When Rekor v2 support was added we felt multi-threading was needed (since otherwise signing multiple artifacts takes forever). As a result, the client now overuses connections when lots of artifacts are signed (because I was unsure about the state of requests Session thread-safety). The plan was to revisit this after #1653.
However, I'm now seeing some issues in a multi-artifact use case where we end up using more connections than is allowed on the host environment... and I have a fairly simple solution:
- bring back Session re-use
- but make the Session thread-local
This way, even if there is some unknown thread safety issue, we won't see it. If someone promises that Session is safe (or we use urllib3 directly) it will be easy to just drop `threading.local()`.
I will take a look next week.
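An added sketch of the thread-local Session re-use proposed above; it is not part of the original issue and not the project's code. `ThreadLocalSessions`, `sign_all` and `submit` are hypothetical names, and the session factory is injectable so the holder can be exercised without network access.

```python
import threading
from concurrent.futures import ThreadPoolExecutor


def _default_factory():
    # Imported lazily so a stub factory can be used where requests is absent.
    import requests
    return requests.Session()


class ThreadLocalSessions:
    """Hypothetical holder: one Session per thread, created once, then re-used."""

    def __init__(self, factory=_default_factory):
        self._factory = factory
        self._local = threading.local()
        self._lock = threading.Lock()
        self._created = []  # every session handed out, so close() can reach them

    def get(self):
        session = getattr(self._local, "session", None)
        if session is None:
            # First call on this thread: create the session and remember it.
            session = self._factory()
            self._local.session = session
            with self._lock:
                self._created.append(session)
        return session

    @property
    def count(self):
        with self._lock:
            return len(self._created)

    def close(self):
        # Call once the pool has shut down; releases every session's connections.
        with self._lock:
            sessions, self._created = self._created, []
        for session in sessions:
            session.close()


def sign_all(artifacts, submit, sessions, max_workers=4):
    """Run submit(session, artifact) per artifact; sessions never exceed max_workers."""
    def work(artifact):
        return submit(sessions.get(), artifact)

    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        return list(pool.map(work, artifacts))
```

The number of sessions is bounded by the pool's worker count rather than by the number of artifacts, and no session is ever touched by two threads.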