Date: Sat, 16 Nov 2024 09:01:37 -0300
From: Guilherme Macedo
To: "fossdd"
Cc: <~alpine/apk-tools@lists.alpinelinux.org>
Subject: Re: Question about secfixes in APKBUILD
Message-ID: <20241116090137.5bde56ea@gmacedo.com>
In-Reply-To:
References: <20241116073528.75a751c2@gmacedo.com>
X-Mailer: Claws Mail 4.3.0 (GTK 3.24.43; x86_64-suse-linux-gnu)
On Sat, 16 Nov 2024 12:46:55 +0100
"fossdd" wrote:

> On Sat Nov 16, 2024 at 11:35 AM CET, Guilherme Macedo wrote:
> > Hey list.
> >
> > I've a question about the secfixes comments in the APKBUILD spec.
> > Do I understand right that all false-positive CVEs (the CVEs not
> > affecting a package) in Alpine are listed with the version as "0"?
> >
> > Examples:
> > - https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/openssh/APKBUILD#L88-89
> > - https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/openssl/APKBUILD#L113-118
>
> Yes, it has become somewhat of a norm to mark them as 0. However the
> right place for such false positives is
> at https://gitlab.alpinelinux.org/alpine/security/security-rejections
>

Thanks for the explanation and for pointing to the rejections repo. I
wasn't aware of it. It seems, unfortunately, that it's not in sync with
the ones marked in the individual APKBUILDs. Do you know if there is any
effort or plans to build automation around this to keep them in sync?

> >
> > I tried to look for this in the docs, but couldn't find a note about
> > this. Apologies in case I missed it.
> >
> > Thanks in advance,
> > Guilherme
>
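The thread describes two facts about the secfixes convention: false-positive CVEs are commonly listed under the version key "0" in the `# secfixes:` comment block of an APKBUILD, and the central security-rejections repository is not kept in sync with those per-package markings. The script below is an added example, not code from aports, apk-tools or the security-rejections repository. It parses the secfixes block (YAML written inside shell comments, which is how the block appears in real APKBUILDs), collects the version-"0" entries, and diffs them against a rejections list. The APKBUILD excerpt and the rejections set are constructed for illustration; because the thread does not show the rejections repository's file format, the rejections list is modelled as a plain set of identifiers that a real sync job would load from that repository.

```python
"""Extract version-"0" (false-positive) entries from an APKBUILD secfixes
block and compare them with a central rejections list.

Added example for this thread; not aports or security-rejections code.
SAMPLE_APKBUILD and SAMPLE_REJECTIONS are constructed test data.
"""
import re
from typing import Dict, List, Set

# Constructed APKBUILD fragment; not a copy of any real aports file.
SAMPLE_APKBUILD = """\
pkgname=example
pkgver=1.2.3
pkgrel=0

# secfixes:
#   1.2.3-r0:
#     - CVE-2024-0001
#     - CVE-2024-0002
#   1.2.2-r0:
#     - CVE-2023-0100
#   0:
#     - CVE-2023-0200
#     - CVE-2022-0300

build() {
\tmake
}
"""

# Constructed stand-in for the identifiers recorded in a rejections
# repository (assumed to be a flat set; the real file format is not
# shown in the thread).
SAMPLE_REJECTIONS: Set[str] = {"CVE-2023-0200", "CVE-2023-0100"}

_HEADER = re.compile(r"^#\s*secfixes:\s*$")          # "# secfixes:"
_ENTRY = re.compile(r"^\s+-\s*(\S+)")                 # "    - CVE-..."
_VERSION = re.compile(r"^\s+(\S.*?):\s*$")            # "  1.2.3-r0:"


def parse_secfixes(apkbuild: str) -> Dict[str, List[str]]:
    """Return {version: [identifier, ...]} from the secfixes comment block.

    The block starts at '# secfixes:' and ends at the first line that is
    not a shell comment.  Identifiers are kept verbatim (CVE, GHSA, ...).
    A list entry that precedes any version key, or any other unexpected
    line inside the block, raises ValueError so malformed data is noticed
    rather than silently dropped.
    """
    fixes: Dict[str, List[str]] = {}
    in_block = False
    current = None
    for raw in apkbuild.splitlines():
        if not in_block:
            if _HEADER.match(raw):
                in_block = True
            continue
        if not raw.startswith("#"):
            break                                  # end of comment block
        line = raw[1:].rstrip()                    # drop the leading '#'
        if not line.strip():
            continue                               # bare '#' separator
        m = _ENTRY.match(line)
        if m:
            if current is None:
                raise ValueError(f"entry before any version key: {raw!r}")
            fixes[current].append(m.group(1))
            continue
        m = _VERSION.match(line)
        if m:
            current = m.group(1).strip()
            fixes.setdefault(current, [])
            continue
        raise ValueError(f"unrecognised secfixes line: {raw!r}")
    return fixes


def false_positives(fixes: Dict[str, List[str]]) -> Set[str]:
    """Identifiers the packager marked as not affecting the package ("0")."""
    return set(fixes.get("0", []))


def unsynced(fixes: Dict[str, List[str]], rejected: Set[str]) -> Dict[str, Set[str]]:
    """Report where the APKBUILD and the rejections list disagree.

    missing_from_rejections: marked "0" in the APKBUILD, absent centrally.
    rejected_but_fixed: rejected centrally, yet the APKBUILD lists a real
        fixed version for it, i.e. the two sources contradict each other.
    """
    fp = false_positives(fixes)
    fixed = {i for ver, ids in fixes.items() if ver != "0" for i in ids}
    return {
        "missing_from_rejections": fp - rejected,
        "rejected_but_fixed": rejected & fixed,
    }


if __name__ == "__main__":
    parsed = parse_secfixes(SAMPLE_APKBUILD)
    for key, ids in unsynced(parsed, SAMPLE_REJECTIONS).items():
        print(f"{key}: {sorted(ids)}")
```

Run against a whole aports checkout by feeding each APKBUILD to `parse_secfixes` and unioning the `unsynced` results; anything in `missing_from_rejections` is a candidate for a rejections entry, and anything in `rejected_but_fixed` needs a human to decide which source is right.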