Hi Giancarlo

On Tue, Jul 28, 2020 at 12:35 PM Giancarlo Razzolini
<grazzol...@archlinux.org> wrote:
> This could be maintained as a patch on the package, it doesn't necessarily
> have to be on pacman's code itself. Just so we make this transition as
> painless as possible to users.

Having a seamless transition to the new technology is definitely a top
priority here.

> Can't we go with a different option here? Instead of an option the user sets
> on their end, we make pacman fall back to embedded db sigs, if there are no
> detached *or* if the signature check fails for some reason.

The detached signatures have been generated by the makepkg toolset for a
long time. *.sig files are already in the Arch standard repository. I
also looked through a dozen random repos at
https://wiki.archlinux.org/index.php/Unofficial_user_repositories and
all of them have *.sig files for the packages.

At this point we are trying to enable the detached signatures handling
at the client side while having a backup option to disable it.

Let me know about a specific situation when detached signatures cause an issue.
