation of debug packages, ... all affect me more than package signing does, so maybe I will start work on package signing again once those are finished.

Allan