[arch-dev-public] Use detached package signatures by default
anatol.pomozov at gmail.com
Mon Aug 10 17:18:45 UTC 2020
On Tue, Jul 28, 2020 at 12:35 PM Giancarlo Razzolini
<grazzolini at archlinux.org> wrote:
> This could be maintained as a patch on the package, it doesn't necessarily have to be
> on pacman's code itself. Just so we make this transition as painless as possible to users.
Having a seamless transition to the new technology is definitely a top
> Can't we go with a different option here? Instead of an option the user sets
> on their end, we make pacman fallback to embedded db sigs, if there are no detached
> *or* if the signature check fails for some reason.
The detached signatures are generated by makepkg toolset since a long
time ago. *.sig files are already in the Arch standard repository. I
also looked through a dozen of random repos at
all of them have *.sig files for the packages.
At this point we are trying to enable the detached signatures handling
at the client side while having a backup option to disable it.
Let me know about a specific situation when detached signatures cause an issue.
More information about the arch-dev-public