[Rpm-maint] Feature request: Improved speed for 'rpm -qa'

James Olin Oden james.oden at gmail.com
Tue Dec 19 21:09:51 UTC 2006


On 12/19/06, Axel Liljencrantz <liljencrantz at gmail.com> wrote:
> On 12/19/06, James Olin Oden <james.oden at gmail.com> wrote:
> > <snip>
> >
> > > Even on my 300 MHz system, it only takes about 0.02 seconds. Is there
> > > any chance that regular rpm could be made this fast, or is this too
> > > much of a hack to include there? I don't think that bundling a special
> > > command for querying the rpm database together with a general purpose
> > > OS agnostic commandline shell is the proper way to do this...
> > >
> > > By the way, why is this a hack? Is the index not updated when an entry
> > > is removed or something? If not, indexes are there to be used!
> > >
> >
> > I think the main thing you have to ask is why did some customers want
> > every header whether it be in a package or database to always have its
> > signature verified?  Did they see something we do not?
> >
> > I always thought that it was enough to check the header at install
> > time when it was being inserted into the DB, but now I can see why one
> > might want to do this check even on queries, as a query is often used
> > as input into some larger process.  The person running the "process"
> > may have all authority to do what they are going to do based on the
> > inputs from the rpm DB, and have no malicious intent, but rogue data
> > may make them do something they would not have otherwise done.
> >
> > Security is always a trade off with something else, though.  I'm just
> > trying to make sure everyone is considering that the way rpm works now
> > was driven by someones customers somewhere.
>
> Your arguments make sense, security by default is the right thing. I
> would note that hiding unsigned packages could be used to hide the
> existance of an 'evil' package, but that is a topic for a different
> discussion.
>
> What a shell needs for tab completions is a list of _all_ installed
> packages, even unsigned/b0rked/evil ones. Actually, the user is _more_
> likely to want to deal with one of those rouge packages, so they are
> extra important to include in the completion list. And for an
> interactive shell, it is very important for the list to be generated
> quickly, verifying each signature seems to take far too much time.
>
> So the added security is actually bad in two separate ways when it
> comes to tab completions.  I would argue that since command specific
> tab completions are becoming more and more common, it makes lots of
> sense for rpm to be 'completion friendly', though as a shell developer
> I may be biased.
>
> It would be fine with me if the current interface was kept, but an
> additional switch was added which makes things go really fast.
>
Agreed.   As it is, and I think its been mentioned, you can turn off
the digest checking both within the API and on the CLI (--nodigests),
and this should speed things up immensely.

Is there something else your looking for?

Cheers...james



More information about the Rpm-maint mailing list