[arch-dev-public] Use detached package signatures by default

Giancarlo Razzolini grazzolini at archlinux.org
Tue Jul 28 19:35:19 UTC 2020


On July 28, 2020, 16:26, Anatol Pomozov via arch-dev-public wrote:
> 
> It sounds great. If we go this route for pacman 6.0 then it will take
> about 1 year to switch to the detached signatures.
> 
> As it is quite an important change I would love to see its codepath
> tested as much as possible before we remove the embedded signatures
> from pacman database files. It will help to catch issues like
> https://bugs.archlinux.org/task/67232.
> 
> What do you think about starting to use detached signatures by default
> *and* having embedded signatures as a backup option for the time being?
> i.e. the pacman database will have the signatures (the same as now) but they
> will be ignored. Instead pacman will use the detached *.sig files. And
> in case there is a major issue with this implementation then a user
> would be able to switch back to embedded signatures using a
> pacman.conf option (e.g. "UseEmbeddedSignatures"). If folks are fine
> with it I can implement a patch for it.
> 

Hi Anatol,

Can't we go with a different option here? Instead of an option the user sets
on their end, we make pacman fall back to embedded db sigs if there are no detached
ones *or* if the signature check fails for some reason.

This could be maintained as a patch on the package; it doesn't necessarily have to be
in pacman's code itself. Just so we make this transition as painless as possible for users.

Regards,
Giancarlo Razzolini
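The verification order proposed above (detached .sig first, embedded signature only as a fallback), as an added example that is not pacman's code or anything posted in this thread. It uses plain gpg in a throwaway keyring: the packager key, the dummy package, the detached signature and the base64 "embedded" form are all constructed here, and the file names and the verify_* function names are hypothetical. The EMBEDDED variable stands in for the base64 signature a sync database carries in a package's %PGPSIG% entry.

```shell
#!/bin/sh
# Added example (not pacman's code): the proposed verification order,
# detached .sig first, embedded signature only as a fallback, done with
# plain gpg in a throwaway keyring. Key, package and signatures below are
# all constructed here; paths and names are hypothetical.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$WORK"' EXIT

# Constructed packager key, unprotected so nothing prompts in batch mode.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Example Packager <packager@example.invalid>' default default never 2>/dev/null

# Constructed "package" plus its detached signature (the .sig a mirror would serve).
PKG="$WORK/foo-1.0-1-any.pkg.tar.zst"
printf 'constructed package payload\n' > "$PKG"
gpg --batch --quiet --detach-sign --output "$PKG.sig" "$PKG"

# Embedded form: the same signature base64-encoded, the way a sync database
# carries it in the package's %PGPSIG% field.
EMBEDDED=$(base64 < "$PKG.sig" | tr -d '\n')

# A second, different file with its own valid signature. Its .sig simulates a
# detached signature that does not match the package; the file itself
# simulates a tampered package.
TAMPERED="$WORK/foo-1.0-1-any.pkg.tar.zst.tampered"
printf 'constructed package payload, modified\n' > "$TAMPERED"
gpg --batch --quiet --detach-sign --output "$TAMPERED.sig" "$TAMPERED"

# Verify package $1 against detached signature file $2. 0 = good, 2 = no .sig.
verify_detached() {
    [ -f "$2" ] || return 2
    gpg --batch --quiet --verify "$2" "$1" 2>/dev/null
}

# Verify package $1 against base64 embedded signature $2 by materialising it.
verify_embedded() {
    printf '%s' "$2" | base64 -d > "$WORK/embedded.sig"   # -d: GNU coreutils / busybox
    gpg --batch --quiet --verify "$WORK/embedded.sig" "$1" 2>/dev/null
}

# Proposed order: detached first; if missing or bad, fall back to embedded.
# Prints the path that succeeded and logs every fallback on stderr, so a
# broken detached path shows up in logs instead of being masked silently.
verify_pkg() {
    if verify_detached "$1" "$2"; then
        echo detached
        return 0
    fi
    echo "warning: detached signature missing or invalid for $1, trying embedded signature" >&2
    if verify_embedded "$1" "$3"; then
        echo embedded
        return 0
    fi
    echo "error: no valid signature for $1" >&2
    return 1
}

# The four cases worth covering before the embedded path is removed.
for case in "detached-ok $PKG $PKG.sig" \
            "no-detached $PKG $WORK/missing.sig" \
            "bad-detached $PKG $TAMPERED.sig" \
            "tampered-pkg $TAMPERED $PKG.sig"; do
    set -- $case
    printf '%-13s -> ' "$1"
    verify_pkg "$2" "$3" "$EMBEDDED" || echo REJECTED
done
```

With the fallback in place both verification paths stay reachable, so both need to be exercised; the example logs each fallback on stderr so that a detached-signature problem is visible in pacman's output rather than quietly absorbed by the embedded path. The last case shows that a modified package is still rejected whichever path is tried, since both signatures are over the original bytes.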