[pacman-dev] [ Package Signing ] Your signature please
mail at daniel-mendler.de
Sat Feb 19 07:55:45 EST 2011
> I will repeat myself again... Patches for pacman do bugger all for
> getting signatures into Arch Linux repos. Patches for the Arch Linux
> devtools/db-scripts packages are needed.
Well, Pierre says the same for pacman. Someone has to take the first
> And I will once again point to the package signing TODO page for a list
> of what we need to do at a minimum before this becomes integrated in the
> main pacman branch:
> As with all feature branches, they are integrated into master when they are
> finished. Otherwise we can not make a release without actually getting
> it fully completed or backing out the unfinished work. Given the rate
> this has been developed, the second seems the likely outcome.
I understand that it should be finished before it is merged. What is
missing is a strong statement from the development team that they want
signatures ASAP. I think there are enough people who are willing to
provide patches (me included) if you show real interest in package signing.
> Finally, "minor" performance issues interest me a hell of a lot more
> than package signing. Mainly because that actually affects me whereas
> unsigned packages really do not... That is why I spent my free time
> implementing them. Thinking about it, improving optdepends handling,
> transaction hooks, VCS support in makepkg, adding a test suite for
> makepkg, automatic creation of debug packages, .... all affect me more
> than package signing does, so I maybe will start work on package signing
> again once those are finished.
You really have to rethink your priority list here. Those attacks on
package managers have been known for a long time and the package signing point
has come up very often on the pacman mailing list. So there are people
who are concerned about it.