Received: from sonic306-1.consmr.mail.bf2.yahoo.com (sonic306-1.consmr.mail.bf2.yahoo.com [74.6.132.40])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id D7623782CF6
	for <~alpine/devel@lists.alpinelinux.org>; Thu, 29 Apr 2021 12:40:30 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1619700029; bh=4HsKvLG/ayUdHqztB7Wdq3GvwfJl19R88tF9WDzLC8E=; h=Date:From:To:In-Reply-To:References:Subject:From:Subject:Reply-To; b=ESAyGgolxpwI2BSDIQkel2yZngq5zCRBlji2eZ1wGmI0Fmv1+9KCq9YuP/Y7XvXZdzNUaS53t+cr9JhS/R9O5kegepUy50vSsax5F/ZKDLMiU40Xc0LL+DBxQdP7cAA3TLfdDxqq8oQJUVF3ebK7WLKmkEozBe3WcQ3JQu2FpAhueuzLAovGusvclkg3ZlqgY6RzPY486NyHIN/VfuGVXvBh0FnIahMy74mBPBEM4rErXWSLjfRnHAW6toNqHj4+kJmsWtjpkMnwb3UcgieL8MhIbD7RCTNF7mwgvK8PnChsVhtl/lfYbzgpc/ALaXJ5V6BYw+xxalZ4AvAFu3OpFQ==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1619700029; bh=fmcWm+MaFHrLmewYxtOI/73scyJ4tn+wJQFzDAeX9bT=; h=X-Sonic-MF:Date:From:To:Subject:From:Subject; b=Qbe+CNkG6gryxG5wHLowPypD3IqYKDZCokoPc3bM1xnDa+jys+T8G7HI18TXlzlfM7AKt55eRI3SSBYqDrGHEGD/kpf2ihtJblWjYqaKw8I+1wMLdH4kdi6pGDP4tUqyJ9CxBUFkEjQfDmFxTiL3YPYfrN/WbjFuVwgl1r6RtHgudu7nX65Fe0+Dpf+0YRQLgVuCNh3Lnhjr8XUeGszhGbP9DPP47rqVZYuMex1ZIve+lBbzeKid60Q4jNyIPqS7AbizkyCTGY3/npWdFcTUGBrB6QnWURipwPX+kzAriqxZZo4ykcJeVgNSyXwP5CMmK8y3h5B7JlY8ZUdxOvmFtw==
X-YMail-OSG: HXiehmQVM1kHHUJR4efrIS2y8N0GpGOEF05ScP42ZFGwHFxNOpQzLYvV8WP6QOD
 AS19cuTIuuMM2gLZYQZIkS.cmrsJmMrruWkQXPXkYuRF7CBkymfnt72mIJynupD6yGe6ocalzs4W
 UmBFAUUIdH5cmywb5yZOIoeicbYXMkT.JpLbYFEJKHBKBwvCya7pBI8yat1dcm.BfacnPt91p2rd
 DbHlC.xvCfrWh.GHjRKaYr3NnVL1No4ufqKDhY9ZYepflUENNvfxzXaE3oGx4hK4U1dt.0zMgoA8
 6jBMuFNQEngEW9dWjjV4dbW3gPzBqFuvPkqqpuG40mAwrOIQ2Iu9qkDGZzllM52CbpXaJrbfkoON
 eRdbl7Ey90QW0vLTzhYlfdqvkWzworW_EwDHufdBkd814tBt4sj5uzp3ZgdCPT6MnyfWKZ0mYbgJ
 2lOLQKngC0c0o7nTpZUsYt8bq6Pdxo6vREaZgqb5UkBKOLYA6HJ3za9SDDS5k2ZeaY8sefnzzNFU
 Rvo_S5YwxmvMz0_Py0yJ8q63_tayY4RqTWbM1VCLMNkEqLAbeO3EJpnXhlzTRyvaImZ_imRVrrtM
 eRs4sM90Rec9wQvBszSwd3mASvr2zg3BD9SMCXlEkVEK5.UP0iD9XmlEjNbEZxnTsdtoRUqJmL8l
 UTD90Xe7QIBhcffoLA_CJt6VVQZNdHIP.hLD4XRXhM7uI.Qm.UTYDI9DsYoMN_gocdQwUTgRum06
 eTCd5cOAEXzK_i68TWJoE1NRJr_daXFGQaZcevpJtmrxIdUlH5_TOuedITH5L2PnlohTXFVsR.tw
 z_Wo1qxQ4pm3xJzRLjXbTW1H1uItw41sJQYxsFN0k0QQ9zOX9wEHqEE8wG9d7G8Ser5NMlmYSlLM
 ydIaLy81Qc7iKXslOowxSHOJbCgDtQ6F7ud92.i77KtKqCA_6pXzvTDt5sVDBFqBpUrYSFW2vxyY
 fNLWLDGJyGbg6yrOzIVq2WoGMiApdJqZNhBldrbX5rztACHjRScKopeLZsTcXCbkR58QuVm5u8Cz
 43Xw1VZysbfmht1oX_pTXuouDhic.Fqws52qyEUOokyBxZoIuWRKO1EQogrrYWCMbbTmXqLr1P7G
 bJi0hcMn3BeWWwHzWOjrG0t8aK3kXnEVJ4VNq_2i324epNEk05Infd7zpn2RR8L3DXtAG9_21cPb
 07c2m.33G4v_mcl4KTCSveJmAkyr1pWVc3Yd.S9SCJnOcv_WRrKfZc_aMwlHRnoxKMer6a1rtV1S
 WW08TBgzleBdu8n2fEqdm7eoAIA6pSVd9by2qcTSNuI9i3rjrnGX7EodmALhl3JH2bcl8cofc9rS
 Ho8RZ0tOCAzZUCRSoTY.V1wf9Skw_nrjh1J140HMwXFTZ6MM8UwPdN4d53rnxDC0ZrtBxTL1Tkzm
 ykJx._suSKPyoclqBc2oUauNylfFJNYrOQb6IvymI_GmKhc12meRc1usvMG834XsZijHTxnc2M9b
 aQqIAsS59pL.ngYABbbtV4MAvfnd3fj6earhYgoCLaJ2FUts3EwwdPYu536JeqF.Vy80Vyhq5NN6
