[arch-dev-public] [dbscripts] [PATCH] Add signature files to update/move/remove targets
Pierre Schmitz
pierre at archlinux.de
Fri Apr 1 15:58:44 EDT 2011
On Fri, 1 Apr 2011 21:54:30 +0200, Rémy Oudompheng wrote:
> On 2011/4/1 Pierre Schmitz <pierre at archlinux.de> wrote:
>> On Fri, 1 Apr 2011 00:54:57 +0200, Rémy Oudompheng wrote:
>>> Signature files are optional and the previous behaviour
>>> is unchanged when signatures files do not exist.
>>>
>>> Signed-off-by: Rémy Oudompheng <remy at archlinux.org>
>>> ---
>>> This patch was already posted with very slight differences
>>> on the mailing-list by Allan. It needed several changes to
>>> fit the current state of dbscripts. I hope this one will
>>> allow to move forward.
>>>
>>> Still nothing in the test suite: we would need to run
>>> gpg after the extra-*-build invocation and extra checks
>>> for the presence/absence of signature files in the repos.
>>
>> I am a little confused by this patch. If I get the current repo-add
>> code right, gpg signatures will be base64 encoded and added to the db
>> files. So there should be no need to provide .sig files for every single
>> package.
>>
>
> Then I'm also confused by our current handling of signatures.
> Do we have decided anything about that?
> Why did Allan suggest this patch?
> How can repo-add put signatures in db files if signatures are not
> available in the package pool? (we probably don't want to extract the
> signature and copy it when moving packages between repos)
I think it will work this way:
* you upload the package and its separate signature into your staging
dir
* repo-add will add the pacakge's meta data and signature into the
database file
> In my current understanding:
> * package pool holds packages and their signature files, and serves as
> the basis for generating databases
> * repo directories ($repo/os/$arch) contain symlinks to packages,
> databases which are generated by repo-add, and the signature file for
> the database.
The package's signatures are kept within the db file. The only separate
.sig file that will be visible in the repos is the one for the db file
itself.
--
Pierre Schmitz, https://users.archlinux.de/~pierre
More information about the arch-dev-public
mailing list