The mail by IgnorantGuru is very much what I was going to write. There is no problem in adding signatures to the Arch repositories immediately. You always say that pacman is not the same as Arch. This might be true, but which major distribution uses pacman? We should not argue about those subtile differences. I pulled the main pacman branch, merged Allan's gpg-patches and created a signed repository - everything worked fine (Except for example overwriting the db with a unverified one before verifing - I can provide patches for this in one week). You always say that you need patches, but what exactly? You seem to have a working implementation but you don't integrate these into master. Instead you work on minor performance issues (Single file database for example) even though we have a very serious security problem. Regards Daniel