[pacman-dev] [PATCH] repo-add: add --include-sigs option

Eli Schwartz eschwartz at archlinux.org
Fri Sep 4 02:40:54 UTC 2020


On 9/2/20 11:02 PM, Allan McRae wrote:
> Pacman now downloads the signature files for all packages when present in a
> repository.  That makes distributing signatures within repository databases
> redundant and costly.
> 
> Do not distribute the package signature files within the repo databases by
> default and add an --include-sigs to revert to the old behaviour.

As I've mentioned on the list before, I would like an --ignore-sigs
option and continue to distribute sigs by default for pacman 6.0.

In pacman 6.1 we'll switch by default to ignoring them, and let people
use --include-sigs to revert to the old behavior.

Ignoring sigs right out of the gate means the default behavior of
repo-add is to be unusable for people upgrading from pacman N-1. For
example, Arch Linux would most certainly need to use the option to
provide backwards compat while upgrading. So do third-party repositories.

Also: this option cannot be added to scripts ahead of time, since
repo-add will error on an unknown option, and it cannot be added after
the fact, since some packages will be broken in the meantime.

I don't see what the rush is here to add behavior that no one will want
to use.
- It makes sense to make this configurable now that it's useful to be
  able to ignore them.
- At the same time, defaults should be based on what is more likely for
  people to want.

-- 
Eli Schwartz
Bug Wrangler and Trusted User
