From: "fossdd"
To: "Guilherme Macedo", <~alpine/apk-tools@lists.alpinelinux.org>
Subject: Re: Question about secfixes in APKBUILD
Date: Sat, 16 Nov 2024 12:46:55 +0100

On Sat Nov 16, 2024 at 11:35 AM CET, Guilherme Macedo wrote:
> Hey list.
>
> I've a question about the secfixes comments in the APKBUILD spec. Do I
> understand right that all false-positives CVEs (the CVEs not
> affecting a package) in Alpine are listed with the version as "0"?
>
> Examples:
> - https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/openssh/APKBUILD#L88-89
> - https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/openssl/APKBUILD#L113-118

Yes, it has become somewhat a norm to mark them as 0. However the right place
for such false-positives is at
https://gitlab.alpinelinux.org/alpine/security/security-rejections

> I tried to look for this in the docs, but couldn't find a note about
> this. Apologies in case I missed it.
>
> Thanks in advance,
> Guilherme
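
The convention discussed in this thread, as an added example that is not part of the original messages and is not Alpine's own tooling: a small Python parser for the `# secfixes:` comment block of an APKBUILD that separates entries filed under version `0` from real fixes. The sample APKBUILD, its package versions and the CVE identifiers are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample: the layout follows the secfixes comment block in aports;
# package versions and CVE identifiers are placeholders, not real entries.
SAMPLE_APKBUILD = """\
pkgname=example
pkgver=1.2.3

# secfixes:
#   1.2.3-r0:
#     - CVE-0000-0001
#     - CVE-0000-0002
#   0:
#     - CVE-0000-0003
#   1.1.0-r2:
#     - CVE-0000-0004

build() { :; }
"""

_VERSION = re.compile(r"^#\s+(\S+):\s*$")   # "#   1.2.3-r0:" or "#   0:"
_ENTRY = re.compile(r"^#\s+-\s+(\S+)")      # "#     - CVE-..."


def parse_secfixes(apkbuild_text):
    """Return {version: [ids]} from the '# secfixes:' comment block."""
    fixes, version, in_block = {}, None, False
    for line in apkbuild_text.splitlines():
        if not in_block:
            in_block = line.strip() == "# secfixes:"
            continue
        if not line.startswith("#"):
            break  # first non-comment line ends the block
        m = _VERSION.match(line)
        if m:
            version = m.group(1)
            fixes.setdefault(version, [])
            continue
        m = _ENTRY.match(line)
        if m and version is not None:
            fixes[version].append(m.group(1))
    return fixes


def split_not_affected(fixes):
    """Separate version '0' entries (CVEs marked as not affecting the package)."""
    not_affected = sorted(fixes.get("0", []))
    fixed = {cve: ver for ver, ids in fixes.items() if ver != "0" for cve in ids}
    return fixed, not_affected
```

A scanner integration would treat the `not_affected` list as suppressions and compare the installed package version against the `fixed` mapping.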