
Re: "Version less than 0.0" in OVAL definitions



Hello,
In theory, from a version numbering point of view only, yes, less than 0.0 is valid. But in practice, as they are used in Debian OVAL definitions, I don't think they are. I think these state values might be incorrect, probably unintentionally. And there are many, thousands, of these less than 0.0 versions; I don't think they are actually intended to test for pre version 0 releases.
For example, who could be using a pre version 0 release of glibc?

<dpkginfo_test check="all" check_existence="at_least_one_exists" comment="glibc is earlier than 0" id="oval:org.debian.oval:tst:22102" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:3"/>
<state state_ref="oval:org.debian.oval:ste:14418"/>
</dpkginfo_test>
...
<dpkginfo_test check="all" check_existence="at_least_one_exists" comment="golang-1.11 is earlier than 0" id="oval:org.debian.oval:tst:22067" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:2202"/>
<state state_ref="oval:org.debian.oval:ste:14410"/>
</dpkginfo_test>
...
<dpkginfo_test check="all" check_existence="at_least_one_exists" comment="rustc is earlier than 0" id="oval:org.debian.oval:tst:22068" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:1670"/>
<state state_ref="oval:org.debian.oval:ste:14410"/>
</dpkginfo_test>
...
<dpkginfo_test check="all" check_existence="at_least_one_exists" comment="sqlcipher is earlier than 0" id="oval:org.debian.oval:tst:22069" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:2614"/>
<state state_ref="oval:org.debian.oval:ste:14410"/>
</dpkginfo_test>

On Mon, 17 May 2021 at 09:40, Holger Levsen <holger@layer-acht.org> wrote:
On Sun, May 16, 2021 at 05:21:50PM +0300, Serkan Özkan wrote:
> We are using Debian OVAL definitions but there are many tests, and states,
> that test for dpkg versions being less than 0.0 which is impossible in
> practice (right?).

no, it's possible:

0~1 is a valid version. It's smaller than zero, yet it's not a negative
number.

It's usually used for versions like 1.0~0alpha1-1 to allow the next
version to be 1.0-1... but 0~1 is a legal and valid version too.


--
cheers,
        Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

I'm looking forward to Corona being a beer again and Donald a duck.
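
Added example, not part of the original thread: a Python implementation of the dpkg version ordering rules (epoch, upstream version, revision, with `~` sorting before everything, including end of string), used to show which version strings satisfy an "earlier than 0" check. The function names and the sample version strings are constructed for illustration.

```python
import re

def _order(c):
    # Weight of one character inside a non-digit run (dpkg ordering).
    if c == "~":
        return -1            # tilde sorts before everything, even end of string
    if c == "" or c.isdigit():
        return 0             # end of the non-digit run
    if c.isalpha():
        return ord(c)        # letters sort by ASCII value
    return ord(c) + 256      # other characters sort after all letters

def _cmp_part(a, b):
    # Compare two upstream-version or revision strings.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for k in range(max(len(na), len(nb))):
            d = _order(na[k:k + 1]) - _order(nb[k:k + 1])
            if d:
                return d
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        d = int(da or 0) - int(db or 0)   # digit runs compare numerically
        if d:
            return d
    return 0

def parse(v):
    # Split [epoch:]upstream[-revision]; a missing epoch is 0.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def compare(a, b):
    # Negative if a sorts before b, zero if equal, positive if after.
    (ea, ua, ra), (eb, ub, rb) = parse(a), parse(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def earlier_than_zero(versions):
    # Versions that an "earlier than 0" state would match.
    return [v for v in versions if compare(v, "0") < 0]

# Constructed sample versions, not taken from any real package.
SAMPLES = ["0~1", "0~20210516-1", "0", "0.0", "2.31-13", "1.0~0alpha1-1", "1:0~1"]

if __name__ == "__main__":
    print(earlier_than_zero(SAMPLES))
```

Only strings that start with `0~` in epoch 0 sort before `0`; an ordinary release version such as the constructed `2.31-13` never matches an "earlier than 0" state.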
