FS#26729 - Implement -U --no-signature
Attached to Project:
Pacman
Opened by Thomas Bächler (brain0) - Thursday, 03 November 2011, 14:31 GMT
Last edited by Allan McRae (Allan) - Thursday, 07 February 2013, 00:55 GMT
Details
When the package signing infrastructure is fully implemented, users will want to use pacman with 'SigLevel = (Package)Required'. On the other hand, not every AUR user has a personal key for signing packages as a trusted key in their own pacman keyring.

When you use a PKGBUILD to build and install a package locally, there is no need to first sign it and then verify the signature. With 'SigLevel = PackageRequired', pacman -U will refuse to install an unsigned package, requiring the user to modify pacman.conf (set SigLevel=PackageOptional), and later revert the modification. For the convenience of using locally built packages, a '--no-signature' flag for the '-U' operation should be implemented. Optionally, this flag could be restricted to only take effect when installing a local file, instead of a URL.
This task depends upon
Closed by Allan McRae (Allan)
Thursday, 07 February 2013, 00:55 GMT
Reason for closing: Implemented
Additional comments about closing: pacman.conf options added in 33b3b6d9
1. Do as proposed
2. Add a 'UpgradeSigLevel' parameter or similar. This would be the level used on -U operations if specified (as opposed to SigLevel being used for -S operations). The name is a tad misleading, however.
3. 2 + 'UpgradeUrlSigLevel' or similar. Only to be complete, and from what I think I know, there are three basic ways to install a package: 1) locally from a file, 2) remotely from a URL, and 3) sync operation.
1) locally from a file (-U)
Either allow overriding the SigLevel from the command line (still my favorite), or allow to configure a different SigLevel for this operation only.
2) remotely from a URL (-U)
3) sync operation (-S)
The only way to override SigLevel is to change SigLevel in pacman.conf. No convenience options or overrides.
IMHO, this allows for the best usability for the casual AUR user while at the same time keeping the user from "doing stupid things".
OTOH, what I just said is inconsistent: We already allow different SigLevels for different repos, so we could treat case 1) and 2) like repositories - a virtual "-U local file" and "-U url" repository.
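The per-operation split discussed above is what the closing note refers to as "pacman.conf options added in 33b3b6d9". The fragment below is an added illustration written for this page, not text from the ticket or the commit; the option names LocalFileSigLevel and RemoteFileSigLevel are the ones pacman.conf(5) documents for that split, while the values and the repository section are chosen here for illustration. It contrasts the global workaround the report complains about with a configuration that keeps sync and URL installs strict.

```ini
# Illustrative pacman.conf fragment (constructed for this page, not from the ticket).

[options]
# The workaround the report describes: weakening the global level so that
# 'pacman -U ./locally-built.pkg.tar.xz' is accepted. This also stops -S from
# refusing unsigned packages from sync repositories, which is the real cost.
#SigLevel = Optional

# Keep the global level strict: every sync (-S) package must be signed by a
# trusted key; database signatures are checked if present but not demanded.
SigLevel = Required DatabaseOptional

# Level applied by -U to a local file (the "-U local file" case in the
# discussion above). Optional means: verify a signature when one exists,
# but do not refuse an unsigned package just built with makepkg.
LocalFileSigLevel = Optional

# Level applied by -U to a package fetched from a URL (the "-U url" case).
# Packages pulled over the network stay held to the same bar as -S.
RemoteFileSigLevel = Required

[core]
# Per-repository override, as already supported for sync repos: this repo
# additionally insists on a signed database.
SigLevel = Required
Include = /etc/pacman.d/mirrorlist
```

With this layout there is nothing to edit and revert around a local build, and a stray 'pacman -U https://…' does not inherit the relaxed local level.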