[pacman-dev] [PATCH] Disable embedded signatures by default

Eli Schwartz eschwartz at archlinux.org
Sun Aug 30 17:41:40 UTC 2020

On 8/26/20 8:26 PM, Anatol Pomozov wrote:
> The purpose of the change is to start using the detached signatures
> codepath. The detached signatures are shipped with repos for a long
> time and pacman can handle it. Now it is time to actually enable it by
> default.
>  "UseEmbeddedSignatures" option has been added as a fallback plan in
> case we find that the detached signatures codepath is broken. Do you
> think this is too much hassle and we should just start using detached
> signatures by default without any fallback config option?

I already stated my opinion.

Firstly, that we should NOT add a configuration option for this, since
it is a burden on the manpage and is completely useless except for
development testing.

Secondly, I believe we should continue to check both, because I see no
compelling reason to reject perfectly working functionality for no
reason, plus you have no way of knowing if there are thirdparty
repositories which locally generate databases with sigs, but then only
upload the packages and databases, but not the sigs (on the grounds that
they won't be used so why bother).

We don't just care about Arch Linux. Also, we don't just care about the
official repos, even for Arch Linux use. Before instituting a breaking
change, we need a better reason than "this is a convenient way for a
pacman developer to test whether or not pacman is broken".

>> This is the right approach, yeah. I was thinking we'd wait until pacman
>> 6.1 before stopping the signature embedding, to provide a transition
>> period for people depending on SigLevel = Required (which should be
>> everyone, and certainly includes Arch!) to upgrade to 6.x before
>> repo-add starts generating databases useless to pacman 5.x
> There are 2 sets of changes that need to be done:
> 1) make pacman to use detached signatures instead of embedded ones
> 2) change "repo-add" to avoid adding embedded signatures
> We should release changes for #1 first, test it, make sure that
> detached signatures fully work (while dbs still have pacman
> 5.x-compatible embedded sigs). And only then release #2 to get smaller
> databases compatible with pacman version >= 6.0.
> I was thinking #1 can be released with 6.0 and #2 with 6.1.

My vote is to not do #1 at all. I do not see why you keep insisting it
"needs" to be done. #2 is all we need to generate test repositories.

Here is a script to generate test repositories:

ssh pkgbuild.com
cd public_html/repo
mkdir x86_64-detachedsigs
cd mkdir x86_64-detachedsigs

bsdtar -xOf ../x86_64/eschwartz.db.tar.gz | awk
'/^%FILENAME%/{getline;print}' | while read -r line; do
    cp -v ../x86_64/"$line" ./

repo-add eschwartz.db.tar.gz *.pkg.tar*

bsdtar -xOf ../x86_64/eschwartz.db.tar.gz | awk
'/^%FILENAME%/{getline;print}' | while read -r line; do
    cp -v ../x86_64/"$line".sig ./

Here is a test repo you can verify against:

Server = https://pkgbuild.com/~eschwartz/repo/x86_64-detachedsigs/

Eli Schwartz
Bug Wrangler and Trusted User

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1601 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20200830/de1ab166/attachment-0001.sig>

More information about the pacman-dev mailing list