On Sun, 2008-11-30 at 04:22 +0100, vla@xxxxxxxxxxx wrote: > Am So, 30.11.2008, 00:24, schrieb Aaron Griffin: > > > All we'd need is to patch repo-add to include signature data in the > > DB. To do this properly, signatures should be uploaded with the > > package itself, from the packager's machine... hmmm > > > perhaps i missed something, but wouldn´t be the easiest way to download > the db.tar.gz directly from ftp.archlinux.org or another trusted server > and the packages from the mirrors? something like a decentralized system. I think ftp.archlinux.org can be pretty slow sometimes (compared to near-by mirrors), so wouldn't it be equally sufficient to just fetch the DB-checksum from archlinux.org? (Still not as secure as signed DBs though.)
