Date: Mon, 07 Oct 2024 16:05:17 +0200
Subject: Re: Alpine Main Packages Lists
From: "fossdd"
To: "Nigel Hopper", "~alpine/users@lists.alpinelinux.org" <~alpine/users@lists.alpinelinux.org>

On Mon Oct 7, 2024 at 3:40 PM CEST, Nigel Hopper wrote:
> Hi
>
> I'm part of a team that audit software and one of the things that we have to do is differentiate operating system packages from when they are part of the core operating system and when they are added as part of the build from something else.
>
> We refer to these as Main OS (part of the core OS) and Non-main (added on top of the core OS).
>
> Alpine has been a bit of a challenge, but would like to know if we could use either of the following links to give us an accurate list of the Alpine Main OS packages.
> These would be for 3.20
>
> https://alpine.pkgs.org/3.20/alpine-main-x86_64/
> https://pkgs.alpinelinux.org/packages?name=&branch=v3.20&repo=main&arch=x86_64&origin=&maintainer=&flagged=

If you want reliable information, it's best not to parse a website but use the APKINDEX from Alpine mirrors (e.g. https://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz). It's what pkgs.alpinelinux.org uses to generate data and also what apk itself uses to update package lists.

>
> Technically the "same site" but there are differences between these even though they are the same release.
>
> gcompat
> java-cacerts
>
> According to these lists, the first package above is on the list, but the second is not. Based on this, we would likely make gcompat as a Main OS package and java-cacerts is a Non-main operating system package.
>
> Are either of these lists an accurate representation of the Main OSs for Alpine 3.20?
>
> Many thanks.
>
>
> Nigel Hopper
> Security Consultant: Cybersecurity Assessment & Response Services
> Open Source Software Auditor
> Advisory Software Engineer
> QSE Development Top Gun
>
> Unless otherwise stated above:
>
> IBM United Kingdom Limited
> Registered in England and Wales with number 741598
> Registered office: Building C, IBM Hursley Office, Hursley Park Road, Winchester, Hampshire SO21 2JN
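
One way to apply the APKINDEX approach from the reply to the Main OS / Non-main split asked about in the question. This is an added example, not part of the original message or of any Alpine tooling. The function names are hypothetical, and the index it reads is a small constructed stand-in for the real `APKINDEX.tar.gz`, with made-up version values.

```python
import io
import tarfile

def parse_apkindex(text):
    """Parse APKINDEX text: blank-line separated records of 'K:value' lines."""
    packages = {}
    for record in text.split("\n\n"):
        fields = {}
        for line in record.splitlines():
            key, sep, value = line.partition(":")  # split on the first ':' only
            if sep:
                fields[key] = value
        if "P" in fields:  # P = package name, o = origin (source) package
            packages[fields["P"]] = fields
    return packages

def load_apkindex(fileobj):
    """Read the APKINDEX member out of an APKINDEX.tar.gz file object."""
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        member = tar.extractfile("APKINDEX")
        return parse_apkindex(member.read().decode("utf-8"))

def classify(installed, main_index):
    """Label package names with the thread's terms: Main OS or Non-main."""
    return {n: "Main OS" if n in main_index else "Non-main" for n in installed}

def build_sample_index():
    """Constructed stand-in for main/x86_64/APKINDEX.tar.gz (not real data)."""
    body = (
        "P:gcompat\nV:0.0.0-r0\nA:x86_64\no:gcompat\n\n"
        "P:example-libs\nV:0.0.0-r0\nA:x86_64\no:example\n\n"
    ).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("APKINDEX")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    index = load_apkindex(build_sample_index())
    # The result reflects the constructed sample, which mirrors the two
    # package names discussed in the thread.
    for name, label in classify(["gcompat", "java-cacerts"], index).items():
        print(f"{name}: {label}")
```

For a real audit, pass `load_apkindex` a file object for the `APKINDEX.tar.gz` downloaded from the mirror URL in the reply, and take the installed names from the system under review (for example the output of `apk info`).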