Hi Danny,

Danny Milosavljevic wrote:

> On Thu, 08 Feb 2018 14:37:58 +0100
> ludo@gnu.org (Ludovic Courtès) wrote:
>> We’re making progress! :-)
>
> Nice! I'm still checking a few loose ends but I think we're pretty okay now
> from a security standpoint - except for db-get-builds, which I'm amending
> right now.

Oh sorry, I think I did the same thing as you were sending this message:

  https://git.savannah.gnu.org/cgit/guix/guix-cuirass.git/commit/?id=8c7c93922bbe0513ff4c4ff3a6e554e3a72635b6

WDYT?

> Also, I'd like to get the number of distinct SQL statements down, so I'll
> propose another patch on guix-patches to do that.

Excellent.

> Also, I think sqlite-exec shouldn't call sqlite-finalize most of the time -
> otherwise the cached statement will be lost :P

Indeed! Should we change ‘sqlite-finalize’ to a noop when called on a
cached statement? (Otherwise users would have to keep track of whether
or not a statement is cached.)

Besides, on the big database on berlin, the initial:

  (db-get-builds db '((status pending)))

call takes a lot of time and memory. I guess we’re doing something
wrong, but I’m not sure what. The same query in the ‘sqlite3’ CLI is
snappy and does not consume much memory.

One of the things we’re doing wrong is that ‘Outputs’ table: each
‘db-format-build’ call triggers a lookup in that table. We should
instead probably simply store output lists in the ‘Derivations’ table.

Thoughts?

Which also means we should have schema versioning and a way to upgrade…

> I've also reintroduced sqlite-bind-args in a nicer version, please pull:
> https://notabug.org/civodul/guile-sqlite3/pulls/3 .

It is OK with you to write it like this: