[pacman-dev] More thought about signature implementation

Dan McGee dpmcgee at gmail.com
Sat Jun 19 09:47:45 EDT 2010

On Fri, Jun 18, 2010 at 11:51 PM, Denis A. Altoé Falqueto
<denisfalqueto at gmail.com> wrote:
> On Sat, Jun 19, 2010 at 1:18 AM, Denis A. Altoé Falqueto
> <denisfalqueto at gmail.com> wrote:
>> On Sat, Jun 19, 2010 at 12:08 AM, Allan McRae <allan at archlinux.org> wrote:
>>> On 19/06/10 03:45, Denis A. Altoé Falqueto wrote:
>>> The signatures are currently placed in the repo-db.   So only the repo db
>>> needs downloaded and not individual signatures.   If an attacker deletes the
>>> repo database and its signature, that is probably the least of our issues...
>>>    There will be many copies of a recent signed database that we can recover
>>> all the signatures from.
>> Hmm, I see. And it is a good idea, indeed.
>> But I've tested two packages (go-openoffice, 130M, and libxfontcache,
>> 8K) to see how this will affect the final size of the database. The
>> size of the signatures was 543 bytes each. So the size of the package
>> will not affect the size of the signatures. What could affect is the
>> key used, given the hash algorithm is the same. My current key has
>> 2024 bits length The table bellow resume the expected increase for
>> each repository:
>> http://pastebin.com/ppfe5dxw
> I've tested with my local cache. It currently contains 808 packages.
> i've signed them all and tarred without compression and with gzip,
> bzip2 and lzma to see what gives: All the signatures are the same size
> (543 bytes each).
> tar:       1200 K
> tar.gz:     444 K
> tar.bz2    425 K
> tar.xz:      428 K
> Assuming that we'll only store 1/3 of the total size of the
> signatures, the new table gets:
> http://pastebin.com/BNwd1MAf
> The sizes are in KB and the final size of db is the current plus the
> size of the compacted signatures. Looking at that table now, it could
> be feasible, at least for the user. There'll be an increase in
> bandwidth consumption too, because every time someone syncs his
> databases, almost the same signatures are being served...

Honestly you're worried about a non-issue here. The size of the DBs is
fine before and after, and we already serve up 98% of the same info
every time someone downloads a DB; package signatures are not that
different from any other field already there.


More information about the pacman-dev mailing list