[pacman-dev] Signature within repo databases?

Jens Adam jra at byte.cx
Wed Jul 22 02:58:07 UTC 2015


Wed, 22 Jul 2015 11:54:22 +1000
Allan McRae <allan at archlinux.org>:

> I searched the archives, but I can not find why we stored the package
> PGP signatures base64'd in the repo database rather than downloading
> them as needed.  Signatures are responsible for ~55% of the Arch repo
> database size, so I am guessing there must have been a tradeoff.
> 
> Can anyone provide insight to this?   It was 2008...

While I don't code anything, I've been an Archer since at least 2006 and
had some time to kill, so here are some historic threads I found
interesting/relevant:
https://lists.archlinux.org/pipermail/pacman-dev/2008-December/007830.html
> So do we download the signature file along with the package? Or use
> %PGPSIG% in the db?
No answer.

https://lists.archlinux.org/pipermail/pacman-dev/2010-November/012014.html
"Status of package signing work"

https://lists.archlinux.org/pipermail/pacman-dev/2011-February/012410.html
"pacman signing security vulnerabilities"

--byte
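Added example, not code from this thread or from pacman itself: a Python script that builds a small constructed sync database in the layout the thread is discussing (a `<name-ver>/desc` entry per package, with the detached PGP signature base64'd into a `%PGPSIG%` field), parses it back, and reports how much of the uncompressed desc text the signature data occupies. The package entries are made up and the signature bodies are fabricated; they carry only a valid OpenPGP tag-2 packet header followed by filler, so the decode check has something to inspect but nothing here verifies.

```python
"""Measure the share of a pacman sync database taken up by %PGPSIG% data.

Added example, not code from pacman or from this thread.  The database
it builds is constructed in memory and the "signatures" are fabricated
(valid OpenPGP packet headers, filler bodies); they do not verify.
"""
import base64
import io
import tarfile


def fake_signature(filler_len: int) -> bytes:
    """Fabricated signature body: OpenPGP old-format header for tag 2
    (signature) with a two-byte length, then filler.  Not a real signature."""
    assert filler_len <= 0xFFFF
    return b"\x89" + filler_len.to_bytes(2, "big") + b"\xa5" * filler_len


# Constructed sample packages in pacman's desc field layout (assumed fields).
SAMPLE_PACKAGES = {
    "alpha-1.0-1": {
        "FILENAME": "alpha-1.0-1-any.pkg.tar.xz",
        "NAME": "alpha",
        "VERSION": "1.0-1",
        "CSIZE": "4096",
        "SHA256SUM": "0" * 64,
        "PGPSIG": base64.b64encode(fake_signature(300)).decode(),
    },
    "beta-2.3-4": {
        "FILENAME": "beta-2.3-4-x86_64.pkg.tar.xz",
        "NAME": "beta",
        "VERSION": "2.3-4",
        "CSIZE": "131072",
        "SHA256SUM": "f" * 64,
        "PGPSIG": base64.b64encode(fake_signature(500)).decode(),
    },
}


def render_desc(fields: dict) -> str:
    """Serialise fields the way desc files lay them out: %KEY%, value, blank line."""
    return "".join(f"%{key}%\n{value}\n\n" for key, value in fields.items())


def build_sample_db() -> bytes:
    """Pack the sample packages into a gzip tar with <name-ver>/desc entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for entry, fields in SAMPLE_PACKAGES.items():
            data = render_desc(fields).encode()
            info = tarfile.TarInfo(name=f"{entry}/desc")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def parse_desc(text: str) -> dict:
    """Parse a desc file into {FIELD: [value lines]}; a blank line ends a field."""
    fields, current = {}, None
    for line in text.splitlines():
        if len(line) > 2 and line[0] == line[-1] == "%":
            current = line[1:-1]
            fields[current] = []
        elif line == "":
            current = None
        elif current is not None:
            fields[current].append(line)
    return fields


def is_openpgp_signature_packet(data: bytes) -> bool:
    """Cheap sanity check on decoded %PGPSIG%: the first packet must be tag 2."""
    if not data or not data[0] & 0x80:
        return False
    first = data[0]
    # new-format header: tag in low 6 bits; old-format: tag in bits 5..2
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return tag == 2


def signature_share(db: bytes) -> dict:
    """Uncompressed desc bytes, bytes spent on base64 signatures, and the ratio."""
    desc_bytes = sig_bytes = 0
    packages = {}
    with tarfile.open(fileobj=io.BytesIO(db), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or not member.name.endswith("/desc"):
                continue
            raw = tar.extractfile(member).read()
            desc_bytes += len(raw)
            fields = parse_desc(raw.decode())
            sig_b64 = "".join(fields.get("PGPSIG", []))
            sig_bytes += len(sig_b64)
            decoded = base64.b64decode(sig_b64) if sig_b64 else b""
            packages[fields["NAME"][0]] = {
                "sig_b64_len": len(sig_b64),
                "sig_is_pgp_packet": is_openpgp_signature_packet(decoded),
            }
    share = sig_bytes / desc_bytes if desc_bytes else 0.0
    return {"desc_bytes": desc_bytes, "sig_bytes": sig_bytes,
            "share": share, "packages": packages}


if __name__ == "__main__":
    report = signature_share(build_sample_db())
    print(f"{report['sig_bytes']} of {report['desc_bytes']} desc bytes are "
          f"base64 signatures ({report['share']:.0%})")
```

The ratio this reports is over the uncompressed desc text. Base64-encoded signature data compresses poorly compared with the repetitive field names around it, so its share of the compressed database on disk is larger than the share of the plain text; any "download the .sig on demand" variant of the design would remove exactly the bytes this script counts.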