profiles: slsa: Remove quadratic complexity in SRC_URI iteration

SLSA provenance generation iterates over $A (which is a subset of $SRC_URI) and
for each of those tries to find a match in $SRC_URI. That's quadratic
complexity, and the performance impact is bad because we shell out to a helper
utility (basename) for every entry. This is leading to long stalls when
generating SLSA for packages with long distfile lists, like go and rust
packages. Iterate over SRC_URI once and create a dictionary to speed up
subsequent lookups. dev-db/etcdctl is a good candidate for testing.

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance

@@ -133,35 +133,35 @@ __slsa_provenance_resolved_dependencies() {
         # There can be multiple, and can be used conditionally based on use flags,
         #  and even replaced with different local names ("http://... -> othername.tgz"). So
         #  we go through what's actually used ($A), then find the corresponding source URI.
-        local src prev_uri rename orig_name found
+        declare -A uri_dict=() uri_orig_names=()
-        for src in ${A}; do
+        local prev_uri='' rename='' base_name prev_base_name
-            found=
+        for uri in ${SRC_URI}; do
+            if [[ ${uri} = '->' ]] ; then
+                rename=x
+                continue
+            fi
+            base_name=$(basename "${uri}")
+            uri_orig_names["${uri}"]=${base_name}
+            if [[ -n ${rename} ]] ; then
+                unset "uri_dict[${prev_base_name}]"
+                uri=${prev_uri}
+            fi
+            uri_dict["${base_name}"]=${uri}
             rename=
-            prev_uri=''
+            prev_uri=${uri}
-            orig_name=''
+            prev_base_name=${base_name}
-            for uri in ${SRC_URI}; do
+        done
-                if [[ ${uri} = '->' ]] ; then
+        local src orig_name
-                    rename=x
+        for src in ${A}; do
-                    continue
+            uri=${uri_dict["${src}"]:-}
-                fi
+            if [[ -z ${uri} ]] ; then
-                if [[ ${src} = "$(basename "${uri}")" ]] ; then
-                    orig_name=${src}
-                    if [[ -n ${rename} ]] ; then
-                        uri=${prev_uri}
-                        orig_name=$(basename "${uri}")
-                    fi
-                    einfo "    Provenance: recording tarball material (input) '${src}' ('${orig_name}')"
-                    csum=$(sha512sum "${DISTDIR}/${src}")
-                    csum=${csum%% *}
-                    __slsa_rd_printf "${uri}" 'sha512' "${csum}"
-                    found=x
-                fi
-                rename=
-                prev_uri=${uri}
-            done
-            if [[ -z ${found} ]] ; then
                 die "No SRC_URI found for source '${src}', unable to record provenance!"
             fi
+            orig_name=${uri_orig_names["${uri}"]}
+            einfo "    Provenance: recording tarball material (input) '${src}' ('${orig_name}')"
+            csum=$(sha512sum "${DISTDIR}/${src}")
+            csum=${csum%% *}
+            __slsa_rd_printf "${uri}" 'sha512' "${csum}"
         done
     elif [[ -n ${EGIT_REPO_URI:-} ]] ; then
         # package is built from repo checkout (git)