[pacman-dev] [ Package Signing ] Your signature please

Allan McRae allan at archlinux.org
Sat Feb 19 21:28:09 EST 2011


On 20/02/11 10:36, Daniel Mendler wrote:
> I think this should also go to a much more technical level. We have the
> gpg tree in Allan's repository. As I said I tested it with a repository
> and got it to work. So can you tell me what do you need till this can be
> merged into master?
>
> 1. Design a strategy to manage the keyrings and adapt the tools to it
> 2. Patches for the issues on the Package Signing Wiki Page
> 3. Patches to db-scripts to manage the database with gpg signatures
>
> Some of the issues on the wiki page are really minor (e.g. rename
> option). There are more complex ones (replacing verified db with
> unverified one, reworking the signature checking code when using pacman
> -U). And there are already patches for some of the issues.
>
> So what do you say about the code quality of the branch? Is it
> acceptable at this point or is there improvement needed? Are there other
> blockers preventing you from merging it as soon as the points above are
> solved?

As far as I am concerned, the major points on the TODO list that need 
patches are the first five for pacman:

TODO: fix (and refactor) reading signatures for packages installed with -U
TODO: have a way to force a signature check with -U (i.e. abort if no 
signature is found)
TODO: only replace old database when signature is valid
TODO: output when downloading signature file - name when downloaded
TODO: output when downloading signature file - "error" when not available


The other issues are all fairly minor (and the pacman-key/makepkg ones 
mostly have patches that just need revising already).

So if patches are submitted for those five points, and any criticism 
followed up, I will commit to then spending the time doing the needed 
tidying/rebasing of the code on my gpg branch to have it suitable for 
merging.

Allan
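The third TODO above ("only replace old database when signature is valid") and the -U point about aborting when no signature is found, as an added example that is not pacman's own code: the verified-replacement logic in Python. The signature check is pluggable; `gpg_verify` shells out to the gpg CLI with a caller-supplied keyring path, and `gpg_verify`, `replace_db_if_verified` and `SignatureError` are names assumed here.

```python
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Optional


class SignatureError(Exception):
    """Raised when a downloaded database has no signature or a bad one."""


def gpg_verify(keyring: Path, db_path: Path, sig_path: Path) -> bool:
    """Check a detached signature with the gpg CLI against one keyring.

    Assumed wrapper (not pacman code); bind the keyring with functools.partial
    to get the two-argument verifier replace_db_if_verified() expects.
    """
    result = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--verify", str(sig_path), str(db_path)],
        capture_output=True,
    )
    return result.returncode == 0


def replace_db_if_verified(db_path: Path, new_db: bytes, new_sig: Optional[bytes],
                           verify: Callable[[Path, Path], bool]) -> bool:
    """Install new_db over db_path only after its detached signature verifies.

    Both downloaded files are staged next to the live database so the final
    rename is atomic. A missing or invalid signature raises SignatureError,
    the staged files are removed, and the old verified database stays in place.
    """
    db_path = Path(db_path)
    if new_sig is None:
        raise SignatureError(f"{db_path.name}: no signature available, keeping old database")
    with tempfile.NamedTemporaryFile(dir=db_path.parent, suffix=".part", delete=False) as tmp:
        tmp.write(new_db)
        tmp_db = Path(tmp.name)
    tmp_sig = tmp_db.with_name(tmp_db.name + ".sig")
    tmp_sig.write_bytes(new_sig)
    try:
        if not verify(tmp_db, tmp_sig):
            raise SignatureError(f"{db_path.name}: invalid signature, keeping old database")
        # Verified on the staged copy: swap the signature first, then the database.
        os.replace(tmp_sig, db_path.with_name(db_path.name + ".sig"))
        os.replace(tmp_db, db_path)
        return True
    finally:
        for leftover in (tmp_db, tmp_sig):  # no-ops after a successful swap
            leftover.unlink(missing_ok=True)
```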

