This morning portaudit told me I needed to upgrade PHP5 on a few servers. Again, I checked FreshPorts to see if a fix was in. Apparently it was. Unfortunately, it was wrong.
Checking the version of vuln.xml in the ports tree, I found:
$ grep '$FreeBSD' ports/security/vuxml/vuln.xml
$FreeBSD: ports/security/vuxml/vuln.xml,v 1.1416 2007/09/11 19:40:02 remko Exp $
It should have been 1.1417.
Checking the processing log of that commit, I can see that the system had trouble fetching the new vuln.xml file via cvsweb. The script tried 5 times to grab the file between 01:50:44 and 01:51:26. That’s not a long period of time.
The issue arises because cvsweb has a direct NFS mount of repoman (the main cvs repository). Thus, if a fetch by FreshPorts fails, I don’t know why that would happen.
I have a patch that’s been sitting on my development server for a while:
$ cvs di -uN utilities.pm Index: utilities.pm =================================================================== RCS file: /home/repositories/freshports-1/scripts/utilities.pm,v retrieving revision 1.15 diff -u -r1.15 utilities.pm --- utilities.pm 27 Jun 2007 02:40:26 -0000 1.15 +++ utilities.pm 13 Sep 2007 12:21:20 -0000 @@ -68,7 +68,7 @@ my $result = 0; - my $FetchAttempts = 5; + my $FetchAttempts = $FreshPorts::Config::Fetch_Retry_Limit; while ($FetchAttempts) { my $command = "sh $FreshPorts::Config::scriptpath/fetch-cvs-file.sh $URL $DESTDIR \ $SRCDIR $FILE $REVISION $SUFFIX 2>&1"; @@ -89,7 +89,7 @@ Sys::Syslog::syslog('warning', \ "sleeping after fetch failed for ($DESTDIR $SRCDIR $FILE)"); print "fetch failed, sleeping...\n"; - sleep 10; + sleep $FreshPorts::Config::Fetch_Sleep_Time; $FetchAttempts--; } else {
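Review bot: in the first hunk (@@ -68), `$FetchAttempts` is now taken straight from `$FreshPorts::Config::Fetch_Retry_Limit` with no fallback; if that variable is unset or zero on a server, `while ($FetchAttempts)` never enters the loop, no fetch is attempted, and `$result` stays at 0 without any log line explaining why. Suggest `my $FetchAttempts = $FreshPorts::Config::Fetch_Retry_Limit || 5;` so the old behaviour remains the default, and document the new setting in config.pm.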
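Review bot: in the second hunk (@@ -89), `sleep $FreshPorts::Config::Fetch_Sleep_Time;` has the same dependency on the config value being set; with an undefined value Perl sleeps for 0 seconds, so all the retries fire within the same second, which is exactly the too-short retry window this patch is meant to fix. Suggest a default (`|| 10`) matching the removed literal, and since the failure branch still sleeps before `$FetchAttempts--` on the final attempt, consider skipping the sleep when no attempts remain.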
With this patch, I can manually configure the number of fetch retries and the sleep interval between attempts. At present, I’m using this on my development server:
$ grep Fetch config.pm
$FreshPorts::Config::Fetch_Retry_Limit = 10;
$FreshPorts::Config::Fetch_Sleep_Time = 120;
With these settings, the script sleeps for 2 minutes after a failed fetch and attempts the fetch up to 10 times.
There is another problem here. Why did FreshPorts not error out when the fetch failed? The commit should have been marked as requiring a refresh and the processing of the security/vuxml/vuln.xml file should never have occurred. In which case, I would have noticed the unrefreshed port in the morning, and manually refreshed it, thus triggering the usual vuxml processing.
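The retry loop from the patch and the fail-closed behaviour described above, as an added example that is not FreshPorts code: fetch_with_retry, process_commit_file, the sleeper callback and the fallback defaults are this example's own; only the two config variable names come from the patch.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for FreshPorts::Config (hypothetical); the variable names are the
# ones the patch introduces, the values are the development-server settings.
package FreshPorts::Config;
our $Fetch_Retry_Limit = 10;
our $Fetch_Sleep_Time  = 120;

package main;

# Call $fetcher->() up to the configured number of times, sleeping the
# configured interval between failures.  Returns 1 on success and 0 when every
# attempt failed, so the caller can refuse to process a stale file.
sub fetch_with_retry {
    my ($fetcher, %opt) = @_;
    # Fall back to the old literals if the config variables are unset or zero;
    # otherwise a missing setting silently yields a loop that never runs.
    my $attempts = $FreshPorts::Config::Fetch_Retry_Limit || 5;
    my $sleep    = $FreshPorts::Config::Fetch_Sleep_Time  || 10;
    my $sleeper  = $opt{sleeper} || sub { sleep $_[0] };   # injectable for testing

    while ($attempts--) {
        return 1 if $fetcher->();
        warn "fetch failed, sleeping $sleep seconds ($attempts attempts left)\n";
        $sleeper->($sleep) if $attempts;    # no point sleeping after the last try
    }
    return 0;
}

# Caller: a failed fetch marks the commit as needing a refresh instead of
# processing whatever copy of the file happens to be on disk.
sub process_commit_file {
    my ($fetcher, $file, %opt) = @_;
    unless (fetch_with_retry($fetcher, %opt)) {
        print "marking commit as refresh needed; skipping $file\n";
        return 'refresh_needed';
    }
    print "processing $file\n";
    return 'processed';
}

# Constructed demo: a fetcher that fails twice then succeeds, and one that
# always fails (a cvsweb outage).  The sleeper only logs, so the demo is quick.
my $calls  = 0;
my $flaky  = sub { return ++$calls > 2 };
my $dead   = sub { return 0 };
my $logger = sub { print "(would sleep $_[0]s)\n" };
print process_commit_file($flaky, 'security/vuxml/vuln.xml', sleeper => $logger), "\n";
print process_commit_file($dead,  'security/vuxml/vuln.xml', sleeper => $logger), "\n";
```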
The problem did not occur on my development server (which has the above code) located in Jupiter, Florida. Nor did it occur on the BETA server in New York City. This may have been a local network issue affecting only the production server (in San Jose).
I’ll move the above patch into production and see if the problem occurs again. I’ll also do some more testing to make sure a port is marked as refresh needed if a fetch failure occurs.