[arch-dev-public] [RFC] Moving repos to nymeria

Xyne xyne at archlinux.ca
Sun Sep 16 19:51:56 EDT 2012

Xyne wrote:

>If they are kept in the database then signing the database file itself may be
>unnecessary. Pacman could verify the integrity of the metadata for each package
>when it downloads the database.

Adding to that idea, pacman currently verifies database signatures each time it
is run. If the metadata sigs were included in the database then pacman could do
the following:

1) check for matching valid sig for each database
2) if no valid sig, check metadata sigs in db
3) if all metadata sigs are valid, sign database with local key, else die

More information about the arch-dev-public mailing list