[pacman-dev] More thought about signature implementation

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Sat Jun 19 00:51:14 EDT 2010


On Sat, Jun 19, 2010 at 1:18 AM, Denis A. Altoé Falqueto
<denisfalqueto at gmail.com> wrote:
> On Sat, Jun 19, 2010 at 12:08 AM, Allan McRae <allan at archlinux.org> wrote:
>> On 19/06/10 03:45, Denis A. Altoé Falqueto wrote:
>> The signatures are currently placed in the repo-db.   So only the repo db
>> needs downloaded and not individual signatures.   If an attacker deletes the
>> repo database and its signature, that is probably the least of our issues...
>>    There will be many copies of a recent signed database that we can recover
>> all the signatures from.
>
> Hmm, I see. And it is a good idea, indeed.
>
> But I've tested two packages (go-openoffice, 130M, and libxfontcache,
> 8K) to see how this will affect the final size of the database. The
> size of the signatures was 543 bytes each. So the size of the package
> will not affect the size of the signatures. What could affect is the
> key used, given the hash algorithm is the same. My current key has
> 2024 bits length The table bellow resume the expected increase for
> each repository:
>
> http://pastebin.com/ppfe5dxw

I've tested with my local cache. It currently contains 808 packages.
i've signed them all and tarred without compression and with gzip,
bzip2 and lzma to see what gives: All the signatures are the same size
(543 bytes each).

tar:       1200 K
tar.gz:     444 K
tar.bz2    425 K
tar.xz:      428 K

Assuming that we'll only store 1/3 of the total size of the
signatures, the new table gets:

http://pastebin.com/BNwd1MAf

The sizes are in KB and the final size of db is the current plus the
size of the compacted signatures. Looking at that table now, it could
be feasible, at least for the user. There'll be an increase in
bandwidth consumption too, because every time someone syncs his
databases, almost the same signatures are being served...

PS: I saw your email while i was writing this, and i'll test makepkg
and repo-add maybe this weekend. Will sure try with my database cache
to see the numbers.

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------


More information about the pacman-dev mailing list