mamba-org / mamba

The Fast Cross-Platform Package Manager
https://mamba.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Too many debug lines for signature verification #3328

Closed jaimergp closed 2 months ago

jaimergp commented 3 months ago

In v2beta3 I'm seeing millions of lines like these in the CI logs:

debug    libmamba No signatures available for '21cmfast-3.3.1-py310h19eaa8d_0.conda'. Downloading without verifying artifacts.
debug    libmamba Adding package record to repo 21cmfast-3.3.1-py310h19eaa8d_0.conda
debug    libmamba No signatures available for '21cmfast-3.3.1-py310h19eaa8d_1.conda'. Downloading without verifying artifacts.
debug    libmamba Adding package record to repo 21cmfast-3.3.1-py310h19eaa8d_1.conda
debug    libmamba No signatures available for '21cmfast-3.3.1-py311hc701e3d_0.conda'. Downloading without verifying artifacts.
debug    libmamba Adding package record to repo 21cmfast-3.3.1-py311hc701e3d_0.conda
debug    libmamba No signatures available for '21cmfast-3.3.1-py311hc701e3d_1.conda'. Downloading without verifying artifacts.
debug    libmamba Adding package record to repo 21cmfast-3.3.1-py311hc701e3d_1.conda
debug    libmamba No signatures available for '21cmfast-3.3.1-py38h0db86a8_0.conda'. Downloading without verifying artifacts.
debug    libmamba Adding package record to repo 21cmfast-3.3.1-py38h0db86a8_0.conda
debug    libmamba No signatures available for '21cmfast-3.3.1-py38h0db86a8_1.conda'. Downloading without verifying artifacts.
debug    libmamba Adding package record to repo 21cmfast-3.3.1-py38h0db86a8_1.conda
debug    libmamba No signatures available for '21cmfast-3.3.1-py39h72d3284_0.conda'. Downloading without verifying artifacts.
debug    libmamba Adding package record to repo 21cmfast-3.3.1-py39h72d3284_0.conda
debug    libmamba No signatures available for '21cmfast-3.3.1-py39h72d3284_1.conda'. Downloading without verifying artifacts.
debug    libmamba Adding package record to repo 21cmfast-3.3.1-py39h72d3284_1.conda

I think it's printing one for each record found in the repodata, which I feel is a bit too much. I wonder if we really need those? Maybe a summary would be enough: "Added XXXX package records to repo YYY. ZZZ/XXX are not signed and will be downloaded without verification".

This makes me wonder as well whether signature verification is happening for the whole repodata. This might be too much of an overhead, especially if we consider that we only need to verify the records that are part of the solution. Is it reasonable to defer?
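As an added illustration (not code from the mamba project or from either commenter), the script below condenses the per-record debug lines quoted above into the kind of summary proposed in the comment. It parses the two libmamba message formats shown in the issue, counts how many package records were added and how many of them were flagged as having no signatures, and emits one "Added N package records ... M/N are not signed" line. The log lines do not carry a repository name, so the `repo` argument and the sample log (two lines taken from the issue plus constructed lines) are assumptions; the regexes match only the exact wording visible in the issue.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterable

# The two libmamba debug messages quoted in the issue. Anchored so that
# unrelated log lines (other levels, other components) are ignored.
UNSIGNED_RE = re.compile(
    r"^debug\s+libmamba No signatures available for '(?P<pkg>[^']+)'\. "
    r"Downloading without verifying artifacts\.$"
)
ADDED_RE = re.compile(
    r"^debug\s+libmamba Adding package record to repo (?P<pkg>\S+)$"
)


@dataclass
class Summary:
    added: int = 0                       # records added to the repo
    unsigned: set = field(default_factory=set)        # added records with no signature
    orphan_unsigned: set = field(default_factory=set) # flagged unsigned but never added

    def summary_line(self, repo: str = "<unknown-repo>") -> str:
        """One-line replacement for the per-record debug output."""
        return (
            f"Added {self.added} package records to repo {repo}. "
            f"{len(self.unsigned)}/{self.added} are not signed and will be "
            f"downloaded without verification"
        )


def summarize(lines: Iterable[str]) -> Summary:
    """Fold a stream of libmamba debug lines into a Summary.

    A record counts as unsigned only if its 'No signatures available' line
    is followed by its 'Adding package record' line; a flag with no matching
    add is kept separately so the caller can spot inconsistent logs.
    """
    summary = Summary()
    pending: set = set()  # packages flagged unsigned, waiting for their add line
    for line in lines:
        m = UNSIGNED_RE.match(line)
        if m:
            pending.add(m.group("pkg"))
            continue
        m = ADDED_RE.match(line)
        if m:
            pkg = m.group("pkg")
            summary.added += 1
            if pkg in pending:
                summary.unsigned.add(pkg)
                pending.discard(pkg)
    summary.orphan_unsigned = pending
    return summary


# Constructed sample: the first four lines are copied from the issue, the
# fifth is a constructed record with no 'No signatures' line (i.e. signed),
# and the last is a constructed unrelated line that must be ignored.
SAMPLE_LOG = """
debug    libmamba No signatures available for '21cmfast-3.3.1-py310h19eaa8d_0.conda'. Downloading without verifying artifacts.
debug    libmamba Adding package record to repo 21cmfast-3.3.1-py310h19eaa8d_0.conda
debug    libmamba No signatures available for '21cmfast-3.3.1-py310h19eaa8d_1.conda'. Downloading without verifying artifacts.
debug    libmamba Adding package record to repo 21cmfast-3.3.1-py310h19eaa8d_1.conda
debug    libmamba Adding package record to repo examplepkg-1.0-h0000000_0.conda
info     libmamba Unrelated line that the summarizer must skip
""".splitlines()


if __name__ == "__main__":
    # Usage: python summarize_unsigned.py < ci.log   (or run as-is on SAMPLE_LOG)
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    print(summarize(source).summary_line("<constructed-repo>"))
```

Read from a real CI log, the same script gives a defender the one number that matters for review (how many packages were installed without verification) without scrolling through millions of debug lines.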

Hind-M commented 3 months ago

Yeah, those logs were added because the signature verification was recently added in mamba, but I agree that this is too much... I will send a PR to fix this. Thanks for reporting :) And IINM, the signature verification is only happening for the requested packages when enabling the verify-artifacts flag.