On Mon, 2011-02-14 at 19:40 +0200, Panu Matilainen wrote:
> On 02/14/2011 07:07 PM, James Antill wrote:
> > On Mon, 2011-02-14 at 18:37 +0200, Panu Matilainen wrote:
> >> Spotted while looking at something related: commit
> >> e95f16d8342bc4dcdfde6b8858a8704bc4c1bdf8 causes yum to hold the rpmdb
> >> open throughout the remaining package downloads after first signature
> >> check happens. Which won't exactly help catching ctrl-c in timely manner...
> >
> > Blah. We should have thought of that, of course it doesn't help
> > that C-c has been semi-broken for a while now (and it won't trigger on
> > rawhide due to no sig checks -- AFAIK this code is only in rawhide, or
> > the rawhide rebuild repos).
> >
> >> Perhaps the simplest bandaid would be adding an optional argument
> >> sigCheckPkg() to automatically nuke the ts after checking and use it for
> >> the call from within downloadPkgs(). The downside of this is that it'll
> >> cause a bunch of rpmdb re-re-re-opens, depending on the number of repos
> >> and their config. There's no helping that with rpm 4.4.x, but with >=
> >> 4.6.x rpm doesn't actually need the database for signature checking, it
> >> uses an in-memory keyring which is only initially populated from the
> >> database.
> >
> > Yeh, it's probably not worth it ... no sane person has more than 10
> > repos. which downloaded packages have come from, so I bet it's just
> > noise even in 4.4.x (and this feature is unlikely to get into RHEL-5
> > anyway).
> >
> > Another thought, given that, how bad is it to just always nuke the ts on
> > 4.6.x+?
>
> You certainly don't want to nuke the entire ts for each individual
> signature check, as it'd result in rpmdb open+close for every single
> package in the transaction. Once per-repo would be "bad enough" (if
> bearable) already, especially since it's technically completely unnecessary.
>
> Basically the trick with newer rpms is to keep the actual ts, but just
> call ts.closeDB() on it once the keyring is loaded. No rocket science,
> I'm just trying to figure out how best fit it into the yum ecosystem.
>
/me adds another item in favor of detached sigs and/or x509 sigs instead of going through rpm for all of it.

-sv
