On Nov 30, 2009, at 5:17 PM, Joshua Burns wrote:
> Just got rpm 5.1.9 compiled on Solaris, and have noticed that, after GPG keys are installed in the RPM database, "rpm -qa" performance slows noticeably. Cryptosignatures are a key element of our plans for packaging, so forgoing them would be a pretty big issue.
> Any thoughts?
The terms "key element" and "forgoing" seem to be at odds with each other.
I'm not sure whether you want fast crypto or no crypto.
So here's both answers, as well as the "development" answer:
rpm has _THREE_ crypto implementations (if built that way):
They are selectable with
RPM is also instrumented with its own benchmarking using --stats.
Build, measure, use fastest.
For extra credit, try using callgrind. BeeCrypt is 10-15% faster.
Otherwise, one can disable signature/digest checking persistently on rpm -qa using
Verify digest/signature flags for various rpm modes:
# 0x30300 (_RPMVSF_NODIGESTS) --nohdrchk if set, don't check digest(s)
# 0xc0c00 (_RPMVSF_NOSIGNATURES) --nosignature if set, don't check signature(s)
# 0xf0000 (_RPMVSF_NOPAYLOAD) --nolegacy if set, check header+payload (if possible)
# 0x00f00 (_RPMVSF_NOHEADER) --nohdrchk if set, don't check rpmdb headers
# For example, the value 0xf0c00 (=0xf0000+0xc0c00) disables legacy
# digest/signature checking, disables signature checking, but attempts
# digest checking, also when retrieving headers from the database.
# The checking overhead was ~11ms per header for digests/signatures on
# a 600 Mhz Dell SMP server circa 1998.
# Each header from the database is checked only when first encountered
# for each database open.
# Note: the %_vsflags_erase applies to --upgrade/--freshen modes as
# well as --erase.
NO CRYPTO NEEDED
Note that rpm on cvs HEAD no longer bothers with digest/signature checks
on rpmdb Headers. It's kinda pointless to verify memory that is PROT_READ
protected using mmap(2) (as on cvs HEAD).
The signature needs to be verified only when installing.
So far rpm -qa is merely 3x faster:
$ /usr/bin/time rpm -qa > /dev/null
0.00user 0.58system 0:00.66elapsed 88%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+63810minor)pagefaults 0swaps
And I expect faster yet when headerLoad() is eliminated, and rpm -qa reads installed
package names solely from an rpmdb table.
Note that Berkeley DB will do sha1 digest checking if one _REALLY_
needs that level of integrity checking on data elements.
73 de Jeff
Received on Mon Nov 30 23:59:40 2009
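
Added example (not part of the original message and not rpm's own code): a small auditor that decodes %_vsflags values against the four group masks quoted above and flags any mode whose value turns signature checking off. The groups share bits, so values combine by bitwise OR; the macro names other than %_vsflags_erase and the sample macro lines are assumptions constructed for illustration.

```python
import re

# Group masks exactly as listed in the macros comments quoted in the message.
VSF_GROUPS = {
    "_RPMVSF_NODIGESTS": 0x30300,
    "_RPMVSF_NOSIGNATURES": 0xC0C00,
    "_RPMVSF_NOPAYLOAD": 0xF0000,
    "_RPMVSF_NOHEADER": 0x00F00,
}

# Matches "%_vsflags_<mode> <literal>". Definitions whose value is another
# macro (e.g. "%{...}") are skipped: this sketch does not expand macros.
MACRO_RE = re.compile(r"^\s*(%_vsflags\w*)\s+(0[xX][0-9a-fA-F]+|0|[1-9]\d*)\s*$")


def decode_vsflags(value):
    """Return the group names whose bits are ALL set in value."""
    return [name for name, mask in VSF_GROUPS.items() if value & mask == mask]


def audit_macros(text):
    """Return (macro, value, groups, signatures_disabled) per literal line."""
    findings = []
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if not m:
            continue
        value = int(m.group(2), 0)
        groups = decode_vsflags(value)
        findings.append(
            (m.group(1), value, groups, "_RPMVSF_NOSIGNATURES" in groups)
        )
    return findings


# Constructed sample; only %_vsflags_erase is named in the message above,
# the other two macro names are assumed for illustration.
SAMPLE = """\
%_vsflags_erase 0xf0c00
%_vsflags_query 0x30300
%_vsflags_install 0
"""

if __name__ == "__main__":
    for macro, value, groups, nosig in audit_macros(SAMPLE):
        status = "SIGNATURES DISABLED" if nosig else "signatures checked"
        print(f"{macro:20} {value:#08x} {status:20} {', '.join(groups) or '-'}")
```
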