[arch-dev-public] Use detached package signatures by default

Jelle van der Waa jelle at vdwaa.nl
Thu Jul 9 09:04:16 UTC 2020

On 09/07/2020 05:05, Anatol Pomozov via arch-dev-public wrote:
> TLDR; let’s start using detached package signatures to make system
> updates faster.
> Hi folks,
> Some time ago there was a discussion at IRC where someone (Allan
> maybe?) proposed to stop using embedded PGP signatures in favor of
> detached signature files. I would like to bring this idea here and
> quantify it with some numbers.

The downside of not having the package signatures in the database is
that consumers can not easily obtain this information. For archweb
that's showing who signed the package on the package details page.

How would I implement an efficient alternative without fetching package
files or all the sig files? A separate sig database? :P

As far now I'll have to adjust the code not to break because of a
missing PGPSIG entry.

> Here is a bit of technical details on this topic. Pacman has the
> ability to verify authenticity of package files with PGP signatures.
> PGP signatures add protection against undesired package modifications
> by a third-party and it improves security aspects of the package
> management. This feature can be configured per repository and the
> official Arch Linux repos have it enabled. Package signatures have
> been used by Arch Linux successfully for a couple of years now.


> An alternative to embedded signatures are detached signatures. These
> are signatures stored in a separate file next to the package itself
> (in a <pkg>.sig file to be specific). Instead of downloading *all*
> signatures every time a database is updated, detached signatures are
> downloaded only when a specific package is installed/updated. If Arch
> could switch to this model then database files become 3 times smaller
> that saves users bandwidth and system update time.

It would be insightful to provide the database numbers, because one
could argue 30% of 1MB is nothing, as 30% of 100M is nice improvement.

Our biggest database should be community (5M atm), and with all the
savings that would now be ~ 2 MB? Would be nice to have an overview of
the real life numbers :)


Jelle van der Waa

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20200709/e0be6a4a/attachment.sig>

More information about the arch-dev-public mailing list