[arch-dev-public] Use detached package signatures by default

[Anatol Pomozov]

Hi

On Wed, Jul 8, 2020 at 8:22 PM Allan McRae via arch-dev-public
<arch-dev-public at archlinux.org> wrote:
>
> On 9/7/20 1:05 pm, Anatol Pomozov wrote:
> > Given this information I would like to propose to stop using embedded
> > signatures and move to detached signatures by default. This will
> > require pacman 6.x or as alternative backport the fix(es) to 5.x
> > branch. It will help to make system updates even faster, something
> > that me and many other Arch users really love.
>
> There are several steps we need to complete:
>
> 1) backport the patch (or wait for pacman-6.0, which may be a while
> yet).  I'll leave that to the distro packagers to decide!
>
> 2) adjust repo-add to optionally add signatures.
>
> 3) make a time line that all users need to have the patched/released
> pacman installed - we usually require at least 6 months.
>
> 4) turn off signature inclusion in repo dbs.

It sounds great. If we go this route for pacman 6.0 then it will take
about 1 year to switch to the detached signatures.

As it is quite an important change I would love to see its codepath
tested as much as possible before we remove the embedded signatures
from pacman database files. It will help to catch issues like
https://bugs.archlinux.org/task/67232.

What do you think about starting to use detached signatures by default
*and* having embedded signatures as a backup option for time being?
i.e. pacman database will have the signatures (the same as now) but it
will be ignored. Instead pacman will use the detached *.sig files. And
in case if there is a major issue with this implementation then a user
would be able to switch back to embedded signatures using a
pacman.conf option (e.g. "UseEmbeddedSignatures"). If folks are fine
with it I can implement a patch for it.