You are not logged in.

#1 2021-04-19 15:37:09

sharethewisdom
Member
Registered: 2014-09-22
Posts: 60

limiting signature verification CPU time

When I'm out on public wifi with my laptop I frequently update my system. I don't have web access at home.

I want to download packages automatically, and then install them shortly after when I'm back home. But pacman's signature checking doesn't play nice on the CPU. It freezes Firefox or whatever else I'm using. Also, I fear that it drains the battery in ways are not good for it.

I first made a script in /etc/netctl/interfaces that spawned a subshell in the background. I used /usr/bin/nice on pacman. For my current experiment I use a systemd timer, but I'm not sure when it will be triggered if I'm online, and I don't know how to make use of dbus session notifications from systemd. The unit currently runs a script that basically runs pacman -Syuw --noconfirm and the script notifies me of errors and updates through systembus-notify.

Alternatively, ... is it a good idea to set SigLevel=Never and LocalFileSigLevel=Required on all of the remote online repos in a seperate configuration file?

Then I would run:

  • pacman --config /etc/pacman-check-sigs-later.conf -Syuw --noconfirm from the unit

  • and when I'm back home: while read pkg; do pacman --config /etc/pacman-check-sigs-later.conf -U $pkg; done < /tmp/new-packages

The point of a unit timer was to more easily use cgroups, and schedule the invocation. I'd like to also know if this "10%" limit is reasonable (no idea, hard to test).

# /etc/systemd/system/pacman.slice
[Slice]
# persistent limit
CPUQuota=10%
MemorySwapMax=0

I'm sorry for not asking a more specific question: how would you solve this problem?

Last edited by sharethewisdom (2021-04-19 20:06:28)

Offline

#2 2021-04-20 00:40:20

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365
Website

Re: limiting signature verification CPU time

So...  not a solution, but:

pacman -Syuw --noconfirm --gpgdir=/dev/null

Then just "pacman -Su" when ready to update.

Note, if you "pacman -S <pkg>" before doing a -Su, you could end up with a partial upgrade which can leave you in a world of pain.

Offline

#3 2021-04-22 04:43:21

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: limiting signature verification CPU time

The "checkupdates" script in pacman-contrib supports a mode to safely download updates to the cache without running afoul of partial updates. You could tweak it to use a pacman.conf that disables PGP checks.

Another option is doing *no* checks, but using pacman -Sup --dbpath=/tmp/checkup-db-*/ to print the URL of each package, doing a very quick sed to eliminate the ones that start with file:// and then wget them yourself, no PGP checks and not even any checksum checks.

OTOH if you don't have web access at home *at all* then you cannot -Syu... to protect yourself from inadvertent partial updates, unless you set up some fancy mirroring of the repository databases and then when you get home you -Syu using a file:/// mirror url.
The simple solution is to just use a second conf file disabling signature checking, and be careful to not do "get_updates_via_wifi" && pacman -S newpkg.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

Board footer

Powered by FluxBB