Forum: >>> Magnum BBS <<<

"Version less than 0.0" in OVAL definitions

From =?UTF-8?Q?Serkan_=C3=96zkan?=@21:1/5 to All on Sun May 16 16:40:01 2021

Hello,
We are using Debian OVAL definitions but there are many tests, and states,
that test for dpkg versions being less than 0.0 which is impossible in
practice (right?).
How should we handle these tests/definitions? Should we ignore them or does
0.0 have a special meaning in this case?

<dpkginfo_test check="all" check_existence="at_least_one_exists" comment="linux is earlier than 0" id="oval:org.debian.oval:tst:22144" version="1" xmlns=" http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:195"/>
<state state_ref="oval:org.debian.oval:ste:14430"/>
</dpkginfo_test>
<dpkginfo_test check="all" check_existence="at_least_one_exists" comment="jhead is earlier than 0" id="oval:org.debian.oval:tst:22145" version="1" xmlns=" http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:740"/>
<state state_ref="oval:org.debian.oval:ste:14430"/>
</dpkginfo_test>
...
<dpkginfo_state id="oval:org.debian.oval:ste:14430" version="1" xmlns=" http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<evr datatype="debian_evr_string" operation="less than">0:0</evr> </dpkginfo_state>
<dpkginfo_state id="oval:org.debian.oval:ste:14431" version="1" xmlns=" http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<evr datatype="debian_evr_string" operation="less than">0:1.14.4-1+deb10u1 </evr>
</dpkginfo_state>
<dpkginfo_state id="oval:org.debian.oval:ste:14432" version="1" xmlns=" http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<evr datatype="debian_evr_string" operation="less than">0:0</evr> </dpkginfo_state>

Thanks in advance,
Serkan Özkan

<div dir="ltr"><div style="line-height:18px">Hello,<br>We are using Debian OVAL definitions but there are many tests, and states, that test for dpkg versions being less than 0.0 which is impossible in practice (right?). </div><div style="line-height:
18px">How should we handle these tests/definitions? Should we ignore them or does 0.0 have a special meaning in this case?</div><div style="line-height:18px"><div style="color:rgb(0,0,0);font-family:Menlo,Monaco,"Courier New",monospace;font-
size:12px;white-space:pre"><br></div><div style="color:rgb(0,0,0);font-family:Menlo,Monaco,"Courier New",monospace;font-size:12px;white-space:pre"><div style="line-height:18px"><div> <span style="color:rgb(128,0,0)"><dpkginfo_test</span> <
span style="color:rgb(255,0,0)">check</span>=<span style="color:rgb(0,0,255)">"all"</span> <span style="color:rgb(255,0,0)">check_existence</span>=<span style="color:rgb(0,0,255)">"at_least_one_exists"</span> <span style="color:rgb(
255,0,0)">comment</span>=<span style="color:rgb(0,0,255)">"linux is earlier than 0"</span> <span style="color:rgb(255,0,0)">id</span>=<span style="color:rgb(0,0,255)">"oval:org.debian.oval:tst:22144"</span> <span style="color:rgb(255,
0,0)">version</span>=<span style="color:rgb(0,0,255)">"1"</span> <span style="color:rgb(255,0,0)">xmlns</span>=<span style="color:rgb(0,0,255)">"<a href="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">http://oval.mitre.org/
XMLSchema/oval-definitions-5#linux</a>"</span><span style="color:rgb(128,0,0)">></span></div><div> <span style="color:rgb(128,0,0)"><object</span> <span style="color:rgb(255,0,0)">object_ref</span>=<span style="color:rgb(0,0,255)">"
oval:org.debian.oval:obj:195"</span><span style="color:rgb(128,0,0)">/></span></div><div> <span style="color:rgb(128,0,0)"><state</span> <span style="color:rgb(255,0,0)">state_ref</span>=<span style="color:rgb(0,0,255)"><span style="
background-color:rgb(0,255,255)">"oval:org.debian.oval:ste:14430</span>"</span><span style="color:rgb(128,0,0)">/></span></div><div> <span style="color:rgb(128,0,0)"></dpkginfo_test></span></div><div> <span style="color:rgb(128,0,
0)"><dpkginfo_test</span> <span style="color:rgb(255,0,0)">check</span>=<span style="color:rgb(0,0,255)">"all"</span> <span style="color:rgb(255,0,0)">check_existence</span>=<span style="color:rgb(0,0,255)">"at_least_one_exists"</
span> <span style="color:rgb(255,0,0)">comment</span>=<span style="color:rgb(0,0,255)">"jhead is earlier than 0"</span> <span style="color:rgb(255,0,0)">id</span>=<span style="color:rgb(0,0,255)">"oval:org.debian.oval:tst:22145"</span>
<span style="color:rgb(255,0,0)">version</span>=<span style="color:rgb(0,0,255)">"1"</span> <span style="color:rgb(255,0,0)">xmlns</span>=<span style="color:rgb(0,0,255)">"<a href="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
http://oval.mitre.org/XMLSchema/oval-definitions-5#linux</a>"</span><span style="color:rgb(128,0,0)">></span></div><div> <span style="color:rgb(128,0,0)"><object</span> <span style="color:rgb(255,0,0)">object_ref</span>=<span style="color:
rgb(0,0,255)">"oval:org.debian.oval:obj:740"</span><span style="color:rgb(128,0,0)">/></span></div><div> <span style="color:rgb(128,0,0)"><state</span> <span style="color:rgb(255,0,0)">state_ref</span>=<span style="color:rgb(0,0,255)"

