[pacman-dev] More thought about signature implementation

Allan McRae allan at archlinux.org
Sat Jun 19 00:40:50 EDT 2010

On 19/06/10 14:18, Denis A. Altoé Falqueto wrote:
> On Sat, Jun 19, 2010 at 12:08 AM, Allan McRae<allan at archlinux.org>  wrote:
>> On 19/06/10 03:45, Denis A. Altoé Falqueto wrote:
>> The signatures are currently placed in the repo-db.   So only the repo db
>> needs downloaded and not individual signatures.   If an attacker deletes the
>> repo database and its signature, that is probably the least of our issues...
>>     There will be many copies of a recent signed database that we can recover
>> all the signatures from.
> Hmm, I see. And it is a good idea, indeed.
> But I've tested two packages (go-openoffice, 130M, and libxfontcache,
> 8K) to see how this will affect the final size of the database. The
> size of the signatures was 543 bytes each. So the size of the package
> will not affect the size of the signatures. What could affect is the
> key used, given the hash algorithm is the same. My current key has
> 2024 bits length The table bellow resume the expected increase for
> each repository:
> http://pastebin.com/ppfe5dxw
> Maybe that is acceptable, maybe not. Thinking about it a little, I
> would not be very glad of having to download almost the same
> signatures (the ones that didn't change) every time I run pacman -Sy.

It looks like you just too 543 bytes and multiplied it by the number of 
packages.  Can we have compressed numbers?   You could test this by 
making a repo db out of all the packages in your pacman cache using the 
current repo-add.  Then sign all those packages and make a repo db with 
all those signatures using the gpg branch repo-add.

With the next pacman major release, we can switch to .xz compression for 
the database which gives up a 30% size decrease to work with.


More information about the pacman-dev mailing list