Change conda-content-trust from pre-solve to post-solve #11545
Is there any info on how much the process will be sped up?
@LtDan33, @awwad did some super rough testing a few weeks ago using
We see that with post-solve and sig verification disabled a slight slowdown occurred. This is likely due to the deepcopy (which can be addressed with changes to CCT itself) that I had to add but overall we see a good speedup from the pre-solve to post-solve.
[ | ||
signature_verification(self), | ||
], |
This can be refactored pretty nicely (in the future) using the plugin framework:
```python
@conda.plugins.register
def conda_metadata():
    return signature_verification
```
[ | |
signature_verification(self), | |
], | |
pm.hook.conda_metadata(), |
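Review bot: the suggested `pm.hook.conda_metadata()` line is not a drop-in for the list it replaces. The list holds `signature_verification(self)`, while the hook implementation proposed above returns `signature_verification` uncalled, so the call site would have to invoke each returned item with `self`, or the hook would have to accept that argument. It is worth settling which before the refactor and documenting what a `conda_metadata` hook is expected to return.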
Performance is good now. Will share times later. Code looks good to me. Basic happy path tests are good. Still doing manual testing due to missing tests in conda. Ken, how do you feel about a feature branch for this? I'd approve this PR for a feature branch, but it can't get released without more testing. (TBC, this can still be manual testing for now, and I'm still working on that.)
It's still looking for an fn and signatures in this line, which are no longer arguments. Note that this function is now fed only one record, so it is now implicit that the record is the correct one. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
as Ken suggested. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
Description
In an effort to speed up package signature verification we move the verification process to occur after solving. This way only the packages included in the transaction are validated (tens of packages, not thousands).
A secondary goal was to move even more of the signature verification logic into conda-content-trust itself. This is in preparation for making this a conda plugin once the framework is available (#11435). With this change, conda knows/cares even less about what and how signature verification happens.
Depends on #11646
Resolves #11154
See conda/conda-content-trust#29
Checklist - did you ...
news directory (using the template) for the next release's release notes?
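The ordering change the description explains, as an added example that is not code from this PR, conda, or conda-content-trust: verifying after the solve checks only the records in the transaction. The index, the `solve` stub, the HMAC stand-in for the real signature check, and the fail-closed policy are all assumptions of the example.

```python
import hashlib
import hmac
import json

# Constructed stand-in key; HMAC replaces the real public-key signature check.
KEY = b"constructed-demo-key"


def sign(record):
    """Sign the canonical JSON of a record's metadata (stand-in scheme)."""
    payload = json.dumps(record["meta"], sort_keys=True).encode()
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()


def verify(record, counter):
    """Check one record's signature, counting how many checks were made."""
    counter["checks"] += 1
    return hmac.compare_digest(sign(record), record.get("sig", ""))


def build_index(n):
    """Constructed channel index: n signed records named pkg0..pkg{n-1}."""
    index = {}
    for i in range(n):
        rec = {"meta": {"name": f"pkg{i}", "version": "1.0", "sha256": f"{i:064x}"}}
        rec["sig"] = sign(rec)
        index[rec["meta"]["name"]] = rec
    return index


def solve(index, wanted):
    """Hypothetical solver: just picks the requested names from the index."""
    return [index[name] for name in wanted]


def install_pre_solve(index, wanted):
    """Old order: verify every record in the index, then solve."""
    counter = {"checks": 0}
    trusted = {k: r for k, r in index.items() if verify(r, counter)}
    return solve(trusted, wanted), counter["checks"]


def install_post_solve(index, wanted):
    """New order: solve first, then verify only the transaction; fail closed."""
    counter = {"checks": 0}
    transaction = solve(index, wanted)
    bad = [r["meta"]["name"] for r in transaction if not verify(r, counter)]
    if bad:
        raise ValueError(f"signature check failed, nothing installed: {bad}")
    return transaction, counter["checks"]
```

In this ordering, records that never reach the transaction are never checked, so the solver's input is unverified metadata.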