2025-07-15 18:34:58 <Ariadne> ikke: it would be good to garbage collect the edge-main/edge-community packages on security.a.o
2025-07-15 18:59:11 <ikke> Ariadne: Yeah, I have been thinking about that, but nothing built-in right?
2025-07-15 18:59:52 <Ariadne> no automation, sadly
2025-07-15 18:59:58 <Ariadne> maybe i write it this weekend
2025-07-15 19:00:42 <ikke> I planned to spend some time in August to look at the secfixes tracker
2025-07-15 19:02:51 <ikke> I think it's a bit too stateful atm, which means lots of edge cases where things are not tracked properly
2025-07-15 19:03:54 <Ariadne> i agree
2025-07-15 19:04:34 <Ariadne> it might also be interesting to add a feature to check what e.g. grype is saying about packages
2025-07-15 19:04:54 <Ariadne> since grype can scan for vendored components for example
2025-07-15 19:05:58 <ikke> Yeah, having a framework where we can add various sources would be heplful
2025-07-16 12:27:50 <ncopa> I would also appreciate if the test suite got extended
2025-07-18 01:55:41 <jahway603[m]> As the Alpine package maintainer of the Matrix Synapse package, I want to share this pre-disclosure from their devs which has CVE impact. I plan to update and create a MR for synapse on July 22nd, as per their pre-disclosure. I wanted to let others in here know about this.
2025-07-18 01:55:41 <jahway603[m]> https://matrix.org/blog/2025/07/security-predisclosure/
2025-07-18 07:25:24 <achill> jahway603[m] <https://matrix.to/#/%40oftc_jahway603%5Bm%5D%3Apostmarketos.org>: i should be available at that time, just ping me in case i forgot and should merge
2025-07-18 07:27:46 <ncopa> thanks for the heads up!
2025-07-19 12:06:36 <bananicorn> Just to add to that, the date has been shifted back to Monday Aug 11th 2025 at 17:00 UTC to give client/server developers more time
2025-07-19 12:07:03 <bananicorn> Updated notes have been added to the announcement
2025-07-22 20:03:33 <jahway603[m]> Thanks for the update bananicorn. Updated my calendar to that new date.
2025-07-23 22:30:39 <cistit1324> hi
2025-07-23 22:30:46 <hackeris> hi
2025-07-28 14:22:51 <Serubin> Hi Alpine security. I have a quick question about alpine security advisories: I'm trying to decipher what "possibly vulnerable" means in the context of the "Vulnerable and fixed packages" table. On a row that says "possibly vulnerable" next to a version, does that indicate that the version is still vulnerable? Is the only definitively fixed version going to be denoted by a "fixed" status? Asking 
2025-07-28 14:22:57 <Serubin> because I've noticed that many major security scanners seem to indicate that versions with a status of "possibly vulnerable" are fixed, but I'm not sure that's really the case. Thanks!
2025-07-28 14:34:54 <ikke> Serubin: all it means at some point, we've seen a CVE that matched that package and version 
2025-07-28 14:48:09 <Serubin> ikke: and it's likely still vulnerable. Yes?
2025-07-28 14:50:03 <ikke> At least we have not explicitly indicated that it has
2025-07-28 14:51:03 <ikke> That it has been fixed*
2025-07-28 14:51:40 <ikke> But it may also be a wrong match
2025-07-28 14:52:02 <Serubin> Understood, thank you!
2025-07-28 14:52:25 <Serubin> My guess is that some of the security scanners we're using, see the version listed, but ignore the vulnerable status and mark it as fixed.
2025-07-28 14:52:28 <Serubin> Really appreciate the response
2025-07-28 14:59:36 <ikke> Do you have an example?
2025-07-30 18:22:55 <Ariadne> security scanners should not mark anything as fixed unless it is in secdb...
2025-07-30 18:23:07 <Ariadne> definitely a bug in those scanners :p