[pacman-dev] More thought about signature implementation
Allan McRae
allan at archlinux.org
Sat Jun 19 00:40:50 EDT 2010
On 19/06/10 14:18, Denis A. Altoé Falqueto wrote:
> On Sat, Jun 19, 2010 at 12:08 AM, Allan McRae<allan at archlinux.org> wrote:
>> On 19/06/10 03:45, Denis A. Altoé Falqueto wrote:
>> The signatures are currently placed in the repo-db. So only the repo db
>> needs downloaded and not individual signatures. If an attacker deletes the
>> repo database and its signature, that is probably the least of our issues...
>> There will be many copies of a recent signed database that we can recover
>> all the signatures from.
>
> Hmm, I see. And it is a good idea, indeed.
>
> But I've tested two packages (go-openoffice, 130M, and libxfontcache,
> 8K) to see how this will affect the final size of the database. The
> size of the signatures was 543 bytes each. So the size of the package
> will not affect the size of the signatures. What could affect is the
> key used, given the hash algorithm is the same. My current key has
> 2024 bits length. The table below summarizes the expected increase for
> each repository:
>
> http://pastebin.com/ppfe5dxw
>
> Maybe that is acceptable, maybe not. Thinking about it a little, I
> would not be very glad of having to download almost the same
> signatures (the ones that didn't change) every time I run pacman -Sy.

It looks like you just took 543 bytes and multiplied it by the number of
packages. Can we have compressed numbers? You could test this by
making a repo db out of all the packages in your pacman cache using the
current repo-add. Then sign all those packages and make a repo db with
all those signatures using the gpg branch repo-add.

With the next pacman major release, we can switch to .xz compression for
the database which gives up a 30% size decrease to work with.

Allan