[arch-dev-public] Use detached package signatures by default

Anatol Pomozov anatol.pomozov at gmail.com
Tue Jul 28 19:26:52 UTC 2020


On Wed, Jul 8, 2020 at 8:22 PM Allan McRae via arch-dev-public
<arch-dev-public at archlinux.org> wrote:
> On 9/7/20 1:05 pm, Anatol Pomozov wrote:
> > Given this information I would like to propose to stop using embedded
> > signatures and move to detached signatures by default. This will
> > require pacman 6.x or as alternative backport the fix(es) to 5.x
> > branch. It will help to make system updates even faster, something
> > that me and many other Arch users really love.
> There are several steps we need to complete:
> 1) backport the patch (or wait for pacman-6.0, which may be a while
> yet).  I'll leave that to the distro packagers to decide!
> 2) adjust repo-add to optionally add signatures.
> 3) make a time line that all users need to have the patched/released
> pacman installed - we usually require at least 6 months.
> 4) turn off signature inclusion in repo dbs.

It sounds great. If we go this route for pacman 6.0 then it will take
about 1 year to switch to the detached signatures.

As it is quite an important change I would love to see its codepath
tested as much as possible before we remove the embedded signatures
from pacman database files. It will help to catch issues like

What do you think about starting to use detached signatures by default
*and* having embedded signatures as a backup option for time being?
i.e. pacman database will have the signatures (the same as now) but it
will be ignored. Instead pacman will use the detached *.sig files. And
in case if there is a major issue with this implementation then a user
would be able to switch back to embedded signatures using a
pacman.conf option (e.g. "UseEmbeddedSignatures"). If folks are fine
with it I can implement a patch for it.

More information about the arch-dev-public mailing list