root documents are cached locally forever #104
Comments
barabo
added
the
type::bug
jezdez
added
severity::2
|
@jezdez any update on this? This is going to be a blocker for the upcoming changes in the key_mgr. |
|
@bhuwan-agarwal No update, the ticket description didn't say anything about this blocking something, the severity is purely an indicator of the issue quality, doesn't have a direct result in immediate action unless it's requested. |
@bhuwan-agarwal: why would this be a blocker? (There's an argument to be made that we should never roll back a root key deployment, and in any case, there's already a workaround for this issues --- users manually remove the cached |
|
I would assume we would only ever roll forward if there was an issue? |
|
@chenghlee, @jezdez, I think the main thing to clarify is whether conda-content-trust caching the root document locally is the intended behavior or not. In order for a more accurate assessment of this issue, can we answer the following two questions definitively:
|
Checklist
What happened?
When
conda-content-trustis enabled, it attempts to download successive versions ofX.root.jsonfrom the configuredsigning_metadata_url_base(which would behttps://repo.anaconda.cloud/repofor many users), saving them to${CONDA_PREFIX}/etc/X.root.jsonlocally.These cached files never expire! So, in the unlikely events that a root document must be rolled back or was published erroneously, the local copy would be retained - potentially later masking a fixing change.
Also,
conda clean -adoes not remove these files, as suggested in documentation (but I can't seem to find the link to that right now).Conda Info
No response
Conda Config
No response
Conda list
No response
Additional Context
No response
The text was updated successfully, but these errors were encountered: