[pacman-dev] [ Package Signing ] Your signature please

[Daniel Mendler]

Hi Allan

> I will repeat myself again...  Patches for pacman do bugger all for
> getting signatures into Arch Linux repos.   Patches for the Arch Linux
> devtools/db-scripts packages are needed.

Well, Pierre says the same for pacman. Someone has to take the first
initiative here.

> And I will once again point to the package signing TODO page for a list
> of what we need to do at a minimum before this becomes integrated in the
> main pacman branch:
> https://wiki.archlinux.org/index.php/User:Allan/Package_Signing
> As with all feature branches, they integrated into master when they are
> finished.  Otherwise we can not make a release without actually getting
> it fully completed or backing out the unfinished work.  Given the rate
> this has been developed, the second seems the likely outcome.

I understand that it should be finished before it is merged. What is
missing is a strong statement from the development team that they want
signatures asap. I think there are enough people who are willing to
provide patches (me included) if you show real interest in package signing.

> Finally, "minor" performance issues interest me a hell of a lot more
> than package signing.  Mainly because that actually affects me whereas
> unsigned packages really does not...  That is why I spent my free time
> implementing them.  Thinking about it, improving optdepends handling,
> transaction hooks, VCS support in makepkg, adding a test suite for
> makepkg, automatic creation of debug packages, ....  all affect me more
> than package signing does, so I maybe will start work on package signing
> again once those are finished.

You really have to rethink your priority list here. Those attacks on
package managers are known for a long time and the package signing point
has come up very often on the pacman mailing list. So there are people
who are concerned about it.

Daniel