Hi Allan
I will repeat myself again... Patches for pacman do bugger all for getting signatures into Arch Linux repos. Patches for the Arch Linux devtools/db-scripts packages are needed.
Well, Pierre says the same for pacman. Someone has to take the first initiative here.
And I will once again point to the package signing TODO page for a list of what we need to do at a minimum before this becomes integrated in the main pacman branch: https://wiki.archlinux.org/index.php/User:Allan/Package_Signing As with all feature branches, they are integrated into master when they are finished. Otherwise we cannot make a release without actually getting it fully completed or backing out the unfinished work. Given the rate this has been developed, the second seems the likely outcome.
I understand that it should be finished before it is merged. What is missing is a strong statement from the development team that they want signatures asap. I think there are enough people who are willing to provide patches (me included) if you show real interest in package signing.
Finally, "minor" performance issues interest me a hell of a lot more than package signing. Mainly because that actually affects me whereas unsigned packages really do not... That is why I spent my free time implementing them. Thinking about it, improving optdepends handling, transaction hooks, VCS support in makepkg, adding a test suite for makepkg, automatic creation of debug packages... all affect me more than package signing does, so maybe I will start work on package signing again once those are finished.
You really have to rethink your priority list here. Those attacks on package managers have been known for a long time and the package signing point has come up very often on the pacman mailing list. So there are people who are concerned about it.

Daniel