On Jul 5, 2016, at 10:24 AM, Robert Yang wrote:

> Hi,
>
> I'm using rpm 5.4.16, it seems that --nosignature has been disabled
> as system.h shows:
> #undef SUPPORT_NOSIGNATURES
>

Yes. YL;DR Change SUPPORT_NOSIGNATURES back to whatever you wish.

> So that rpm --nosignature doesn't work, and when many processes (for example,
> 30) of "rpm -qp --nosignature file.rpm" are running, there might be race
> issues since they are trying to get locks for the db, and they may hang up.
> I've made a rough patch to make --nosignature work, the processes can
> run well without hang up. Here is the patch, and I will send it formally
> if you are fine with it.
>

Um this isn't the right analysis.

First of all, all packages built by RPM5 have an included pubkey that is used to verify the package signature produced by rpmbuild.

Second, even if you have clobbered the rpmbuild signature by resigning *.rpm packages, there is exactly one retrieval per-pubkey from either an rpmdb or (if configured) an hkp:// server.

Third, why are there 30+ rpm invocations running? That likely should be fixed in whatever is triggering + rpm invocations.

Meanwhile, Berkeley DB should *easily* handle 30+ concurrent pubkey retrievals.

Of course opening an rpmdb is not exactly a lightweight operation, but the solution there is performance related, change whatever is invoking rpm 30+ times, likely by using the command line arguments intelligently.

>
> Subject: [PATCH] system.h/query.c: support nosignature
>
> * Define SUPPORT_NOSIGNATURES to 1 in system.h
> * !QVA_ISSET(qva->qva_flags, SIGNATURE) -> QVA_ISSET(qva->qva_flags,
> SIGNATURE),
> otherwise, when use --nosignature would read database and verify
> signature, this is not expected.
>
> Upstream-Status: Pending
>
> Signed-off-by: Robert Yang <liezhi.y...@windriver.com>
> ---
> lib/query.c | 6 +++---
> system.h | 4 ++--
> 2 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/lib/query.c b/lib/query.c
> index 50a7453..b761d76 100644
> --- a/lib/query.c
> +++ b/lib/query.c
> @@ -954,19 +954,19 @@ JBJDEBUG((stderr, "--> %s(%p,%p,%p)\n", __FUNCTION__, > ts, qva, argv)); > vsflags = (rpmVSFlags) rpmExpandNumeric("%{?_vsflags_query}"); > vsflags = (rpmVSFlags) 0; /* XXX FIXME: ignore default disablers. */ > #if defined(SUPPORT_NOSIGNATURES) > - if (!QVA_ISSET(qva->qva_flags, DIGEST)) { > + if (QVA_ISSET(qva->qva_flags, DIGEST)) { > VSF_SET(vsflags, NOSHA1HEADER); > VSF_SET(vsflags, NOMD5HEADER); > VSF_SET(vsflags, NOSHA1); > VSF_SET(vsflags, NOMD5); > } > - if (!QVA_ISSET(qva->qva_flags, SIGNATURE)) { > + if (QVA_ISSET(qva->qva_flags, SIGNATURE)) { > VSF_SET(vsflags, NODSAHEADER); > VSF_SET(vsflags, NORSAHEADER); > VSF_SET(vsflags, NODSA); > VSF_SET(vsflags, NORSA); > } > - if (!QVA_ISSET(qva->qva_flags, HDRCHK)) { > + if (QVA_ISSET(qva->qva_flags, HDRCHK)) { > VSF_SET(vsflags, NOHDRCHK); > } > VSF_CLR(vsflags, NEEDPAYLOAD); /* XXX needed? */

Hmmm ... why was the above needed?

Note that --verify flags are the negation of --query flags, that might explain why you are patching inverted logic into --query.

OTOH, it's possible that I screwed the logic with triple negation and masking on two modes of operation, wouldn't be the first time if so.

Meanwhile the code above has been "Known Good" for more than a decade, so I'm not sure why this patch is needed.

> diff --git a/system.h b/system.h
> index 2ff8906..ad4619a 100644
> --- a/system.h
> +++ b/system.h
> @@ -787,9 +787,9 @@ static inline const char *rcsid(const char *p) { > #define SUPPORT_I18NSTRING_TYPE 1 > > /** > - * Eliminate signature/digest disablers. > + * Signature/digest disablers. > */ > -#undef SUPPORT_NOSIGNATURES > +#define SUPPORT_NOSIGNATURES 1 > > /** > * Permit ar(1) payloads. Disabled while rpmio/iosm.c is under development. >

Note that all the code marked with "SUPPORT_NOSIGNATURES" is targeted for removal.

RPM5 has been producing MANDATORY signed packages for more than 5 years, so all packages produced by RPM5 SHOULD have both verifiable signatures/pubkeys included for many years now.

The "fix" for @rpm.org packages (which may not be signed) is the obvious

    rpm --addsign *.rpm

when/where needed.

Your alternative (of course) is to re-patch rpm to re-add --nosignatures as you wish: I will be happy to send you the needed patch when I remove all the SUPPORT_NOSIGNATURES code.

hth

73 de Jeff
______________________________________________________________________
RPM Package Manager http://rpm5.org
Developer Communication List rpm-devel@rpm5.org
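
Review bot: the three inverted tests in the lib/query.c hunk (`DIGEST`, `SIGNATURE`, `HDRCHK`) flip when the verification disablers are applied, yet the commit message only argues the `SIGNATURE` case and never states what a set bit in `qva->qva_flags` means in query mode. After the change, `NODSAHEADER`, `NORSAHEADER`, `NODSA` and `NORSA` are set whenever the `SIGNATURE` bit is set, so if that bit is set by default a plain `rpm -qp` would stop verifying signatures without `--nosignature` being given. Please show how the option sets or clears each bit, confirm that a query with no disabler options still verifies digests and signatures, and either justify the `DIGEST` and `HDRCHK` changes or drop them. The context line `vsflags = (rpmVSFlags) 0;` also discards the `%{?_vsflags_query}` value, which matters when testing the result.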
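
Review bot: `#define SUPPORT_NOSIGNATURES 1` in the system.h hunk turns on every block guarded by that macro, not only the query path touched in lib/query.c, and the new comment "Signature/digest disablers." does not say that defining it lets callers skip digest and signature verification. Expand the comment to state that effect and the intended default, and consider making this a build-time choice instead of changing the default in the header, since it widens what can bypass package verification.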