[pacman-dev] [PATCH] Disable embedded signatures by default

Andrew Gregory andrew.gregory.8 at gmail.com
Sun Aug 30 20:21:54 UTC 2020


On 08/28/20 at 02:37pm, Allan McRae wrote:
> On 27/8/20 10:26 am, Anatol Pomozov wrote:
> > Hi
> > 
> > On Mon, Aug 10, 2020 at 2:45 PM Eli Schwartz <eschwartz at archlinux.org> wrote:
> >> This is the right approach, yeah. I was thinking we'd wait until pacman
> >> 6.1 before stopping the signature embedding, to provide a transition
> >> period for people depending on SigLevel = Required (which should be
> >> everyone, and certainly includes Arch!) to upgrade to 6.x before
> >> repo-add starts generating databases useless to pacman 5.x
> > 
> > There are 2 sets of changes that need to be done:
> > 1) make pacman use detached signatures instead of embedded ones
> > 2) change "repo-add" to avoid adding embedded signatures
> > 
> > We should release changes for #1 first, test it, make sure that
> > detached signatures fully work (while dbs still have pacman
> > 5.x-compatible embedded sigs). And only then release #2 to get smaller
> > databases compatible with pacman version >= 6.0.
> > 
> > I was thinking #1 can be released with 6.0 and #2 with 6.1.
> 
> I was thinking #2 would be an option to repo-add.  I'm looking at making
> signature embedding only occur with the "--add-signatures" option (or
> whatever I decide to call it).  Arch would need to patch devtools to use
> this option.  They would then make a News announcement about the need to
> have pacman-6.0 installed after 3-6 months and stop repo-add including
> signatures.
> 
> However, I think pacman should always use the signatures in the database
> if they are present.  Particularly if they are not embedded by default.
> 
> So to actually test the detached signature path, I am thinking it best
> to tag 6.0.0beta1, make a package from that tag with a patch to enable
> using detached signatures as a priority.  While that is not an ideal
> approach to testing, I think the current code path is well tested, and
> this should be a reasonably trivial patch.

We should implement FS#33091.  Instead of adding an option to disable
detached signatures, add one to disable embedded signatures.  This
gives anybody that wants to help test a way to do so without forcing
it on people and provides a useful feature for any repos that continue
providing embedded signatures.  I don't even know that we'd need
a beta release because the new behavior would be opt-in and could be
disabled at any time.

