[pacman-dev] Finishing off the package signing issue -- call for contributors

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Mon May 23 13:11:40 EDT 2011


On Sat, May 21, 2011 at 7:41 PM, Allan McRae <allan at archlinux.org> wrote:
> On 22/05/11 07:33, Kerrick Staley wrote:
>>
>> If it
>> is necessary to attach an Arch-specific patch to Arch's GPGME package,
>> then that can be done.
>
> I'll point out that this cannot be done due to Arch's patching policy.
> Arch does not patch software for features not provided upstream, so any
> patch will be required to go to the gpgme and be accepted before it is even
> considered for the Arch package.
>
> I would also suspect, that patches for pacman that rely on unreleased
> changes to gpgme would not be accepted, so we would then need to wait on a
> new gpgme release...

It's funny, as I have been thinking about that same issue for the last few days.

Another workaround would be to call gpg directly with the option
--lock-never, so it will not try to lock the keyring before the
operation. What gpgme does is exactly that, but under the hood. Yes,
it is more cumbersome than just using gpgme.

About the lack of proper locking, it is not very different from
what is already done with pacman itself. There's a lock for writing
operations (/var/lib/pacman/db.lck) but it is not used for read-only
operations. We just need to be sure to use it only for checking the
signatures.

By the way, maybe I'll not reply for the next few days, because I'll be
without an internet connection. But I'm interested in helping too.

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------
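
The workaround described in the message above, sketched as an added example that is not part of the original post or of pacman's code: gpg is invoked directly with --lock-never for a read-only signature check, and the verdict is taken from its machine-readable status lines rather than from the exit code alone. The function names `sig_verdict` and `verify_pkg_sig` and the argument layout are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not pacman code.

# sig_verdict: read gpg --status-fd lines on stdin, print good|bad|unknown.
# Accepts only when VALIDSIG is present and no negative status was seen,
# so a missing or truncated status stream never counts as success.
# Owner-trust lines (TRUST_*) are not evaluated in this narrowed example.
sig_verdict() {
    valid=0
    reject=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)  valid=1 ;;
            "[GNUPG:] BADSIG "*)    reject=1 ;;
            "[GNUPG:] ERRSIG "*)    reject=1 ;;
            "[GNUPG:] EXPSIG "*)    reject=1 ;;
            "[GNUPG:] EXPKEYSIG "*) reject=1 ;;
            "[GNUPG:] REVKEYSIG "*) reject=1 ;;
        esac
    done
    if [ "$reject" -eq 1 ]; then
        echo bad
    elif [ "$valid" -eq 1 ]; then
        echo good
    else
        echo unknown
    fi
}

# verify_pkg_sig <gpg-homedir> <detached-sig> <package-file>
# --lock-never: gpg does not lock the keyring, so this must stay a
# read-only check; anything that modifies the keyring still has to be
# serialized by the caller (for pacman, under its own write lock).
verify_pkg_sig() {
    status=$(gpg --homedir "$1" --batch --no-tty --lock-never \
                 --status-fd 1 --verify "$2" "$3" 2>/dev/null) || true
    [ "$(printf '%s\n' "$status" | sig_verdict)" = good ]
}
```
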

