You are not logged in.

#1 2024-07-09 13:26:36

stolab
Member
Registered: 2024-07-09
Posts: 3

Pacman default package signature check

Hi,
I'm currently reading about pacman and checking more specifically how the package signature is checked.
From what I understood, by default pacman use the optional SigLevel option which means package with a signature will be checked and the signature should be valid but packages without signature will be installed as well.
However when installing arch, the /etc/pacman.conf is by default generated and overwrite this default behavior with the line

 SigLevel    = Required DatabaseOptional 

Why not by default require the signature instead of enforcing it in the config file ? Is it a specific design choice ?

Offline

#2 2024-07-09 13:32:39

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,891
Website

Re: Pacman default package signature check

I've never really understood this variety of question: when there are different options that will satisfy different target audiences one must be selected as a default.  Whichever one is chosen, some people could ask "why this setting instead of the other".

The pacman.conf for arch linux requires signatures because all of our main repo packages are signed, so we can benefit from the added security requirement.


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Online

#3 2024-07-09 13:41:36

stolab
Member
Registered: 2024-07-09
Posts: 3

Re: Pacman default package signature check

I'm not judging the choice I was just wondering if there was any reason I couldn't think of (performance, security, whatever).
That's indeed primordial to benefit from the added security requirement.

Thanks for your answer

Offline

#4 2024-07-09 13:55:01

seth
Member
Registered: 2012-09-03
Posts: 54,422

Re: Pacman default package signature check

I can reason it, but don't know whether that's the actual background.

libalpm started out w/o any package signing support and when that was added it was therefore defaulted to optional to maintain backward compatibility (libalpm is not exclusively used by arch) but the arch configs of course take advantage of the distros support.

Offline

#5 2024-07-10 07:50:02

stolab
Member
Registered: 2024-07-09
Posts: 3

Re: Pacman default package signature check

oooh okay sense for the backward compatibility indeed.

Thanks for your answer seth !

Offline

Board footer

Powered by FluxBB