[pacman-dev] [PATCH] Proposal: Add some kind of user feedback about package signing

Allan McRae allan at archlinux.org
Mon Nov 7 00:16:01 EST 2011


On 04/11/11 08:11, robert evert wrote:
> Hey,
>
>> I somewhat like the idea
> me too :)
>
> I changed the signed package information to an information about
> _unsigned_ packages, as those should be more interesting. It's a totally
> informative message while installation is taking place.
> Output takes place in the callback.c function. I needed to add another
> int variable to the alpm_pkg_t, as I need to look for signatures in the
> package information AND for a signature file.
>
> If there is any chance that such functionality will be implemented in
> pacman, I could provide some command line option to enable this
> information ( enabling debug is NO alternative... ). Otherwise it was an
> exercise for me and I will stop mentally hurting you guys ;)
>
> -Rob
>
> ~~~~~~~~~~~~~~~~~~
>
> The current output looks like this:
>
> ...
> Proceed with installation? [Y/n]
> checking package integrity...
> loading package files...
> checking for file conflicts...
> upgrading abcde...
> upgrading acpitool |Unsigned...
>
> ...
> Proceed with installation? [Y/n]
> (2/2) checking package integrity
>                   [###################################################] 100%
> (2/2) loading package files
>                   [###################################################] 100%
> (2/2) checking for file conflicts
>                   [###################################################] 100%
> (1/2) upgrading abcde
>                   [###################################################] 100%
> :: The following package is unsigned:
> (2/2) upgrading acpitool
>                   [###################################################] 100%
>


I am not really a fan of this for the following reasons:

1) I am a fan of keeping the output as minimal as possible and this 
falls in the "unnecessary output" category for me.

2) The output comes too late to really do anything about the unsigned 
package.  It is now installed on your system.  So what is this preventing?

3) If you do not want unsigned packages, you can use SigLevel = Required 
to force packages to be signed.

So, in summary, I am not sure what problem this is trying to solve and 
if it does indeed solve it.

Allan
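
An added example, not part of the original message or of pacman's code: point 3 relies on SigLevel = Required being in effect for every repository, so this sketch reads pacman.conf text and lists the repositories whose effective package level still admits unsigned packages. The function names and sample configuration are hypothetical; it assumes a built-in default of Optional when [options] sets no SigLevel, that repository sections start from the [options] value, and it does not follow Include directives.

```python
import re

BUILTIN_DEFAULT = "Optional"  # assumption: used when [options] sets no SigLevel
LEVELS = ("Never", "Optional", "Required")

def _apply(level, tokens):
    """Apply SigLevel tokens in order and return the package-level result."""
    for tok in tokens:
        if tok.startswith("Database"):  # affects sync database checks only
            continue
        name = tok[len("Package"):] if tok.startswith("Package") else tok
        if name in LEVELS:  # TrustedOnly/TrustAll do not change the level
            level = name
    return level

def package_siglevels(conf_text):
    """Return {repo: effective package signature level} per repo section."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = "" if raw.lstrip().startswith("#") else raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        if current is not None and key.strip() == "SigLevel":
            sections[current].extend(value.split())
    default = _apply(BUILTIN_DEFAULT, sections.get("options", []))
    return {repo: _apply(default, toks)
            for repo, toks in sections.items() if repo != "options"}

def repos_allowing_unsigned(conf_text):
    """Repos from which an unsigned package would still be installed."""
    levels = package_siglevels(conf_text)
    return sorted(r for r, lvl in levels.items() if lvl != "Required")

# Constructed sample configuration, not taken from the thread.
SAMPLE = """
[options]
SigLevel = Optional TrustedOnly
[core]
SigLevel = PackageRequired
[extra]
Server = https://mirror.example/extra
[custom]
SigLevel = Never
"""
if __name__ == "__main__":
    print(repos_allowing_unsigned(SAMPLE))
```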

