Closed jaimergp closed 2 months ago
Yeah, those logs were added because the signature verification was recently added in mamba
, but I agree that this is too much...
I will send a PR to fix this. Thanks for reporting :)
And IINM, the signature verification is only happening for the requested packages when enabling the verify-artifacts
flag.
In v2beta3 I'm seeing millions of lines like these in the CI logs:
I think it's printing one for each record found in the repodata, which I feel it's a bit too much. I wonder if we really need those? Maybe a summary would be enough: "Added XXXX package records to repo YYY. ZZZ/XXX are not signed and will be downloaded without verification".
This makes me wonder as well whether signature verification is happening for the whole repodata. This might be too much of an overhead, specially if we consider that we only need to verify the records that are part of the solution. Is it reasonable to defer?