[arch-dev-public] Use detached package signatures by default
Anatol Pomozov
anatol.pomozov at gmail.com
Mon Aug 10 17:18:45 UTC 2020
Hi Giancarlo

On Tue, Jul 28, 2020 at 12:35 PM Giancarlo Razzolini
<grazzolini at archlinux.org> wrote:
> This could be maintained as a patch on the package, it doesn't necessarily have to be
> on pacman's code itself. Just so we make this transition as painless as possible to users.

Having a seamless transition to the new technology is definitely a top
priority here.

> Can't we go with a different option here? Instead of an option the user sets
> on their end, we make pacman fall back to embedded db sigs, if there are no detached
> *or* if the signature check fails for some reason.

The detached signatures have been generated by the makepkg toolset for a
long time. *.sig files are already in the Arch standard repository. I
also looked through a dozen random repos at
https://wiki.archlinux.org/index.php/Unofficial_user_repositories and
all of them have *.sig files for the packages.

At this point we are trying to enable the detached signatures handling
on the client side while having a backup option to disable it.

Let me know about a specific situation when detached signatures cause an issue.