[pacman-dev] [ Package Signing ] Your signature please

Allan McRae allan at archlinux.org
Sat Feb 19 08:24:04 EST 2011


On 19/02/11 22:55, Daniel Mendler wrote:
> Hi Allan
>
>> I will repeat myself again...  Patches for pacman do bugger all for
>> getting signatures into Arch Linux repos.   Patches for the Arch Linux
>> devtools/db-scripts packages are needed.
>
> Well, Pierre says the same for pacman. Someone has to take the first
> initiative here.

Well, he is wrong... :P

I will post why in reply to that message soon.

>> And I will once again point to the package signing TODO page for a list
>> of what we need to do at a minimum before this becomes integrated in the
>> main pacman branch:
>> https://wiki.archlinux.org/index.php/User:Allan/Package_Signing
>> As with all feature branches, they are integrated into master when they
>> are finished.  Otherwise we can not make a release without actually getting
>> it fully completed or backing out the unfinished work.  Given the rate
>> this has been developed, the second seems the likely outcome.
>
> I understand that it should be finished before it is merged. What is
> missing is a strong statement from the development team that they want
> signatures asap. I think there are enough people who are willing to
> provide patches (me included) if you show real interest in package signing.

What a load of bullshit.   The first patch was submitted over two years 
ago and immediately pulled into a branch.  But as has happened 
repeatedly, that person disappeared and never finished.  All further 
work by other people was also reviewed and/or pulled to one of the main 
developers git branches fairly quickly after posting.  And we have 
repeatedly said "patches welcome".  I'm not sure how much clearer we 
could be that this is an area that we would be happy for people to work on.

>> Finally, "minor" performance issues interest me a hell of a lot more
>> than package signing.  Mainly because that actually affects me whereas
>> unsigned packages really do not...  That is why I spent my free time
>> implementing them.  Thinking about it, improving optdepends handling,
>> transaction hooks, VCS support in makepkg, adding a test suite for
>> makepkg, automatic creation of debug packages, ....  all affect me more
>> than package signing does, so I maybe will start work on package signing
>> again once those are finished.
>
> You really have to rethink your priority list here. Those attacks on
> package managers are known for a long time and the package signing point
> has come up very often on the pacman mailing list. So there are people
> who are concerned about it.

As I said, it really does not affect me.  I use the master server for my 
repo db downloads and know exactly which package updates to expect given 
I see all commits to our svn repos.  So the scope in which I could be 
attacked is very small and I am prepared to take that risk.  So my 
priorities are clearly different to other peoples.  The key difference 
is, I submit patches to implement what I consider a priority...

Allan
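An added illustration (not code from the pacman project or from anyone in this thread) of the risk model Allan describes above: without signatures, the only check a user has on a repo db fetched from a mirror is whether its contents match what they independently expect. The script below builds a constructed pacman-style sync database (a gzipped tar with one `<name>-<version>/desc` member per package, using the `%FIELD%` layout of pacman desc files) and audits it against an expected version list standing in for what Allan reads off the svn commits. It flags packages that are missing, older than expected (a stale or replayed db), or not expected at all. The package names, versions, and the "mirror-served" database are all constructed; the version comparison is a simplified one, not pacman's vercmp.

```python
"""Audit an unsigned pacman-style sync db against the package versions a
reader expects, flagging missing, downgraded, and unexpected entries.
All package data here is constructed for the example."""
import io
import re
import tarfile

# Constructed expected state: what the commit log says the repo should hold.
EXPECTED = {
    "pacman": "3.5.0-1",
    "glibc": "2.13-4",
    "openssl": "1.0.0.d-1",
}


def build_db(packages):
    """Build an in-memory sync db: a gzipped tar with '<name>-<ver>/desc'
    members laid out like pacman desc files (%NAME%, %VERSION%, ...)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, version in packages.items():
            desc = f"%NAME%\n{name}\n\n%VERSION%\n{version}\n\n".encode()
            info = tarfile.TarInfo(f"{name}-{version}/desc")
            info.size = len(desc)
            tar.addfile(info, io.BytesIO(desc))
    return buf.getvalue()


def parse_desc(text):
    """Parse a %FIELD%-delimited desc file into {field: value}."""
    fields, current = {}, None
    for line in text.splitlines():
        if line.startswith("%") and line.endswith("%"):
            current = line.strip("%")
            fields[current] = []
        elif line and current:
            fields[current].append(line)
    return {k: "\n".join(v) for k, v in fields.items()}


def read_db(blob):
    """Return {pkgname: version} for every desc member in the db."""
    packages = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.name.endswith("/desc"):
                continue
            fields = parse_desc(tar.extractfile(member).read().decode())
            packages[fields["NAME"]] = fields["VERSION"]
    return packages


def _segments(version):
    return [int(t) if t.isdigit() else t
            for t in re.findall(r"\d+|[A-Za-z]+", version)]


def vercmp(a, b):
    """Simplified version compare: numeric runs as integers, alphabetic runs
    lexically, numeric beats alphabetic. Not pacman's full vercmp."""
    for x, y in zip(_segments(a), _segments(b)):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    la, lb = len(_segments(a)), len(_segments(b))
    return (la > lb) - (la < lb)


def audit(db_blob, expected):
    """Return sorted (kind, name, got, want) findings; [] means the db
    matches the expected state exactly."""
    seen = read_db(db_blob)
    findings = []
    for name, want in expected.items():
        got = seen.get(name)
        if got is None:
            findings.append(("missing", name, None, want))
        elif vercmp(got, want) < 0:
            findings.append(("downgrade", name, got, want))
    for name, got in seen.items():
        if name not in expected:
            findings.append(("unexpected", name, got, None))
    return sorted(findings)


if __name__ == "__main__":
    honest = build_db(EXPECTED)
    # Constructed "mirror-served" db: openssl held back, glibc dropped,
    # and a package nobody committed to svn.
    tampered = build_db({"pacman": "3.5.0-1", "openssl": "1.0.0.c-1",
                         "not-in-svn": "1-1"})
    print(audit(honest, EXPECTED))
    print(audit(tampered, EXPECTED))
```

The check only works for someone who, like Allan, has an out-of-band source of truth for what the db should contain; for an ordinary user pulling from a mirror there is no such list, which is exactly the gap a signed database closes.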

