Arch Linux's Pacman 5.2 Released - Drops Support For Delta Packages, Adds Zstd Support
The Pacman 5.2 package manager for Arch Linux systems is now available with a variety of changes over earlier releases.
Pacman 5.2 notably drops support for delta packages -- the ability to download only what has changed between the current and new versions of packages. Delta packages/updates are supposed to save bandwidth and time by downloading only the "diff" between package versions, but ultimately the current implementation didn't work out well. Pacman's delta package handling yielded minimal bandwidth savings and it turned out to be a security hole.
Allan McRae explained the security problem, "Essentially, a malicious package database in combination with delta packages could run arbitrary commands on your system. This would be less of an issue if a certain Linux distro signed their package databases… Anyway, on balance I judged it better to remove this feature altogether. We may come back to this in the future with a different implementation, but I would not expect that any time soon."
Pacman 5.2 also supports downloading PGP keys using the Web Key Directory, is in the process of changing its build system from Autotools to Meson, and brings many other changes. Among the other changes is support for Zstd-compressed packages for Arch as well as Lzip and LZ4 compression support. B2sum has also been added as a new checksum algorithm.
More details on Pacman 5.2 via the release announcement.