Date: Sun, 17 Nov 2024 00:12:18 +0100
Message-Id:
From: "fossdd"
To: "Guilherme Macedo"
Cc: <~alpine/apk-tools@lists.alpinelinux.org>
Subject: Re: Question about secfixes in APKBUILD
References: <20241116073528.75a751c2@gmacedo.com> <20241116090137.5bde56ea@gmacedo.com>
In-Reply-To: <20241116090137.5bde56ea@gmacedo.com>

On Sat Nov 16, 2024 at 1:01 PM CET, Guilherme Macedo wrote:
> On Sat, 16 Nov 2024 12:46:55 +0100
> "fossdd" wrote:
>
> > On Sat Nov 16, 2024 at 11:35 AM CET, Guilherme Macedo wrote:
> > > Hey list.
> > >
> > > I've a question about the secfixes comments in the APKBUILD spec.
> > > Do I understand right that all false-positive CVEs (the CVEs not
> > > affecting a package) in Alpine are listed with the version as "0"?
> > >
> > > Examples:
> > > - https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/openssh/APKBUILD#L88-89
> > > - https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/openssl/APKBUILD#L113-118
> >
> > Yes, it has become somewhat of a norm to mark them as 0. However, the
> > right place for such false-positives is
> > at https://gitlab.alpinelinux.org/alpine/security/security-rejections
> >
>
> Thanks for the explanation and for pointing to the rejections repo. I
> wasn't aware of it. It seems, unfortunately, that it's not in sync with
> the ones marked in the individual APKBUILDs.
>
> Do you know if there is any effort or plans to build automation around
> this to keep them in sync?

Yeah, I guess some developers prefer the 0-method more than the other,
since it's easier to add. I don't think that anyone plans to merge them
anytime soon.

>
> > > I tried to look for this in the docs, but couldn't find a note about
> > > this. Apologies in case I missed it.
> > >
> > > Thanks in advance,
> > > Guilherme
> >
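An added example (not code from this thread, from aports or from apk-tools) that parses the commented `# secfixes:` YAML block of an APKBUILD and separates CVEs recorded under the pseudo-version `0` (the "0-method" above) from CVEs fixed in a real package version; extracting that list per package is the first step of the sync automation Guilherme asks about. The APKBUILD excerpt and its CVE ids are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed APKBUILD excerpt (example data, not a real aports file).
# The "# secfixes:" block is the commented YAML map used in aports:
# version -> list of CVE ids. The pseudo-version "0" marks CVEs that do
# not affect the package (the "0-method" discussed in the thread).
SAMPLE_APKBUILD = """\
pkgname=example
pkgver=1.2.3
pkgrel=0

# secfixes:
#   1.2.3-r0:
#     - CVE-2024-0001
#     - CVE-2024-0002
#   0:
#     - CVE-2023-0003
#   1.2.2-r1:
#     - CVE-2023-0004
source="https://example.invalid/example-$pkgver.tar.gz"
"""

def parse_secfixes(apkbuild: str) -> Dict[str, List[str]]:
    """Return {version: [cve, ...]} parsed from the '# secfixes:' block."""
    fixes: Dict[str, List[str]] = {}
    in_block, version = False, None
    for line in apkbuild.splitlines():
        if not in_block:
            in_block = line.strip() == "# secfixes:"
            continue
        if not line.startswith("#"):
            break  # the block ends at the first non-comment line
        body = line[1:].strip()
        if m := re.fullmatch(r"([^\s:]+):", body):
            version = m.group(1)          # e.g. "1.2.3-r0" or "0"
            fixes.setdefault(version, [])
        elif (m := re.fullmatch(r"-\s*(CVE-\d{4}-\d{4,})", body)) and version:
            fixes[version].append(m.group(1))
    return fixes

def rejected_cves(apkbuild: str) -> List[str]:
    """CVEs under pseudo-version "0": marked as not affecting the package."""
    return parse_secfixes(apkbuild).get("0", [])

def fixed_cves(apkbuild: str) -> Dict[str, str]:
    """Map each CVE to the package version that fixed it ("0" entries excluded)."""
    return {cve: ver for ver, cves in parse_secfixes(apkbuild).items()
            if ver != "0" for cve in cves}
```

Running `rejected_cves` over every APKBUILD in a tree gives the list that would have to be compared against the security-rejections repository.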