[pacman-dev] [ Package Signing ] Your signature please

Allan McRae allan at archlinux.org
Sat Feb 19 02:35:21 EST 2011

On 19/02/11 15:18, Daniel Mendler wrote:
> The mail by IgnorantGuru is very much what I was going to write. There
> is no problem in adding signatures to the Arch repositories immediately.
> You always say that pacman is not the same as Arch. This might be true,
> but which major distribution uses pacman? We should not argue about
> those subtile differences.
> I pulled the main pacman branch, merged Allan's gpg-patches and created
> a signed repository - everything worked fine (Except for example
> overwriting the db with a unverified one before verifing - I can provide
> patches for this in one week). You always say that you need patches, but
> what exactly? You seem to have a working implementation but you don't
> integrate these into master. Instead you work on minor performance
> issues (Single file database for example) even though we have a very
> serious security problem.

I will repeat myself again...  Patches for pacman do bugger all for 
getting signatures into Arch Linux repos.   Patches for the Arch Linux 
devtools/db-scripts packages are needed.

And I will once again point to the package signing TODO page for a list 
of what we need to do at a minimum before this becomes integrated in the 
main pacman branch:
As with all feature branches, they integrated into master when they are 
finished.  Otherwise we can not make a release without actually getting 
it fully completed or backing out the unfinished work.  Given the rate 
this has been developed, the second seems the likely outcome.

Finally, "minor" performance issues interest me a hell of a lot more 
than package signing.  Mainly because that actually affects me whereas 
unsigned packages really does not...  That is why I spent my free time 
implementing them.  Thinking about it, improving optdepends handling, 
transaction hooks, VCS support in makepkg, adding a test suite for 
makepkg, automatic creation of debug packages, ....  all affect me more 
than package signing does, so I maybe will start work on package signing 
again once those are finished.


More information about the pacman-dev mailing list