FS#48645 - Downgrade via -U of cached packages and LocalFileSigLevel inconsistent?

Attached to Project: Pacman
Opened by Lex Black (TrialnError) - Sunday, 20 March 2016, 16:09 GMT
Last edited by Allan McRae (Allan) - Monday, 21 March 2016, 03:50 GMT
Task Type: General Gripe
Category: General
Status: Closed
Assigned To: No-one
Architecture: All
Severity: Low
Priority: Normal
Reported Version: 5.0.1
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

I noticed the following behaviour when I downgraded a repo package with -U from the local pacman cache (/var/cache/pacman/pkg) and LocalFileSigLevel set to Required.
When downgrading a package it will fail because of the missing signature file. Technically this is right, but as this was a package from the repo (signed with a packager key) shouldn't it work like it works with -S?
And it kinda looks like, after setting LocalFileSigLevel to optional, that the package and the key are checked, but dunno how to check what happens if the key isn't valid.

So I'm wondering if I'm overlooking some aspects which require this strict behaviour against outdated repo packages, or if the -U behaviour could be adjusted.

Closed by Allan McRae (Allan)
Monday, 21 March 2016, 03:50 GMT
Reason for closing: Not a bug

Comment by Andrew Gregory (andrewgregory) - Sunday, 20 March 2016, 22:23 GMT
pacman has no way of knowing that a package in your cache is from a repo, nor does it have a signature for the file. -U is doing exactly what it should. If you were to download the signature file to your cache as well, pacman would happily validate it for you.
Comment by Lex Black (TrialnError) - Monday, 21 March 2016, 02:17 GMT
Ok, so -S has significantly different behaviour in that case.
And if it's possible to get the repo signature files I will probably do that. Shouldn't be that complicated.

Thanks for the intel and I suppose this can be closed.
Comment by Allan McRae (Allan) - Monday, 21 March 2016, 03:50 GMT
There is a request to store signature files with downloaded packages that would "fix" this. FS#33091
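
The check discussed in the comments above, as an added example that is not part of the original thread or of pacman itself: it lists which cached package files have a detached `<package>.sig` beside them (what `-U` needs when `LocalFileSigLevel` is `Required`) and then verifies the ones that do. The function names and the `PKG_VERIFY` override are hypothetical; the default verifier is `pacman-key --verify`.

```shell
#!/bin/sh
# Added example: audit a pacman package cache for detached signatures.
# Assumptions: function names and PKG_VERIFY are hypothetical helpers; the
# default directory is the cache path named in the report.

# Print "has-sig <file>" or "no-sig <file>" for every cached package.
# A package counts as "has-sig" only if a non-empty <file>.sig sits beside it.
audit_cache() {
    dir=${1:-/var/cache/pacman/pkg}
    for pkg in "$dir"/*.pkg.tar*; do
        [ -f "$pkg" ] || continue            # unmatched glob or not a file
        case $pkg in
            *.sig|*.part) continue ;;        # signatures, partial downloads
        esac
        if [ -s "$pkg.sig" ]; then
            printf 'has-sig %s\n' "${pkg##*/}"
        else
            printf 'no-sig %s\n' "${pkg##*/}"
        fi
    done
}

# Number of cached packages that have no usable signature file.
count_unsigned() {
    audit_cache "$1" | awk '$1 == "no-sig" { n++ } END { print n + 0 }'
}

# Verify each signature that is present and print "valid <file>" or
# "INVALID <file>". A present .sig proves nothing until it is verified
# against the pacman keyring, so presence and validity are reported apart.
verify_signed() {
    vdir=${1:-/var/cache/pacman/pkg}
    audit_cache "$vdir" | while read -r state name; do
        [ "$state" = has-sig ] || continue
        if ${PKG_VERIFY:-pacman-key --verify} "$vdir/$name.sig" \
               </dev/null >/dev/null 2>&1
        then printf 'valid %s\n' "$name"
        else printf 'INVALID %s\n' "$name"
        fi
    done
}
```

Source the file and call `audit_cache` or `verify_signed` with a cache directory; with no argument both use `/var/cache/pacman/pkg`.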
