Wed, 22 Jul 2015 11:54:22 +1000 Allan McRae <[email protected]>:

> I searched the archives, but I can not find why we stored the package
> PGP signatures base64'd in the repo database rather than downloading
> them as needed. Signatures are responsible for ~55% of the Arch repo
> database size, so I am guessing there must have been a tradeoff.
>
> Can anyone provide insight to this?

It was 2008...
While I don't code anything, I've been an Archer since at least 2006 and had some time to kill, so here are some historic threads I found interesting/relevant:

https://lists.archlinux.org/pipermail/pacman-dev/2008-December/007830.html

> So do we download the signature file along with the package? Or use
> %PGPSIG% in the db?

No answer.

https://lists.archlinux.org/pipermail/pacman-dev/2010-November/012014.html
"Status of package signing work"

https://lists.archlinux.org/pipermail/pacman-dev/2011-February/012410.html
"pacman signing security vulnerabilities"

--byte
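The question above concerns the %PGPSIG% field of the sync database, which holds the base64 of each package's detached signature. As an added example (not code from the pacman project or from either poster), the Python below parses a constructed 'desc' entry in the sync-database layout, decodes %PGPSIG%, checks that the bytes are an OpenPGP Signature packet (tag 2, header rules per RFC 4880 section 4.2), reads the version-4 algorithm fields, and measures what share of the entry the signature occupies. The desc text and the signature bytes are constructed for the example; the signature body is zero padding of roughly RSA-4096 size, not a real signature.

```python
"""Inspect the %PGPSIG% field of a pacman sync-database 'desc' entry.

Added example, not pacman/repo-add code. All sample data is constructed.
"""
import base64

# Constructed OpenPGP signature packet: old-format header octet 0x89
# (tag 2 = Signature, two-octet length), then a version-4 body with
# signature type 0x00 (binary document), public-key algorithm 1 (RSA),
# hash algorithm 8 (SHA-256), zero-padded to about RSA-4096 size.
_SIG_BODY = bytes([4, 0x00, 1, 8]) + b"\x00" * 558
_SIG_PACKET = bytes([0x89]) + len(_SIG_BODY).to_bytes(2, "big") + _SIG_BODY

# Constructed 'desc' entry: %FIELD% header, value lines, blank separator.
SAMPLE_DESC = "\n".join([
    "%FILENAME%", "example-1.0-1-x86_64.pkg.tar.xz", "",
    "%NAME%", "example", "",
    "%VERSION%", "1.0-1", "",
    "%CSIZE%", "12345", "",
    "%SHA256SUM%", "00" * 32, "",
    "%PGPSIG%", base64.b64encode(_SIG_PACKET).decode("ascii"), "",
    "%ARCH%", "x86_64", "",
])


def parse_desc(text):
    """Parse a desc file into {field: [value lines]}; a blank line ends a field."""
    fields, current = {}, None
    for line in text.splitlines():
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            current = line[1:-1]
            fields[current] = []
        elif line == "":
            current = None
        elif current is not None:
            fields[current].append(line)
    return fields


def parse_packet_header(data):
    """Return (tag, body_length, header_length) of the first OpenPGP packet.

    Old-format headers (RFC 4880 4.2.1) and the one-, two- and five-octet
    new-format lengths (4.2.2) are handled; partial and indeterminate
    lengths are rejected because a detached signature never needs them.
    """
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 of first octet clear)")
    first = data[0]
    if first & 0x40:  # new-format header: tag is the low six bits
        tag = first & 0x3F
        l0 = data[1]
        if l0 < 192:
            return tag, l0, 2
        if l0 < 224:
            return tag, ((l0 - 192) << 8) + data[2] + 192, 3
        if l0 == 255:
            return tag, int.from_bytes(data[2:6], "big"), 6
        raise ValueError("partial body length not supported")
    tag = (first >> 2) & 0x0F  # old-format header: tag in bits 5..2
    ltype = first & 0x03       # length-type: 0,1,2 -> 1,2,4 length octets
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    hlen = 1 + (1 << ltype)
    return tag, int.from_bytes(data[1:hlen], "big"), hlen


def describe_pgpsig(fields):
    """Decode %PGPSIG% and report the packet type and v4 algorithm fields."""
    raw = base64.b64decode("".join(fields["PGPSIG"]), validate=True)
    tag, body_len, hlen = parse_packet_header(raw)
    if tag != 2:
        raise ValueError(f"expected Signature packet (tag 2), got tag {tag}")
    body = raw[hlen:hlen + body_len]
    if len(body) != body_len:
        raise ValueError("truncated signature packet")
    info = {"tag": tag, "packet_bytes": len(raw), "version": body[0]}
    if body[0] == 4:
        info.update(sig_type=body[1], pubkey_algo=body[2], hash_algo=body[3])
    return info


def pgpsig_share(text):
    """Fraction of the desc entry (bytes) taken by the %PGPSIG% block."""
    fields = parse_desc(text)
    block = "%PGPSIG%\n" + "\n".join(fields["PGPSIG"]) + "\n"
    return len(block.encode()) / len(text.encode())


if __name__ == "__main__":
    fields = parse_desc(SAMPLE_DESC)
    print(describe_pgpsig(fields))
    print(f"%PGPSIG% share of this desc entry: {pgpsig_share(SAMPLE_DESC):.1%}")
```

On the constructed entry the signature block is about four fifths of the desc text; a real database entry carries more metadata (depends, descriptions, licenses), which is why the share Allan measured across the whole database is lower. Running the inspector over the real `desc` files extracted from a sync database needs no change beyond reading the file.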
