Discussing the new feature in pacman.

Arch recently released version 4 of pacman, which brings in many new features and is the work of 24 contributors. One of the most notable is the transition to package signing and verification. While this has been a highly debated topic, it is a welcome addition, and it delivers a feature that many say they have been lacking for at least a couple of years. One main caveat is that it is not fully functional as of yet: when installing or upgrading to v.4, package signing is turned off by default until the developers finish working out the rest of the kinks. The controversy over package signing for the distribution has merit on both sides; what many seem to forget is that tarballs from upstream sources/mirrors are generally not signed, Gnome being one example, and it is not limited to them. repo-add is another great new feature that has been incorporated into this release, along with many fixes.

Those upgrading need to make sure to diff their pacman.conf and pacman.conf.pacnew files and incorporate the changes accordingly. Once you are finished installing the upgrade it will suggest you run pacman-key --init to set up the keyring; you can do this even if you are not transitioning fully to package signing and are waiting on its completion. They have also put up a script to help with importing the required keys, https://wiki.archlinux.org/index.php/Pacman-key#Script_to_add_the_required_PGP_keys. Users of yaourt and package-query will need to remove those two packages first to avoid complications in the upgrade; I personally use packer for my wrapper and had no issues while upgrading.
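To make the config-merge step above concrete, here is an added shell example (not from the original post or from the pacman project) that builds three constructed pacman.conf-style files in a temp directory, diffs the old config against its .pacnew the way an upgrader would, and reports whether the global SigLevel in the [options] section leaves signature verification disabled, optional or enforced. The SigLevel keyword and the Never / Optional / Required values are real pacman 4 options; the sample file contents, the temp paths and the helper names siglevel_of and siglevel_status are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not pacman's own code. Sample config contents below are
# constructed for illustration; only the SigLevel option names are real.

WORK=$(mktemp -d)
OLD_CONF="$WORK/pacman.conf"            # pre-4.0 config: no SigLevel at all
NEW_CONF="$WORK/pacman.conf.pacnew"     # shipped 4.0 config: signing off
HARD_CONF="$WORK/pacman.conf.hardened"  # what an admin might merge towards

cat > "$OLD_CONF" <<'EOF'
[options]
HoldPkg     = pacman glibc
Architecture = auto

[core]
Include = /etc/pacman.d/mirrorlist
EOF

cat > "$NEW_CONF" <<'EOF'
[options]
HoldPkg     = pacman glibc
Architecture = auto
# Signature checking is disabled in this constructed sample
SigLevel = Never

[core]
Include = /etc/pacman.d/mirrorlist
EOF

cat > "$HARD_CONF" <<'EOF'
[options]
HoldPkg     = pacman glibc
Architecture = auto
SigLevel = Required DatabaseOptional

[core]
Include = /etc/pacman.d/mirrorlist
EOF

# Print the first uncommented "SigLevel = ..." value found inside the
# [options] section of the given file, or "unset" if there is none.
siglevel_of() {
    awk -F'=' '
        /^[[:space:]]*\[/ { insect = ($0 ~ /^\[options\]/); next }
        insect && /^[[:space:]]*SigLevel[[:space:]]*=/ {
            v = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            print v; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Classify the effective setting: "Never" anywhere wins, since it turns
# verification off regardless of the other keywords on the line.
siglevel_status() {
    lvl=$(siglevel_of "$1")
    case "$lvl" in
        *Never*)    echo "disabled" ;;
        *Required*) echo "enforced" ;;
        *Optional*) echo "optional" ;;
        unset)      echo "unset" ;;
        *)          echo "unknown" ;;
    esac
}

# The merge step an upgrader performs: see what the .pacnew changed.
echo "== diff pacman.conf pacman.conf.pacnew =="
diff -u "$OLD_CONF" "$NEW_CONF" || true

for f in "$OLD_CONF" "$NEW_CONF" "$HARD_CONF"; do
    echo "$(basename "$f"): SigLevel=$(siglevel_of "$f") -> $(siglevel_status "$f")"
done
```

Running it shows the .pacnew adds a SigLevel = Never line, i.e. merging it verbatim keeps verification off, while the hardened variant reports "enforced"; the classifier only reads [options], so per-repository overrides in [core] or [extra] are deliberately out of scope.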

The wiki has been updated accordingly and Allan McRae has a 4 part series on the new feature set, http://allanmcrae.com/2011/08/pacman-package-signing-1-makepkg-and-repo-add/. Therefore, if one of the main reasons you have been avoiding Arch is that this feature was missing from the OS, you may want to take another look at one of the top rolling release distributions out there, with what in my opinion is the best package manager. Now new and old users alike can feel more secure in verifying their packages, no matter which side you were on.

