On 08/28/20 at 02:37pm, Allan McRae wrote:
On 27/8/20 10:26 am, Anatol Pomozov wrote:
Hi
On Mon, Aug 10, 2020 at 2:45 PM Eli Schwartz <eschwartz@archlinux.org> wrote:
This is the right approach, yeah. I was thinking we'd wait until pacman 6.1 before stopping the signature embedding, to provide a transition period for people depending on SigLevel = Required (which should be everyone, and certainly includes Arch!) to upgrade to 6.x before repo-add starts generating databases useless to pacman 5.x.
There are 2 sets of changes that need to be done:
1) make pacman use detached signatures instead of embedded ones
2) change "repo-add" to avoid adding embedded signatures
We should release changes for #1 first, test it, make sure that detached signatures fully work (while dbs still have pacman 5.x-compatible embedded sigs). And only then release #2 to get smaller databases compatible with pacman version >= 6.0.
I was thinking #1 can be released with 6.0 and #2 with 6.1.
I was thinking #2 would be an option to repo-add. I'm looking at making signature embedding only occur with the "--add-signatures" option (or whatever I decide to call it). Arch would need to patch devtools to use this option. They would then make a News announcement about the need to have pacman-6.0 installed after 3-6 months and stop repo-add including signatures.
However, I think pacman should always use the signatures in the database if they are present. Particularly if they are not embedded by default.
So to actually test the detached signature path, I am thinking it best to tag 6.0.0beta1, make a package from that tag with a patch to enable using detached signatures as a priority. While that is not an ideal approach to testing, I think the current code path is well tested, and this should be a reasonably trivial patch.
We should implement FS#33091. Instead of adding an option to disable detached signatures, add one to disable embedded signatures. This gives anybody that wants to help test a way to do so without forcing it on people and provides a useful feature for any repos that continue providing embedded signatures. I don't even know that we'd need a beta release because the new behavior would be opt-in and could be disabled at any time.