Received: from out-06.pe-a.jellyfish.systems (out-06.pe-a.jellyfish.systems [198.54.127.66]) by gbr-app-1.alpinelinux.org (Postfix) with ESMTPS id AC88B225A86 for <~alpine/apk-tools@lists.alpinelinux.org>; Sat, 16 Nov 2024 10:35:36 +0000 (UTC) Received: from prod-lbout-phx.jellyfish.systems (new-01-3.privateemail.com [66.29.159.56]) by pe-a.jellyfish.systems (Postfix) with ESMTPA id 4Xr9Jk2Hwkz4wWd for <~alpine/apk-tools@lists.alpinelinux.org>; Sat, 16 Nov 2024 10:35:34 +0000 (UTC) Received: from MTA-10-1.privateemail.com (unknown [10.50.14.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by NEW-01-3.privateemail.com (Postfix) with ESMTPS id 4Xr9Jk1lKKz2Sd0Q for <~alpine/apk-tools@lists.alpinelinux.org>; Sat, 16 Nov 2024 05:35:34 -0500 (EST) Received: from mta-10.privateemail.com (localhost [127.0.0.1]) by mta-10.privateemail.com (Postfix) with ESMTP id 4Xr9Jk0WlLz3hhVG for <~alpine/apk-tools@lists.alpinelinux.org>; Sat, 16 Nov 2024 05:35:34 -0500 (EST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gmacedo.com; s=default; t=1731753334; bh=kC0mxKIWGMTWOGFxR2BQ0ENRmDkMKu+IUIBy0DK3KQI=; h=Date:From:To:Subject:From; b=X+kVdtvn5voG7UYRFztAoGWupurBmCN0BYknobhmQZBkX93nqMh3CYI1RzACvpNej sJO0MRv7MS30XHdZUIFz9ExiqEcjLwyGlE0eo7H11n5dR3jDSqdmdAcrXudKlQn1Lg ShJ6Eijk0lS8MQSQM6W1g0VsodOYmkuvg8+RNrHf0pDQ7pSrYB9g1tcb0O0PD0AOmK YiYA8+1SW/3QDSAGOoINp55CR+o8MPtObxu+LpCFv8p8ZTVLsAkWPAtEmvmT4sqo/s nWh8R9eYObxDG/tUA44payulrmO8EYf662zggBQ2SUdvcpT292rJXUaHF/ISaeJq2Q VLvFA/KCSNkNA== Received: from localhost (unknown [177.104.97.144]) by mta-10.privateemail.com (Postfix) with ESMTPA for <~alpine/apk-tools@lists.alpinelinux.org>; Sat, 16 Nov 2024 05:35:33 -0500 (EST) Date: Sat, 16 Nov 2024 07:35:28 -0300 From: Guilherme Macedo To: ~alpine/apk-tools@lists.alpinelinux.org Subject: Question about secfixes in APKBUILD Message-ID: <20241116073528.75a751c2@gmacedo.com> X-Mailer: Claws Mail 4.3.0 (GTK 3.24.43; x86_64-suse-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV using ClamSMTP Hey list. I've a question about the secfixes comments in the APKBUILD spec. Do I understand right that all false-positives CVEs (the CVEs not affecting a package) in Alpine are listed with the version as "0"? Examples: - https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/openssh/APKBUILD#L88-89 - https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/openssl/APKBUILD#L113-118 I tried to look for this in the docs, but couldn't find a note about this. Apologies in case I missed it. Thanks in advance, Guilherme