Bug 261555 - 410.pkg-audit: suggested patch to improve expiry by handling anticongestion delay better
Status: Closed Not A Bug
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-ports-bugs (Nobody)
URL:
Keywords: performance
Depends on:
Blocks:
 
Reported: 2022-01-29 15:23 UTC by wbe
Modified: 2023-12-18 16:54 UTC (History)

See Also:


Attachments
suggested patch to make expiry handle anticongestion delay better (832 bytes, patch)
2022-01-29 15:23 UTC, wbe
no flags

Description wbe 2022-01-29 15:23:38 UTC
Created attachment 231429
suggested patch to make expiry handle anticongestion delay better

In 410.pkg-audit, ${security_status_pkgaudit_expiry} is clearly trying to be how often the test is run, in days (e.g., 2).  vuln.xml gets written after the up-to-60 minute anticongestion sleep time on the day it is fetched.  Current code uses a fixed 10 minute grace period.  Since that's less than the up-to-60 minute anticongestion sleep time, the result is that differences of N days minus (11+ minutes) result in (N+1) days between fetches.

The patch uses ${anticongestion_sleeptime} instead of 600 and improves the comment.
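The off-by-one-day effect described in the report, as an added example (this is not the 410.pkg-audit script, nor the attached patch; function names, the day-0 start time and the sleep values are illustrative). It models the expiry test as "age of vuln.xml plus a grace period is at least expiry days", with the test run before the anticongestion sleep, as the report describes, and then counts how many days pass until the next fetch for a 10 minute grace versus a grace equal to the anticongestion sleep time:

```shell
#!/bin/sh
# Added example modelling the expiry check discussed in the bug report.
# Not the actual 410.pkg-audit code; names and timings are assumptions.

# should_fetch NOW LAST_MTIME EXPIRY_DAYS GRACE_SECONDS
# Succeeds (return 0) when (NOW - LAST_MTIME + GRACE) >= EXPIRY_DAYS * 86400,
# i.e. vuln.xml is allowed to be up to GRACE seconds "short" of EXPIRY_DAYS old.
should_fetch() {
    sf_now=$1; sf_last=$2; sf_days=$3; sf_grace=$4
    sf_age=$((sf_now - sf_last + sf_grace))
    [ "$sf_age" -ge $((sf_days * 86400)) ]
}

# days_until_next_fetch EXPIRY_DAYS GRACE_SECONDS SLEEP_AT_LAST_FETCH
# Day 0: the check passes, the script sleeps SLEEP_AT_LAST_FETCH seconds
# (anticongestion, 0..3600), then writes vuln.xml, so its mtime is start+sleep.
# Days 1..30: the check runs at the same daily start time, *before* any sleep.
# Prints the first day on which the check passes again.
days_until_next_fetch() {
    dn_days=$1; dn_grace=$2; dn_sleep=$3
    dn_t0=0                              # assumed daily start time on day 0
    dn_last=$((dn_t0 + dn_sleep))        # mtime of vuln.xml written on day 0
    dn_d=1
    while [ "$dn_d" -le 30 ]; do
        if should_fetch $((dn_t0 + dn_d * 86400)) "$dn_last" "$dn_days" "$dn_grace"; then
            echo "$dn_d"
            return 0
        fi
        dn_d=$((dn_d + 1))
    done
    echo "never"
    return 1
}

# Constructed scenarios: expiry = 2 days, anticongestion slept 45 minutes (2700 s)
# on the day of the last fetch.
echo "grace 600 s,  slept 2700 s: next fetch after $(days_until_next_fetch 2 600 2700) days"
echo "grace 3600 s, slept 2700 s: next fetch after $(days_until_next_fetch 2 3600 2700) days"
echo "grace 600 s,  slept 300 s:  next fetch after $(days_until_next_fetch 2 600 300) days"
```

With a 600 second grace and a 2700 second anticongestion sleep on the last fetch day, the day-2 check sees an age of 2 days minus 2100 seconds and fails, so the next fetch lands on day 3; with the grace set to the sleep time the day-2 check passes. The sleep only causes the extra day when it exceeds the grace, which is why a sleep shorter than 600 seconds still yields a 2 day interval.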
Comment 1 wbe 2023-11-28 16:15:09 UTC
This patch may not be needed for FreeBSD 14.

Although my cursory scan of crontab and periodic tables didn't find who's doing it, with 14.0, I'm seeing vuln.xml consistently fetched at 00:30 on the days it's fetched.  If you're eliminating anticongestion by fetching vuln.xml at a consistent time separately from the vulnerability scan at 03:02 - 04:01 as was the case in 13.2 and earlier, then obviously no anticongestion accommodation is needed.

However, if load on your servers is an issue, the patch + fetching at a variable (anticongestion) time later (when periodic runs the security tests) may be better for getting the #days between fetches right than the new method of always fetching at 00:30.
 -WBE
Comment 2 wbe 2023-11-30 09:05:52 UTC
OK... I now have my first example in 14.0 of vuln.xml NOT being fetched at 00:30, so you do still have an anticongestion delay.

With this new information, I see at least 3 options:
1) If you use my patch, you don't need this new, separate
   "fetch vuln.xml hours earlier" job; you can go back to fetching it when
   the security test is run;
2) Keep the fetch-hours-earlier job, in which case you don't need my patch,
   nor do you need the +600 (10 minute) margin in 410.pkg-audit, and if
   you're doing all the anticongestion fetches earlier, maybe you can
   eliminate doing the anticongestion delay again at 3 AM;
3) Ignoring my patch and doing nothing works, too, but leaves future
   programmers to wonder why there's a 10 minute delay in the code.
 -WBE
Comment 3 wbe 2023-12-18 16:53:04 UTC
Having now seen that vuln.xml is fetched entirely differently in 14.0,
this proposed patch is NOT appropriate for 14.0.  It would help some
in 13.2 and earlier.  Doing nothing is an acceptable option, so I'm
going to try to close this bug report.