[pacman-dev] [PATCH] Disable embedded signatures by default

Allan McRae allan at archlinux.org
Tue Aug 11 13:24:49 UTC 2020


On 11/8/20 7:44 am, Eli Schwartz wrote:
> On 8/10/20 5:34 PM, Anatol Pomozov wrote:
>> Switching from embedded to detached signatures is a big change. This
>> feature needs to be thoroughly tested before embedded signatures will be
>> completely removed from the database.
>>
>> To help with detached signatures testing we enable it by default. But in
>> case a user needs to go back to embedded signatures we add a config
>> option to re-enable it - "UseEmbeddedSignatures".
> What is the purpose of this? Either signature source should be
> equivalent, and you should be able to trivially test this by creating a
> repo with unsigned packages, then bulk-signing the packages after they
> were repo-added. I don't believe that pacman should include such an
> end-user option purely to double-check whether a current feature
> actually works.

Agreed - the user should not care where the signatures come from, so
this option should not exist.

Also, I see this was proposed on arch-dev-public first.  I am not
subscribed there, and decisions on what is included in pacman are not
dictated by Arch Linux.  Proposals should be posted here.


Now, thinking out loud here...  Would an alternative be to add an
"--embed-signatures" option to repo-add?  So two versions of a repo
could be created and those that want to test without embedded signatures
can.

Allan
