[arch-dev-public] [dbscripts] [PATCH] Add signature files to update/move/remove targets

Allan McRae allan at archlinux.org
Fri Apr 1 17:52:52 EDT 2011

On 02/04/11 06:45, Pierre Schmitz wrote:
> On Fri, 1 Apr 2011 15:10:36 -0500, Dan McGee wrote:
>> On Fri, Apr 1, 2011 at 2:58 PM, Pierre Schmitz<pierre at archlinux.de>  wrote:
>>> On Fri, 1 Apr 2011 21:54:30 +0200, Rémy Oudompheng wrote:
>>>> In my current understanding:
>>>> * package pool holds packages and their signature files, and serves as
>>>> the basis for generating databases
>>>> * repo directories ($repo/os/$arch) contain symlinks to packages,
>>>> databases which are generated by repo-add, and the signature file for
>>>> the database.
>>> The package's signatures are kept within the db file. The only separate
>>> .sig file that will be visible in the repos is the one for the db file
>>> itself.
>> No, that is not the intention. We put them in the database as well so
>> you do not have to download each and every .sig file individually, but
>> they have always been intended to be freely available and sitting
>> there as well. It would be quite silly to hide these files away if we
>> have them.
>> For that matter, repo-add doesn't add them *unless* they are sitting
>> next to the package.
> Thanks for clarifying.
> Back to the patch: I'll need to have more check for the .sig files and
> at least a simple test case will be needed.

Just to add another reason to keep the .sig file beside the package, 
pacman -U http://package/from/mirror.pkg.tar.gz will try and download 
the signature file and verify it too.


More information about the arch-dev-public mailing list