[pacman-dev] [PATCH] repo-add: add --include-sigs option

Andrew Gregory andrew.gregory.8 at gmail.com
Mon Sep 21 05:51:53 UTC 2020


On 09/21/20 at 03:19pm, Allan McRae wrote:
> On 4/9/20 12:55 pm, Allan McRae wrote:
> > On 4/9/20 12:40 pm, Eli Schwartz wrote:
> >> On 9/2/20 11:02 PM, Allan McRae wrote:
> >>> Pacman now downloads the signature files for all packages when present in a
> >>> repository.  That makes distributing signatures within repository databases
> >>> redundant and costly.
> >>>
> >>> Do not distribute the package signature files within the repo databases by
> >>> default and add an --include-sigs to revert to the old behaviour.
> >>
> >> As I've mentioned on the list before, I would like an --ignore-sigs
> >> option and continue to distribute sigs by default for pacman 6.0
> >>
> >> In pacman 6.1 we'll switch by default to ignoring them, and let people
> >> use --include-sigs to revert to the old behavior.
> >>
> >> Ignoring sigs right out of the gate means the default behavior of
> >> repo-add is to be unusable for people upgrading from pacman N-1. For
> >> example, Arch Linux would most certainly need to use the option to
> >> provide backwards compat while upgrading. So do third-party repositories.
> >>
> >> Also: this option cannot be added to scripts ahead of time, since
> >> repo-add will error on an unknown option, and it cannot be added after
> >> the fact, since some packages will be broken in the meantime.
> >>
> >> I don't see what the rush is here to add behavior that no one will want
> >> to use.
> >> - It makes sense to make this configurable now that it's useful to be
> >>   able to ignore them.
> >> - At the same time, defaults should be based on what is more likely for
> >>   people to want.
> >>
> > 
> > I really do not like the idea of adding an option, just to remove it in
> > the next release.  But we won't actually be able to remove it for at
> > least two releases, as you have just made the case that people won't be
> > able to change their scripts on release.
> > 
> > Given pacman-6.0 is likely a few months out, can we do a 5.2.3 release
> > including something like:
> > 
> 
> Any feedback on this option?

I would suggest just allowing the user to specify either way
(--include-sigs/--no-include-sigs, --include-sigs={yes,no}, etc).
Then users can specify whatever they want without having to worry about
what we set as a default.

> > 
> > diff --git a/doc/repo-add.8.asciidoc b/doc/repo-add.8.asciidoc
> > index 8de4485b..19e2336a 100644
> > --- a/doc/repo-add.8.asciidoc
> > +++ b/doc/repo-add.8.asciidoc
> > @@ -70,6 +70,10 @@ repo-add Options
> >  	Remove old package files from the disk when updating their entry in the
> >  	database.
> > 
> > +*\--include-sigs*::
> > +	Dummy option for forward compatibility with pacman-6.0.
> > +	Include package PGP signatures in the repository database (if available)
> > +
> > 
> >  Example
> >  -------
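
Review bot: The two description lines added under *\--include-sigs* contradict each other: the first calls the option a dummy, the second says it includes package PGP signatures in the repository database. A reader of this man page cannot tell whether passing the flag changes anything. Say plainly that in this release the flag is accepted and has no effect, and that it exists so scripts can pass it ahead of pacman-6.0. The second sentence is also missing its closing period.
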
> > diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in
> > index b0b3505d..ee010dba 100644
> > --- a/scripts/repo-add.sh.in
> > +++ b/scripts/repo-add.sh.in
> > @@ -43,6 +43,7 @@ LOCKFILE=
> >  CLEAN_LOCK=0
> >  USE_COLOR='y'
> >  PREVENT_DOWNGRADE=0
> > +INCLUDE_SIGS=0
> > 
> >  # Import libmakepkg
> >  source "$LIBRARY"/util/message.sh
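
Review bot: INCLUDE_SIGS=0 in the defaults block reads as "signatures are left out unless requested", yet the doc hunk describes the option as a dummy and none of the visible hunks read the variable. Either add a comment next to the assignment saying it is intentionally unused in this release, or drop the variable and make the --include-sigs case arm a no-op, so nobody later assumes the 0 default reflects current behaviour.
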
> > @@ -631,6 +632,9 @@ while (( $# )); do
> >  		-p|--prevent-downgrade)
> >  			PREVENT_DOWNGRADE=1
> >  			;;
> > +		--include-sigs)
> > +			INCLUDE_SIGS=1
> > +			;;
> >  		*)
> >  			args+=("$1")
> >  			;;
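
Review bot: The new case arm accepts only the bare --include-sigs spelling. If the explicit either-way form suggested in this thread (--include-sigs/--no-include-sigs or --include-sigs={yes,no}) is adopted for 6.0, the negated or valued spelling needs its own arm here as well, otherwise it falls through to the `*)` arm and is appended to args as a positional argument. Scripts could then pin the behaviour they want on both releases, which is the point of shipping a compatibility option.
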
> > .
> > 

