[pacman-dev] [ Package Signing ] Your signature please
Allan McRae
allan at archlinux.org
Sat Feb 19 02:35:21 EST 2011
On 19/02/11 15:18, Daniel Mendler wrote:
> The mail by IgnorantGuru is very much what I was going to write. There
> is no problem in adding signatures to the Arch repositories immediately.
>
> You always say that pacman is not the same as Arch. This might be true,
> but which major distribution uses pacman? We should not argue about
> those subtle differences.
>
> I pulled the main pacman branch, merged Allan's gpg-patches and created
> a signed repository - everything worked fine (Except for example
> overwriting the db with an unverified one before verifying - I can provide
> patches for this in one week). You always say that you need patches, but
> what exactly? You seem to have a working implementation but you don't
> integrate these into master. Instead you work on minor performance
> issues (Single file database for example) even though we have a very
> serious security problem.
I will repeat myself again... Patches for pacman do bugger all for
getting signatures into Arch Linux repos. Patches for the Arch Linux
devtools/db-scripts packages are needed.
And I will once again point to the package signing TODO page for a list
of what we need to do at a minimum before this becomes integrated in the
main pacman branch:
https://wiki.archlinux.org/index.php/User:Allan/Package_Signing
As with all feature branches, they are integrated into master when they are
finished. Otherwise we can not make a release without actually getting
it fully completed or backing out the unfinished work. Given the rate
this has been developed, the second seems the likely outcome.
Finally, "minor" performance issues interest me a hell of a lot more
than package signing. Mainly because that actually affects me whereas
unsigned packages really do not... That is why I spent my free time
implementing them. Thinking about it, improving optdepends handling,
transaction hooks, VCS support in makepkg, adding a test suite for
makepkg, automatic creation of debug packages, .... all affect me more
than package signing does, so I maybe will start work on package signing
again once those are finished.
Allan
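The quoted bug (the local database being overwritten with an unverified copy before the signature is checked) is the ordering flaw that turns a failed verification into a poisoned sync database. The example below is added here and is not pacman's code: it shows the defensive pattern of writing the candidate next to the target, verifying what was actually written, and only then atomically renaming it over the old file, so a rejected candidate never becomes visible. Real pacman checks a GnuPG detached signature; to keep this runnable offline, an HMAC over the file (with a constructed `DEMO_KEY`) stands in for that signature check, and `install_verified_db`, `run_demo` and the file names are assumptions of this example.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed demo key. In pacman the check is a GnuPG detached signature;
# an HMAC over the file stands in for it here so the example runs offline.
DEMO_KEY = b"demo-repo-signing-key"


def sign(data: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Produce the stand-in signature for a repository database blob."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(data: bytes, signature: bytes, key: bytes = DEMO_KEY) -> bool:
    """Constant-time comparison, so a forgery cannot be guessed byte by byte."""
    return hmac.compare_digest(sign(data, key), signature)


def install_verified_db(db_path: str, candidate: bytes, signature: bytes,
                        key: bytes = DEMO_KEY) -> bool:
    """Replace db_path with candidate only after the on-disk copy verifies.

    The candidate is written to a temporary file in the same directory
    (so the final rename stays on one filesystem), read back and checked,
    and only then renamed over the old database. On any failure the old
    database is untouched and the temporary file is removed.
    """
    directory = os.path.dirname(os.path.abspath(db_path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".db-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(candidate)
        # Verify the bytes that actually landed on disk, not the in-memory buffer.
        with open(tmp_path, "rb") as fh:
            on_disk = fh.read()
        if not verify(on_disk, signature, key):
            return False
        # Atomic on POSIX: readers see either the old or the new db, never a partial one.
        os.replace(tmp_path, db_path)
        return True
    finally:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)


def run_demo() -> tuple:
    """Exercise both paths in a scratch directory; returns what each attempt left behind."""
    with tempfile.TemporaryDirectory() as scratch:
        db_path = os.path.join(scratch, "core.db")   # constructed stand-in for a sync db
        with open(db_path, "wb") as fh:
            fh.write(b"old db")
        good = b"new db"
        good_sig = sign(good)
        # A tampered candidate shipped with the genuine signature must not land.
        rejected = install_verified_db(db_path, b"tampered db", good_sig)
        with open(db_path, "rb") as fh:
            after_reject = fh.read()
        accepted = install_verified_db(db_path, good, good_sig)
        with open(db_path, "rb") as fh:
            after_accept = fh.read()
        leftovers = [n for n in os.listdir(scratch) if n.startswith(".db-")]
        return rejected, after_reject, accepted, after_accept, leftovers


if __name__ == "__main__":
    print(run_demo())
```

The point to take from it is the order of operations: the old database remains the live copy until a verified replacement exists, and the rename is the last step rather than the first.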