[pacman-dev] [PATCH] Convert download packages logic to multiplexed API
allan at archlinux.org
Mon Apr 20 11:53:45 UTC 2020
On 19/4/20 1:15 pm, Anatol Pomozov wrote:
>> + /* TOASK: do we need to initiate *.sig file download here? */
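Review bot: the `TOASK` marker in `+ /* TOASK: do we need to initiate *.sig file download here? */` is an open design question committed as a code comment; resolve it in the patch itself rather than merging the question. Given the reply that follows in this thread (detached `.sig` files exist on the mirrors and the other fetch path, `alpm_fetch_pkgurl`, already downloads them), the consistent change is to fetch `<pkgfile>.sig` next to the package on this path as well and drop the comment.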
> One question with this change is whether we need to download the
> package signatures here.
> It looks like the current codepath does not try to download *.sig
> files. But at other place that fetches packages (alpm_fetch_pkgurl) we
> actually *do* download sig files. So there is inconsistency between
> different download codepaths.
> Also Arch does not use detached *.sig files for the packages. So I am
> not sure what is the current plan regarding package signature files.
Arch does have detached .sig files on its mirrors.
The two download paths currently are:
1) -S <pkg>: this uses the signature from the db
2) -U <url>: this uses a signature if it finds one
There is a bug report, which we have discussed implementing, that asks us
to always download signatures. It would be good to add this while you
are working on this area.
This has several advantages. We can verify packages in our cache, even
if they are no longer in the database. And we could drop signatures
from the databases, making them substantially smaller (we added them
when the overhead was lower due to using less secure signing keys).
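The reply above argues for always fetching the detached signature so that cached packages stay verifiable after they drop out of the sync database. The following is an added example, not pacman or libalpm code, that audits a cache directory for that property: it pairs each package archive with its detached `.sig` (assuming Arch's `<pkgfile>.sig` naming next to the package), reports packages that have no signature to verify against, and flags orphaned signatures. `verify_detached` shells out to `gpg --verify` with pacman's keyring directory (`/etc/pacman.d/gnupg`); the filenames in `SAMPLE_CACHE` are constructed.

```python
"""Audit a pacman-style package cache for detached signatures.

Added example, not pacman/libalpm code. Assumes Arch's convention that the
detached signature for <pkgfile> is stored beside it as <pkgfile>.sig.
"""
import os
import subprocess
from typing import Dict, List, Optional

# Package archives end in ".pkg.tar." plus a compression suffix (.zst, .xz,
# .gz, ...); the detached signature is the same filename with ".sig" appended.
PKG_MARKER = ".pkg.tar."
SIG_SUFFIX = ".sig"


def is_package(name: str) -> bool:
    """True for a package archive filename (signatures are excluded)."""
    return PKG_MARKER in name and not name.endswith(SIG_SUFFIX)


def pair_signatures(names: List[str]) -> Dict[str, Optional[str]]:
    """Map each package filename to its detached signature filename, or None
    when no <pkgfile>.sig is present. A package without a .sig cannot be
    verified from the cache alone once it is gone from the sync database."""
    present = set(names)
    return {n: (n + SIG_SUFFIX if n + SIG_SUFFIX in present else None)
            for n in names if is_package(n)}


def stray_signatures(names: List[str]) -> List[str]:
    """Signatures whose package file is missing (package removed, .sig left)."""
    present = set(names)
    return sorted(n for n in names
                  if n.endswith(SIG_SUFFIX) and n[:-len(SIG_SUFFIX)] not in present)


def audit_cache(cache_dir: str) -> Dict[str, Optional[str]]:
    """Run pair_signatures over a real directory, e.g. /var/cache/pacman/pkg."""
    return pair_signatures(os.listdir(cache_dir))


def verify_detached(pkg_path: str, gnupg_home: str = "/etc/pacman.d/gnupg") -> bool:
    """Verify <pkg_path>.sig against pkg_path with gpg using pacman's keyring.
    Returns False when gpg is unavailable or the signature is missing or bad.
    Not exercised by the constructed sample below."""
    sig_path = pkg_path + SIG_SUFFIX
    if not os.path.exists(sig_path):
        return False
    try:
        result = subprocess.run(
            ["gpg", "--homedir", gnupg_home, "--verify", sig_path, pkg_path],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
    except FileNotFoundError:
        return False
    return result.returncode == 0


# Constructed sample cache listing: one package with its signature, one
# package fetched without a signature, and one orphaned signature.
SAMPLE_CACHE = [
    "foo-1.0-1-x86_64.pkg.tar.zst",
    "foo-1.0-1-x86_64.pkg.tar.zst.sig",
    "bar-2.0-3-any.pkg.tar.zst",
    "baz-0.9-1-x86_64.pkg.tar.xz.sig",
]

if __name__ == "__main__":
    for pkg, sig in pair_signatures(SAMPLE_CACHE).items():
        print(f"{pkg}: {'signed (' + sig + ')' if sig else 'NO DETACHED SIGNATURE'}")
    for sig in stray_signatures(SAMPLE_CACHE):
        print(f"{sig}: package file missing")
```

Pointing `audit_cache` at a real cache shows exactly which entries the proposed "always download signatures" behaviour would make verifiable offline; today only packages fetched through the URL path, or whose signature is still carried in the database, can be checked.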