Sisyphus v7: Advanced Security & Parallel Infrastructure

Greetings!

I am pleased to announce Sisyphus reached version 7 and is a major overhaul of our package management infrastructure. This update moves Sisyphus toward a more autonomous, high-performance model with a focus on cryptographic authenticity across the entire supply chain.

Security: Detached Signature Verification

While we previously relied on MD5 checksums and file-size validation for integrity, 7.0.0 introduces native cryptographic signature verification.

Full Metadata & Binary Trust: We now sign both the binary packages and the repository indices. This ensures that not only is the software authentic, but the list of available packages hasn't been manipulated.
Security by Isolation: Our signing keys are kept strictly outside the build environment. This isolation ensures that even if a build server is compromised, malicious packages cannot be signed.
Detached Architecture: We use detached signatures rather than embedding them. This allows Sisyphus to verify the package as an immutable blob before parsing the archive. It is more secure and significantly faster—capable of validating hundreds of packages in seconds.
Multithreaded: The verification process is multithreaded to avoid bottlenecks during large system updates.
Branch Logic: Enabled by default on master, disabled on next for testing/development.
User Control: The --verifysig and --no-verifysig options allow you to toggle this behavior, overriding branch defaults when necessary.

Custom Multithreaded Downloader

The requirement for signature handling led to a complete rewrite of the downloading backend. We have replaced the reliable but sequential Portage-based fetching workflow with a custom, multithreaded downloader.

Concurrency: Packages, indices, and signatures are now fetched in parallel in both the CLI and GUI.
Connection Pooling: By utilizing persistent requests.Session() objects, we eliminate redundant TCP handshakes, drastically reducing latency across multi-package downloads.
Idempotency: The downloader remains "smart"—it skips files already present in the local cache to save bandwidth and time.
Performance Benchmark: In internal testing with a batch of 100 large packages, the new multithreaded architecture improved total download time by 400% compared to the previous sequential implementation. Note that these gains are even more pronounced with smaller packages, where the overhead of sequential operations was previously the primary bottleneck.

Mirror Management: BINREPOS

In alignment with upstream Gentoo, we are transitioning from the deprecated PORTAGE_BINHOST to the BINREPOS standard via our updated mirror API.

Branch-Awareness: The API now enforces branch parity. It automatically selects testing mirrors for the next branch and stable for master, overriding conflicting manual selections to ensure system stability.
Backend Cleanup: Since the branch-aware logic ensures a "sane" environment by design, we’ve removed several redundant sanity checks to keep the code lean.
Transition: PORTAGE_BINHOST remains supported for now to ease the migration.

UX Improvements

CLI: The search now provides passive suggestions instead of intrusive interactive prompts.
GUI: Updated for the new API. The kill-timer is now increased to 15 seconds to ensure stability during intensive verification tasks.

[!CAUTION] Breaking Change: Sisyphus v7 is not compatible with v6 versions. The backend and the Qt client must be updated simultaneously.