Hi On Wed, Jul 8, 2020 at 8:22 PM Allan McRae via arch-dev-public <arch-dev-public@archlinux.org> wrote: > > On 9/7/20 1:05 pm, Anatol Pomozov wrote: > > Given this information I would like to propose to stop using embedded > > signatures and move to detached signatures by default. This will > > require pacman 6.x or as alternative backport the fix(es) to 5.x > > branch. It will help to make system updates even faster, something > > that me and many other Arch users really love. > > There are several steps we need to complete: > > 1) backport the patch (or wait for pacman-6.0, which may be a while > yet). I'll leave that to the distro packagers to decide! > > 2) adjust repo-add to optionally add signatures. > > 3) make a time line that all users need to have the patched/released > pacman installed - we usually require at least 6 months. > > 4) turn off signature inclusion in repo dbs.
It sounds great. If we go this route for pacman 6.0 then it will take about 1 year to switch to the detached signatures. As it is quite an important change I would love to see its codepath tested as much as possible before we remove the embedded signatures from pacman database files. It will help to catch issues like https://bugs.archlinux.org/task/67232. What do you think about starting to use detached signatures by default *and* having embedded signatures as a backup option for time being? i.e. pacman database will have the signatures (the same as now) but it will be ignored. Instead pacman will use the detached *.sig files. And in case if there is a major issue with this implementation then a user would be able to switch back to embedded signatures using a pacman.conf option (e.g. "UseEmbeddedSignatures"). If folks are fine with it I can implement a patch for it.