On 11/8/20 7:44 am, Eli Schwartz wrote:
> On 8/10/20 5:34 PM, Anatol Pomozov wrote:
>> Switching from embedded to detached signatures is a big change. This feature needs to be thoroughly tested before embedded signatures are completely removed from the database.
>>
>> To help with detached signatures testing we enable it by default. But in case a user needs to go back to embedded signatures we add a config option to reenable it - "UseEmbeddedSignatures".
>
> What is the purpose of this? Either signature source should be equivalent, and you should be able to trivially test this by creating a repo with unsigned packages, then bulk-signing the packages after they were repo-added.
>
> I don't believe that pacman should include such an end-user option purely to double-check whether a current feature actually works.

Agreed - the user should not care where the signatures come from, so this option should not exist.

Also, I see this was proposed on arch-dev-public first. I am not subscribed there, and decisions on what is included in pacman are not dictated by Arch Linux. Proposals should be posted here.

Now, thinking out loud here... Would an alternative be to add an "--embed-signatures" option to repo-add? So two versions of a repo could be created and those that want to test without embedded signatures can.

Allan