RPM Community Forums

Mailing List Message of <rpm-users>

Re: rpm -qa performance with GPG key(s) installed in the DB

From: Joshua Burns <joshuaburns@yahoo.com>
Date: Fri 04 Dec 2009 - 22:50:10 CET
Message-ID: <354107.49361.qm@web52906.mail.re2.yahoo.com>
Hi Jeff, thanks for the information. 

openssl is significantly faster and should make performance a non-issue. 

I noticed in earlier posts that you were contemplating or had planned on creating a macro for --usecrypto - does a macro for this option exist currently in 5.1.9? 

73 de Josh

--- On Mon, 11/30/09, Jeff Johnson <n3npq@mac.com> wrote:

From: Jeff Johnson <n3npq@mac.com>
Subject: Re: rpm -qa performance with GPG key(s) installed in the DB
To: rpm-users@rpm5.org
Date: Monday, November 30, 2009, 5:59 PM

On Nov 30, 2009, at 5:17 PM, Joshua Burns wrote:

Just got rpm 5.1.9 compiled on Solaris, and have noticed that, after GPG keys are installed in the RPM database, "rpm -qa" performance slows noticeably. Cryptosignatures are a key element of our plans for packaging, so forgoing them would be a pretty big issue. 

Any thoughts? 

The terms "key element" and "forgoing" seem to be at odds with each other.
I'm not sure whether you want fast crypto or no crypto.
So here's both answers, as well as the "development" answer:
FAST CRYPTO
============

rpm has _THREE_ crypto implementations (if built that way):
	BeeCrypt
	NSS
	OpenSSL
They are selectable with
	--usecrypto bc
	--usecrypto nss
	--usecrypto openssl
RPM is also instrumented with its own benchmarking using --stats.
Build, measure, use fastest.
For extra credit, try using callgrind. BeeCrypt is 10-15% faster.

NO CRYPTO
===========
Otherwise, one can disable signature/digest checking persistently on rpm -qa using

#       Verify digest/signature flags for various rpm modes:
#       0x30300 (_RPMVSF_NODIGESTS)    --nohdrchk      if set, don't check digest(s)
#       0xc0c00 (_RPMVSF_NOSIGNATURES) --nosignature   if set, don't check signature(s)
#       0xf0000 (_RPMVSF_NOPAYLOAD)    --nolegacy      if set, check header+payload (if possible)
#       0x00f00 (_RPMVSF_NOHEADER)     --nohdrchk      if set, don't check rpmdb headers
#
#       For example, the value 0xf0c00 (=0xf0000+0xc0c00) disables legacy
#       digest/signature checking, disables signature checking, but attempts
#       digest checking, also when retrieving headers from the database.
#
#       The checking overhead was ~11ms per header for digests/signatures on
#       a 600 Mhz Dell SMP server circa 1998.
#
#       Each header from the database is checked only when first encountered
#       for each database open.
#
#       Note: the %_vsflags_erase applies to --upgrade/--freshen modes as
#       well as --erase.
#
%__vsflags              0xf0000
%_vsflags_build         %{__vsflags}
%_vsflags_erase         %{__vsflags}
%_vsflags_install       %{__vsflags}
%_vsflags_query         %{__vsflags}
%_vsflags_rebuilddb     %{__vsflags}
%_vsflags_verify        %{__vsflags}

NO CRYPTO NEEDED
==================
Note that rpm on cvs HEAD no longer bothers with digest/signature checks on rpmdb Headers. It's kinda pointless to verify memory that is PROT_READ protected using mmap(2) (as on cvs HEAD).
The signature needs to be verified only when installing.
So far rpm -qa is merely 3x faster:
     $ /usr/bin/time rpm -qa > /dev/null
     0.00user 0.58system 0:00.66elapsed 88%CPU (0avgtext+0avgdata 0maxresident)k
     0inputs+0outputs (0major+63810minor)pagefaults 0swaps
And I expect faster yet when headerLoad() is eliminated, and rpm -qa reads installed package names solely from an rpmdb table.
Note that Berkeley DB will do sha1 digest checking if one _REALLY_ needs that level of integrity checking on data elements.
73 de Jeff


Received on Fri Dec 4 22:50:28 2009
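
Added example, not part of the original message or of the rpm sources: a shell decoder for the %_vsflags values described in the quoted macros comment, useful for checking which verification a configured value switches off. It assumes the masks combine by bitwise OR, as the message's own value 0xf0c00 implies; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decode a %_vsflags value against the four masks quoted in
# the message. Assumption: masks combine by bitwise OR (they overlap, so an
# arithmetic sum of 0xf0000 and 0xc0c00 would not give 0xf0c00).

# classify VALUE MASK -> prints "all", "some" or "none" of MASK's bits set
classify() {
    hit=$(( $1 & $2 ))
    if [ "$hit" -eq "$(( $2 ))" ]; then echo all
    elif [ "$hit" -ne 0 ]; then echo some
    else echo none
    fi
}

# decode_vsflags VALUE -> one NAME=state line per mask, then bits outside them
decode_vsflags() {
    v=$(( $1 ))
    echo "_RPMVSF_NODIGESTS=$(classify "$v" 0x30300)"
    echo "_RPMVSF_NOSIGNATURES=$(classify "$v" 0xc0c00)"
    echo "_RPMVSF_NOPAYLOAD=$(classify "$v" 0xf0000)"
    echo "_RPMVSF_NOHEADER=$(classify "$v" 0x00f00)"
    # 0xf0f00 is the union of the four masks above
    printf 'other_bits=0x%x\n' "$(( v & ~0xf0f00 ))"
}

# signatures_disabled VALUE -> exit status 0 when every signature bit is set
signatures_disabled() {
    [ "$(classify "$(( $1 ))" 0xc0c00)" = all ]
}

# Constructed inputs: the quoted macro default and the message's worked value.
for value in 0xf0000 0xf0c00; do
    echo "== $value"
    decode_vsflags "$value"
done
```

On a host, the value to decode can be read with `rpm --eval '%{_vsflags_query}'` (or any of the other %_vsflags_* macros listed above).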