Why can't we do this? 1) Keep hashes of {core,extra,community,multilib}.db in plaintext in keys.archlinux.org or something 2) while syncing pacman compares the hashes of the downloaded dbs from the main server ensuring that the packages are not tampered! -- have a nice day -jck