[pacman-dev] [PATCH] Disable embedded signatures by default

Eli Schwartz eschwartz at archlinux.org
Tue Aug 11 13:56:22 UTC 2020


On 8/11/20 9:24 AM, Allan McRae wrote:
> On 11/8/20 7:44 am, Eli Schwartz wrote:
>> On 8/10/20 5:34 PM, Anatol Pomozov wrote:
>>> Switching from embedded to detached signatures is a big change. This
>>> feature needs to be thoroughly tested before embedded signatures will be
>>> completely removed from the database.
>>>
>>> To help with detached signatures testing we enable it by default. But in
>>> case a user needs to go back to embedded signatures we add a config
>>> option to re-enable it - "UseEmbeddedSignatures".
>> What is the purpose of this? Either signature source should be
>> equivalent, and you should be able to trivially test this by creating a
>> repo with unsigned packages, then bulk-signing the packages after they
>> were repo-added. I don't believe that pacman should include such an
>> end-user option purely to double-check whether a current feature
>> actually works.
> 
> Agreed - the user should not care where the signatures come from, so
> this option should not exist.
> 
> Also, I see this was proposed on arch-dev-public first.  I am not
> subscribed there, and decisions on what is included in pacman are not
> dictated by Arch Linux.  Proposals should be posted here.

More specifically -- decisions on what is included in pacman are not
dictated by consensus of the Arch Linux team, but by the pacman team
(which is in turn guided, but not dictated, by what is useful for
archlinux).

Making a bad or confusing package manager simply because archlinux wants
it would be a bad move due to making a bad or confusing package manager.

> Now, thinking out loud here...  Would an alternative be to add an
> "--embed-signatures" option to repo-add?  So two versions of a repo
> could be created and those that want to test without embedded signatures
> can.

This is the right approach, yeah. I was thinking we'd wait until pacman
6.1 before stopping the signature embedding, to provide a transition
period for people depending on SigLevel = Required (which should be
everyone, and certainly includes Arch!) to upgrade to 6.x before
repo-add starts generating databases useless to pacman 5.x.

But I'd also be fine with --no-embed-signatures for opting in early, and
switching to --embed-signatures for opting out once we default to --no-*

-- 
Eli Schwartz
Bug Wrangler and Trusted User
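
Added example, not part of the original message and not pacman's own code: a Python check that lists which entries of a sync database carry an embedded signature, the property in which a repo built with and without the proposed repo-add option would differ. It assumes the sync database layout (a tar archive holding one `<name>-<version>/desc` file per package, with the signature in the `%PGPSIG%` field); the function names and the sample database are constructed for illustration.

```python
import io
import tarfile

def parse_desc(text):
    """Parse a 'desc' file into {FIELD: [value lines]}."""
    fields, current = {}, None
    for line in text.splitlines():
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            current = line.strip("%")
            fields[current] = []
        elif not line:
            current = None          # a blank line ends the current field
        elif current is not None:
            fields[current].append(line)
    return fields

def audit_db(fileobj):
    """Return (embedded, no_embedded): sorted entry names, split by whether
    the entry's desc file has a non-empty %PGPSIG% field."""
    embedded, no_embedded = [], []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not (member.isfile() and member.name.endswith("/desc")):
                continue
            desc = parse_desc(tar.extractfile(member).read().decode("utf-8"))
            entry = member.name.rsplit("/", 1)[0]
            (embedded if desc.get("PGPSIG") else no_embedded).append(entry)
    return sorted(embedded), sorted(no_embedded)

def build_sample_db():
    """Constructed sample database: one entry with an embedded signature
    (placeholder base64, not a real signature) and one without."""
    entries = {
        "foo-1.0-1": "%FILENAME%\nfoo-1.0-1-x86_64.pkg.tar.zst\n\n"
                     "%NAME%\nfoo\n\n%VERSION%\n1.0-1\n\n"
                     "%PGPSIG%\nQ09OU1RSVUNURUQ=\n\n",
        "bar-2.1-3": "%FILENAME%\nbar-2.1-3-any.pkg.tar.zst\n\n"
                     "%NAME%\nbar\n\n%VERSION%\n2.1-3\n\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for entry, desc in entries.items():
            data = desc.encode("utf-8")
            info = tarfile.TarInfo(f"{entry}/desc")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    embedded, no_embedded = audit_db(build_sample_db())
    print("embedded signature:   ", embedded)
    print("no embedded signature:", no_embedded)
```

To audit a real repository, pass an opened database file (`open(path, "rb")`) to `audit_db` instead of the constructed sample.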
