Date: Sat, 11 Apr 2020 13:36:31 +0300
From: Andrey Savchenko
To: ALT Linux Team development discussions
Subject: Re: [devel] RFC: girar: optimize rebuild
Message-Id: <20200411133631.daac861f97979c67511cf3ef@altlinux.org>
In-Reply-To: <20200410231044.1436970-1-vseleznv@altlinux.org>

On Sat, 11 Apr 2020 02:10:42 +0300 Vladimir D. Seleznev wrote:
>
> Hi!
>
> The first part of rebuilt packages optimization for girar. It introduces
> pkg_identity() and simple optimization of the rebuilt sourcerpm.
>
> pkg_identity() takes RPM package and returns a value called package identity,
> a hash of subset of RPM package header. That subset is the entire header
> without some nonessential artifacts like buildhost, buildtime, header hashsum,
> etc.
>
> The two package builds of the same NEVR might have equal or different
> package identities.
> The equal identities mean that build results of these
> packages are equal too, that allows build optimization. The practical
> example of simple rebuilt sourcerpm optimization also introduced.
>
> The future work can be about optimization of "copied" to another branch
> sourcerpm with retrieved from archive sourcerpm, and binary packages
> optimization (this case has an issue when binary subpackages are mixed
> archs, i.e. arch and noarch, this probably could work only with single-arch
> builds).
>
> Please review and discuss.

I see two problems with the proposed approach:

1) It assumes there will be no pkg_identity hash collisions. This
is wrong. They may occur sooner or later and the code *must*
correctly deal with such collisions. Remember what happened to
subversion when a collision occurred in a repository, while git was
resilient.

The way the proposal is now, the identity hash collision will lead to
an undergraded repository at best and a broken one at worst. I see no easy
way to fix this problem, but it must be either fixed or the proposed
optimization rejected.

2) The hash function choice — sha256 — is very unfortunate: it has
a longer digest than sha1, but otherwise is vulnerable to the same
attack; so right now it is still marginally secure, but it will not
last long. Moreover, sha256 is quite slow.

It is better to use a newer generation of hash functions, e.g.
blake2b based on the chacha stream cipher. It is more future proof
and faster at the same time. You can just use the b2sum
implementation from the GNU coreutils.
Best regards,
Andrew Savchenko
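
The collision concern in point 1, shown as an added example that is not part of the original message and is not girar code: an identity lookup that reuses an earlier build only when the stored canonical header matches byte for byte, so a digest collision becomes a flagged miss instead of a wrong reuse. The tag names, the JSON serialization and the `IdentityStore` class are assumptions made for illustration; `pkg_identity()` here is a hypothetical stand-in using BLAKE2b from Python's `hashlib`.

```python
import hashlib
import json

# Assumption: header tags treated as nonessential build artifacts. The post
# names buildhost, buildtime and the header hashsum; tag names are illustrative.
NONESSENTIAL = {"buildhost", "buildtime", "sha1header"}


def canonical_header(header: dict) -> bytes:
    """Serialize the identity-relevant subset of a header deterministically."""
    kept = {k: v for k, v in header.items() if k.lower() not in NONESSENTIAL}
    return json.dumps(kept, sort_keys=True, separators=(",", ":")).encode()


def pkg_identity(header: dict, digest_size: int = 32) -> str:
    """BLAKE2b digest of the canonical header subset (hypothetical stand-in)."""
    canon = canonical_header(header)
    return hashlib.blake2b(canon, digest_size=digest_size).hexdigest()


class IdentityStore:
    """Maps identity -> earlier build results, verifying content on every hit."""

    def __init__(self, digest_size: int = 32):
        self.digest_size = digest_size
        self._entries = {}  # identity -> list of (canonical bytes, result)

    def add(self, header: dict, result: str) -> None:
        canon = canonical_header(header)
        ident = pkg_identity(header, self.digest_size)
        bucket = self._entries.setdefault(ident, [])
        if all(stored != canon for stored, _ in bucket):
            bucket.append((canon, result))

    def lookup(self, header: dict):
        """Return (result, collided). A digest match alone is never trusted."""
        canon = canonical_header(header)
        ident = pkg_identity(header, self.digest_size)
        bucket = self._entries.get(ident, [])
        for stored, result in bucket:
            if stored == canon:
                # Exact content match; report whether others share the digest.
                return result, len(bucket) > 1
        # Miss. collided=True means the digest matched but the content did not.
        return None, bool(bucket)
```

Passing a small `digest_size` (for example 1) makes collisions easy to produce, which is how the collision path can be exercised in a test.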