Skip to content

Update: 2016 08 18

Jump to bottom Edit New page
Todd Gamblin edited this page Aug 18, 2016 · 8 revisions

Update

No telcon today, just some updates and follow-ups on discussion items from last week.

We'll resume August 25, and can discuss these updates then.

News

  1. Users experiencing slowness with issues with large Spack installations.
  • Fix in #1535 speeds things up 40x.
  • A few bugs remain; should be mergable soon.

  1. Currently working on a number of bug fixes for prominent bugs (see the issues)

  2. Binary packaging security

  • Last week we talked about ways to secure binary caches of packages.
    • This would speed up many installations but would require:
      • Hosting the binaries somewhere.
      • Scalable solution for checking that a package is secure.
  • Todd followed up with LLNL folks and the verdict is:
    1. LLNL is ok w/ the idea of hosting binaries and signed hashes (similar to Debian's scheme)
      • We wouldn't sign the binaries -- we would just sign the mapping from spack's hash -> binary checksum.
    2. We should use SHA-2 (SHA-256) for binary checksums.
    3. LLNL would need to register its GPG key and institution would need to manage it.
      • other sites can also have GPG keys for signing hashes.
      • Spack could ship with GPG keys from LLNL and other institutions that can sign.
        • trust has to be per-key and only LLNL trust should be enabled by default, but trusting others automatically can be enabled through configuration.
  1. Fetching via OpenSSL vs. just using checksums.
  • Also followed up with others about security. Version:
    • Spack should update to use SHA-2 to verify downloads, instead of MD5.
      • Recommend starting to move packages to SHA-2, deprecate MD5
    • Using checksums is more secure than trusting SSL cert of remote site.
      • Move most downloads to fetch over basic http without SSL.
      • Rely on SHA-2 to verify downloads, reduce SSL configuration issues.
  1. Some progress is being made with Cray on establishing what might constitute a "reproducible" environment on their machines
  • still machine/site-dependent, but we are working on getting the current state of things documented for NERSC, ORNL, NCSA, and LANL environments.
Add a custom footer
Clone this wiki locally