Skip to content

Add postponed CVE issues reprocessing research#235

Merged
majamassarini merged 4 commits into
packit:mainfrom
majamassarini:postponed-issues
Jun 30, 2026
Merged

Add postponed CVE issues reprocessing research#235
majamassarini merged 4 commits into
packit:mainfrom
majamassarini:postponed-issues

Conversation

@majamassarini

Copy link
Copy Markdown
Member

Document mechanism for periodically reprocessing postponed CVE issues in Ymir. Includes 3-phase implementation approach: basic sweeps, backoff optimization with Redis, and follow-up improvements.

Document mechanism for periodically reprocessing postponed CVE issues
in Ymir. Includes 3-phase implementation approach: basic sweeps,
backoff optimization with Redis, and follow-up improvements.

@lbarcziova lbarcziova left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for a comprehensive research, looking forward to start working on this!

Comment on lines +19 to +20
- `ymir_postponed_no_patch` — no upstream patch found yet
- `ymir_postponed_pr_pending` — patch identified but not yet merged

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if we should treat this the same, in case the pending PR would get closed and other approach would be chosen.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed, sounds like we should do a full triage once we are unblocked

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree the unblock action will be the same, however I would keep them separate because ymir_postponed_no_patch requires a full re-triage every time we check it, so I would re-run it less frequently.
The ymir_postponed_pr_pending, instead, needs a github/gitlab check - to verify if the PR (which will be linked in the issue by the triage agent) has been approved, so we can run it more frequently. If the PR has been merged then we can invoke the triage agent again.

And yes, I agree that if PR is closed then we should consider falling back to triage.


## Sweep Types and Timing

### 1. Dependency CVE Sweep

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for this one, we actually added the check if the new build is present in compose, I think we should be checking also that one now (if fixed in build is set), could you please re-consider it with that? Should be just different programmatic check


## Backoff Optimization with Redis (Optional - Phase 2)

**Why backoff is needed:** Without backoff, all postponed issues are checked on every sweep, even if recently verified as still blocked. This wastes API calls and agent tokens, especially for issues blocked for weeks.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not fully convinced the backoff is necessary/wanted here, I think with most of these there is not much predictability on when we get unblcoked. For the expensive case (rerunning the triage agent) a longer fixed interval would be simpler. But open to discussion. Definitely would start with phase 1 only as you propose!

Comment on lines +19 to +20
- `ymir_postponed_no_patch` — no upstream patch found yet
- `ymir_postponed_pr_pending` — patch identified but not yet merged

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed, sounds like we should do a full triage once we are unblocked

- Time-to-unblock (how long issues stay postponed)
- Backoff behavior (attempt count distribution)

### Redis Metrics (Optional - Phase 2 only)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

really love this part that we'll be able to measure these issues and act based on real data

majamassarini and others added 2 commits June 29, 2026 15:38
- Add note that PR pending issues should re-triage from scratch if PR gets closed
- Update Y-stream sweep to check build in buildroot using check_build_in_buildroot()
- Clarify all postponed categories trigger full re-triage when unblocked (not just push to queue)
- Acknowledge backoff is optional, fixed intervals may be simpler given unpredictability

Assisted-by: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
Comment thread research/postponed-issues-reprocessing/index.md
- Add note that PR pending issues should re-triage from scratch if PR gets closed
- Update Y-stream sweep to check build in buildroot using check_build_in_buildroot()
- Clarify all postponed categories trigger full re-triage when unblocked (not just push to queue)
- Acknowledge backoff is optional, fixed intervals may be simpler given unpredictability

Assisted-by: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
@majamassarini majamassarini added this pull request to the merge queue Jun 30, 2026
Merged via the queue into packit:main with commit 105e201 Jun 30, 2026
3 checks passed
@github-project-automation github-project-automation Bot moved this from New to Done in Packit pull requests Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Development

Successfully merging this pull request may close these issues.

4 participants