 xavuizC9GFJ6NtWgo60NDvxIehX9g_WJhgJXL9PniCjXyz91.ys6dyonJvCWrQuwm4sD7OYXb5uY
 zdtF5OUj9_6hLnKyBUQQUWZzsNV4F0H_ODrzUz6zDZwwNsyQ5B7W_sLQUUwPAaTi4xiFoRWPJrSo
 ksqNIqQeuBwodZ7ZvXv8WnrTwD.K3Ax1QzUDakdalBnvOsSjXBvXnDvmou1bV5wHx7unVJ.L5Uow
 7dancJrlNQQcLOvdXHBWulVH3ksjQkhB7delfTHNXACtkpIHdi.m49EqsqE.elv68bKwJzASh3is
 YSM.eftry0.P2cGLQNxeOGp7mxfcl8fOoNZCFRQBdXQP2kWkjMDv4.nFRo146cW2yAkR0JFpKu3Z
 4yZ3CRrCYc4C7dvPfOu6s60EhwGhnK9Oz_eU6tHjX71pztzVTaPUyL3UAKUsvQCKiwsTNMTaguN.
 LDYU58cnKrX4tc8oZUdD_FCp24i8Cui0nXM2llTqcavf4ATts_.fA66o9t73mmGrVW643eqcpQaG
 V.pQC4PUgu_9S3o.2r.ykjMVX2p7HHTSFyQNiYfa9YOYiKOk7AuKnMV3oissBL8RRj2wIm1oLhcr
 AJRzbeQFVUqvdpCtBdKfbC7MUz9NGyfihUYUskvAidRBOYk2Tx1B.QXyth316aVghR2BWjM6AGCJ
 MznT.x7oPjhTuyh_O5OsAn.0gI8antXYMylplQtT04fRkYLP9Rxv7JladmPbGVHO8S1xwkQAxt4c
 gnwT2Nt.Izf906DEBP.M_CBH4_lGneUc4JZ7qU_FXAMsn1GERbm800xA0zkuoHSUPHem4o09rs8S
 I95PdblxK5UW_fqlsyXB8uSwUSESVnC7m8eInQb.wYEK.qw9XzvHcAed_6XlGdpV.n3RTUimqkPq
 aaLnC5WUW6RHHhqYjZT1SdEzobd8fh8VhfDcGtZw7_a07MpOinUP6OsAg8nKxCsEstB7EzLq3oVP
 p_QJCu75ftUYeDf7uYTWcjtTLARC3
X-Sonic-MF: <ttrask01@yahoo.com>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.bf2.yahoo.com with HTTP; Thu, 29 Apr 2021 12:40:29 +0000
Date: Thu, 29 Apr 2021 12:40:25 +0000 (UTC)
From: Ted Trask <ttrask01@yahoo.com>
To: 
	"~alpine/devel@lists.alpinelinux.org" <~alpine/devel@lists.alpinelinux.org>, 
	Nir Ben-Eliezer <nir.ben-eliezer@aquasec.com>
Message-ID: <1461898156.1109064.1619700025076@mail.yahoo.com>
In-Reply-To: <AM6PR03MB471108D90553846834729307B35F9@AM6PR03MB4711.eurprd03.prod.outlook.com>
References: <AM6PR03MB4711B475D15586303F7AD1B8B35F9@AM6PR03MB4711.eurprd03.prod.outlook.com> <755786165.1114022.1619696808923@mail.yahoo.com> <AM6PR03MB471108D90553846834729307B35F9@AM6PR03MB4711.eurprd03.prod.outlook.com>
Subject: Re: Security dispute over nodejs vulnerability in Alpine - Help!
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Mailer: WebService/1.1.18138 YMailNorrin Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36

> I=E2=80=99m asking ultimately, is this: If the node community indicated a=
 certain CVE is fixed in version X, why would Alpine indicate a different v=
ersion? Is it merely an issue of testing, and the fact that version X was n=
ot certified to be used with a certain branch of Alpine, or is there a diff=
erent reason?

Alpine Linux does not and will not support mixing repositories. You can do =
so, but you are on your own.

> / # apk add --repository http://dl-cdn.alpinelinux.org/alpine/v3.11/main =
--no-cache nodejs=3D12.22.1-r0
>=C2=A0fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDE=
X.tar.gz
>=C2=A0fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKIND=
EX.tar.gz
>=C2=A0fetch=C2=A0https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86=
_64/APKINDEX.tar.gz

This. What you do here is the cause of the problem. We do not support mixin=
g 3.11 packages and 3.13 packages.

Ted Trask