[pacman-dev] Multiple/Shared Architectures

Teran McKinney sega01 at gmail.com
Mon Sep 29 07:19:21 EDT 2008


On Mon, Sep 29, 2008 at 00:14, Dan McGee <dpmcgee at gmail.com> wrote:
> On Sat, Sep 27, 2008 at 3:03 PM, Teran McKinney <sega01 at gmail.com> wrote:
>> PS: I think that the stock makepkg should default to arch=(any) if
>> $arch is not set. I do this in Icadyptes, and it is a very safe (to my
>> knowledge) and easy hack. Has there been any discussion or patches
>> regarding PGP signed database files?
>
> http://bugs.archlinux.org/task/5331

Glad that others are interested in this too. I would definitely vote
for a signature by database method; by package is very complex and
large.

gpg --verify repo.db is very insecure; it allows any valid key in the
user's database to be used when signing the package. If they have
automatic key fetching enabled, it gets even worse. I would have
separate keys for each repo and sign accordingly. A shell script
implementation of this is quite simple, but a proper C implementation
might not be too bad either (especially if you don't hook into any
libraries and just go by command exit status).

> There is support for arch=(any) already,
> and it does not require any new repositories
> (when using the scheme with symlinks/hardlinks).
> You can search pacman-dev and archlinux-public archives for more.
> AFAIR devtools/aurtools & dbscripts still need to be modified
> to start using this feature.

I am aware of arch=(any), but IMO, it is redundant and somewhat
wasteful to be forced to set it, since arch=(any) as a genuine usage
is so common. A symlink system is very messy and impractical, but it
would probably work. I did not realize that the libalpm-side
restrictions of architecture settings were removed, so this should
make things easier.

Thanks,
Teran (sega01)
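
The per-repository key check described in the message above, sketched as a shell function that decides by exit status alone. This is an added example, not code from the post or from pacman. The keyring directory, the `<db>.sig` naming and the function name are assumptions; `gpgv` is the GnuPG verifier that consults only the keyring it is given.

```shell
#!/bin/sh
# Added example: verify a repo database against that repo's own keyring only,
# so a key trusted for one repo (or any key in the user's personal keyring)
# cannot vouch for another repo's database.
# Assumed layout (hypothetical, not pacman's): $KEYRING_DIR/<repo>.gpg holds
# the repo's signing keys; the detached signature sits beside the database
# as <db>.sig.

KEYRING_DIR="${KEYRING_DIR:-/etc/pacman.d/keyrings}"   # hypothetical path
GPGV="${GPGV:-gpgv}"                                   # verifier command

# verify_repo_db REPO DBFILE
# Returns 0 only if DBFILE has a valid detached signature made by a key in
# REPO's keyring; 1 on a bad signature; 2 on bad input or missing files.
verify_repo_db() {
    repo=$1
    db=$2

    # Reject repo names that could point outside the keyring directory.
    case $repo in
        ''|*/*|.*) echo "bad repo name: $repo" >&2; return 2 ;;
    esac

    keyring="$KEYRING_DIR/$repo.gpg"
    sig="$db.sig"

    # Fail closed: a missing keyring, database or signature is a failure,
    # never "unsigned, so accept".
    for f in "$keyring" "$db" "$sig"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    done

    # gpgv reads only the keyring passed with --keyring: no default keyring,
    # no key fetching. The decision is its exit status.
    if "$GPGV" --keyring "$keyring" "$sig" "$db" >/dev/null 2>&1; then
        return 0
    fi
    echo "signature check failed for $db (repo $repo)" >&2
    return 1
}
```

A caller would run `verify_repo_db core /path/to/core.db` after each download and refuse to use the database on any non-zero status.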


