Update: 2016 08 18
Todd Gamblin edited this page Aug 18, 2016
No telcon today, just some updates and follow-ups on discussion items from last week.
We'll resume August 25, and can discuss these updates then.
- Users are experiencing slowness with large Spack installations.
- Fix in #1535 speeds things up 40x.
- A few bugs remain; should be mergeable soon.
- Currently working on a number of bug fixes for prominent bugs (see the issues)
- Binary packaging security
- Last week we talked about ways to secure binary caches of packages.
- This would speed up many installations but would require:
- Hosting the binaries somewhere.
- Scalable solution for checking that a package is secure.
- Todd followed up with LLNL folks and the verdict is:
- LLNL is ok w/ the idea of hosting binaries and signed hashes (similar to Debian's scheme)
- We wouldn't sign the binaries -- we would just sign the mapping from spack's hash -> binary checksum.
- We should use SHA-2 (SHA-256) for binary checksums.
- LLNL would need to register its GPG key, and the institution would need to manage it.
- other sites can also have GPG keys for signing hashes.
- Spack could ship with GPG keys from LLNL and other institutions that can sign.
- trust has to be per-key and only LLNL trust should be enabled by default, but trusting others automatically can be enabled through configuration.
- Fetching via OpenSSL vs. just using checksums.
- Also followed up with others about security. Version:
- Spack should update to use SHA-2 to verify downloads, instead of MD5.
- Recommend starting to move packages to SHA-2, deprecate MD5
- Using checksums is more secure than trusting SSL cert of remote site.
- Move most downloads to fetch over basic http without SSL.
- Rely on SHA-2 to verify downloads, reduce SSL configuration issues.
- Some progress is being made with Cray on establishing what might constitute a "reproducible" environment on their machines
- still machine/site-dependent, but we are working on getting the current state of things documented for NERSC, ORNL, NCSA, and LANL environments.
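
The download-verification plan above (rely on SHA-2, deprecate MD5) could look like the following sketch. It is an added example, not Spack's own code: `verify_download`, `ChecksumError` and the sample data are hypothetical names, and the pinned digest is assumed to come from the package recipe rather than from the download server.

```python
import hashlib
import hmac
import io
import warnings

# Digest length in hex characters -> algorithm (MD5 kept only for legacy recipes).
ALGO_BY_HEX_LEN = {32: "md5", 64: "sha256"}


class ChecksumError(Exception):
    """Raised when fetched bytes do not match the digest pinned in the recipe."""


def verify_download(stream, expected_hex, allow_md5=True, chunk_size=65536):
    """Hash `stream`, compare with the pinned digest, return the algorithm used."""
    expected_hex = expected_hex.strip().lower()
    algo = ALGO_BY_HEX_LEN.get(len(expected_hex))
    if algo is None:
        raise ValueError("unrecognised digest length: %d" % len(expected_hex))
    if algo == "md5":
        if not allow_md5:
            raise ChecksumError("MD5 digests are no longer accepted; pin SHA-256")
        warnings.warn("MD5 checksum is deprecated; move this package to SHA-256",
                      DeprecationWarning, stacklevel=2)
    hasher = hashlib.new(algo)
    # Read in chunks so large tarballs are never held in memory at once.
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        hasher.update(chunk)
    # compare_digest avoids leaking the position of the first mismatch.
    if not hmac.compare_digest(hasher.hexdigest(), expected_hex):
        raise ChecksumError("%s mismatch: got %s" % (algo, hasher.hexdigest()))
    return algo


# Constructed sample data: a stand-in tarball and the digests a recipe would pin.
TARBALL = b"constructed sample tarball contents\n"
PINNED_SHA256 = hashlib.sha256(TARBALL).hexdigest()
PINNED_MD5 = hashlib.md5(TARBALL).hexdigest()

if __name__ == "__main__":
    print(verify_download(io.BytesIO(TARBALL), PINNED_SHA256))
    try:
        # Bytes altered in transit over plain HTTP fail the check.
        verify_download(io.BytesIO(TARBALL + b"x"), PINNED_SHA256)
    except ChecksumError as err:
        print("rejected:", err)
```

Setting `allow_md5=False` turns the deprecation warning into a hard failure once packages have been moved to SHA-256.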