On 19/02/11 15:18, Daniel Mendler wrote:
The mail by IgnorantGuru is very much what I was going to write. There
is no problem in adding signatures to the Arch repositories immediately.

You always say that pacman is not the same as Arch. This might be true,
but which major distribution uses pacman? We should not argue about
those subtle differences.

I pulled the main pacman branch, merged Allan's gpg-patches and created
a signed repository - everything worked fine (except, for example,
overwriting the db with an unverified one before verifying - I can provide
patches for this in one week). You always say that you need patches, but
what exactly? You seem to have a working implementation but you don't
integrate these into master. Instead you work on minor performance
issues (Single file database for example) even though we have a very
serious security problem.

I will repeat myself again... Patches for pacman do bugger all for getting signatures into Arch Linux repos. Patches for the Arch Linux devtools/db-scripts packages are needed.

And I will once again point to the package signing TODO page for a list of what we need to do at a minimum before this becomes integrated in the main pacman branch:
https://wiki.archlinux.org/index.php/User:Allan/Package_Signing
As with all feature branches, they are integrated into master when they are finished. Otherwise we cannot make a release without actually getting it fully completed or backing out the unfinished work. Given the rate this has been developed, the second seems the likely outcome.

Finally, "minor" performance issues interest me a hell of a lot more than package signing. Mainly because that actually affects me whereas unsigned packages really do not... That is why I spent my free time implementing them. Thinking about it, improving optdepends handling, transaction hooks, VCS support in makepkg, adding a test suite for makepkg, automatic creation of debug packages, .... all affect me more than package signing does, so I maybe will start work on package signing again once those are finished.

Allan
