On 19/4/20 1:15 pm, Anatol Pomozov wrote:
>> +                       /* TOASK: do we need to initiate *.sig file download 
>> here? */
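Review bot: the `/* TOASK: do we need to initiate *.sig file download here? */` comment leaves an open question in the code rather than a decision; resolve it before the patch is merged, either by fetching the companion `.sig` next to the package on this path as well, so it matches the other fetch path (alpm_fetch_pkgurl) that the discussion says already downloads signatures, or by replacing the marker with a comment stating why this path intentionally skips signatures.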

> One question with this change is whether we need to download the
> package signatures here.
> 
> It looks like the current codepath does not try to download *.sig
> files. But at another place that fetches packages (alpm_fetch_pkgurl) we
> actually *do* download sig files. So there is an inconsistency between
> different download codepaths.
> 
> Also Arch does not use detached *.sig files for the packages. So I am
> not sure what is the current plan regarding package signature files.

Arch does have detached .sig files on its mirrors.

The two download paths currently are:

1) -S <pkg>: this uses the signature from the db
2) -U <url>: this uses a signature if it finds one

There is a bug report, which we have discussed implementing, that asks us
to always download signatures.  It would be good to add this while you
are working on this area.

This has several advantages.  We can verify packages in our cache, even
if they are no longer in the database.  And we could drop signatures
from the databases, making them substantially smaller (we added them
when the overhead was lower due to using less secure signing keys).

Allan
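A practical consequence of the two download paths described above is that packages fetched with -S end up in the cache without a detached .sig, so they cannot be verified once they drop out of the database. The script below, an added example rather than pacman's own code, audits a cache directory for packages with no companion .sig and, where gpg is present, verifies the signed ones against pacman's keyring. It assumes the cache layout of /var/cache/pacman/pkg (package files matching *.pkg.tar* with the signature stored as <package>.sig) and the keyring at /etc/pacman.d/gnupg; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of pacman or libalpm.
# Assumed layout: <cachedir>/<name>.pkg.tar.<ext> with a detached
# signature at <cachedir>/<name>.pkg.tar.<ext>.sig (as on Arch mirrors).
# Assumed keyring: /etc/pacman.d/gnupg (pacman-key's GnuPG home).

# Print every package file in $1 that has no companion .sig file.
audit_pkg_cache() {
    dir=$1
    for pkg in "$dir"/*.pkg.tar*; do
        [ -e "$pkg" ] || continue          # glob matched nothing
        case $pkg in *.sig) continue ;; esac   # skip the signatures themselves
        [ -f "$pkg.sig" ] || printf '%s\n' "$pkg"
    done
}

# Number of unsigned packages in $1, for use in scripts and checks.
count_unsigned() {
    audit_pkg_cache "$1" | wc -l | tr -d ' '
}

# Verify each signed package in $1 with gpg against the keyring in $2
# (default: pacman's keyring). Returns 0 if all verify, 1 if any fails,
# 2 if gpg is not installed. Reading /etc/pacman.d/gnupg usually needs root.
verify_signed() {
    dir=$1
    keyring=${2:-/etc/pacman.d/gnupg}
    command -v gpg >/dev/null 2>&1 || { echo "gpg not available" >&2; return 2; }
    rc=0
    for sig in "$dir"/*.pkg.tar*.sig; do
        [ -e "$sig" ] || continue
        pkg=${sig%.sig}
        if gpg --homedir "$keyring" --verify "$sig" "$pkg" >/dev/null 2>&1; then
            printf 'OK   %s\n' "$pkg"
        else
            printf 'FAIL %s\n' "$pkg"
            rc=1
        fi
    done
    return $rc
}

# Usage: ./audit-cache.sh [cachedir]
if [ "${AUDIT_CACHE_RUN:-1}" = 1 ] && [ -n "$1" ]; then
    cache=${1:-/var/cache/pacman/pkg}
    echo "Packages without a detached signature in $cache:"
    audit_pkg_cache "$cache"
    echo "Unsigned: $(count_unsigned "$cache")"
    verify_signed "$cache"
fi
```

Running it against a real cache shows how many packages would be unverifiable without the database; once signatures are always downloaded, the unsigned count for freshly fetched packages should stay at zero.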