"oval:org.debian.oval:ste:14430"</span><span style="color:rgb(128,0,0)">/></span></div><div> <span style="color:rgb(128,0,0)"></dpkginfo_test></span></div><div></div></div></div><div style="color:rgb(0,0,0);font-family:Menlo,Monaco,

"Courier New",monospace;font-size:12px;white-space:pre">...</div><div style="color:rgb(0,0,0);font-family:Menlo,Monaco,"Courier New",monospace;font-size:12px;white-space:pre"> <span style="color:rgb(128,0,0)"><dpkginfo_state</
span> <span style="color:rgb(255,0,0)">id</span>=<span style="color:rgb(0,0,255)">"<span style="background-color:rgb(0,255,255)">oval:org.debian.oval:ste:14430</span>"</span> <span style="color:rgb(255,0,0)">version</span>=<span style="color:
rgb(0,0,255)">"1"</span> <span style="color:rgb(255,0,0)">xmlns</span>=<span style="color:rgb(0,0,255)">"<a href="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">http://oval.mitre.org/XMLSchema/oval-definitions-5#linux</a>"</
span><span style="color:rgb(128,0,0)">></span></div><div style="color:rgb(0,0,0);font-family:Menlo,Monaco,"Courier New",monospace;font-size:12px;white-space:pre"> <span style="color:rgb(128,0,0)"><evr</span> <span style="color:rgb(
255,0,0)">datatype</span>=<span style="color:rgb(0,0,255)">"debian_evr_string"</span> <span style="color:rgb(255,0,0)">operation</span>=<span style="color:rgb(0,0,255)">"less than"</span><span style="color:rgb(128,0,0)">></span><
span style="background-color:rgb(255,255,0)">0:0</span><span style="color:rgb(128,0,0)"></evr></span></div><div style="color:rgb(0,0,0);font-family:Menlo,Monaco,"Courier New",monospace;font-size:12px;white-space:pre"> <span style="
color:rgb(128,0,0)"></dpkginfo_state></span></div><div style="color:rgb(0,0,0);font-family:Menlo,Monaco,"Courier New",monospace;font-size:12px;white-space:pre"> <span style="color:rgb(128,0,0)"><dpkginfo_state</span> <span style="
color:rgb(255,0,0)">id</span>=<span style="color:rgb(0,0,255)">"oval:org.debian.oval:ste:14431"</span> <span style="color:rgb(255,0,0)">version</span>=<span style="color:rgb(0,0,255)">"1"</span> <span style="color:rgb(255,0,0)">xmlns</
span>=<span style="color:rgb(0,0,255)">"<a href="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">http://oval.mitre.org/XMLSchema/oval-definitions-5#linux</a>"</span><span style="color:rgb(128,0,0)">></span></div><div style="color:
rgb(0,0,0);font-family:Menlo,Monaco,"Courier New",monospace;font-size:12px;white-space:pre"> <span style="color:rgb(128,0,0)"><evr</span> <span style="color:rgb(255,0,0)">datatype</span>=<span style="color:rgb(0,0,255)">"debian_evr_
string"</span> <span style="color:rgb(255,0,0)">operation</span>=<span style="color:rgb(0,0,255)">"less than"</span><span style="color:rgb(128,0,0)">></span>0:1.14.4-1+deb10u1<span style="color:rgb(128,0,0)"></evr></span></div><
div style="color:rgb(0,0,0);font-family:Menlo,Monaco,"Courier New",monospace;font-size:12px;white-space:pre"> <span style="color:rgb(128,0,0)"></dpkginfo_state></span></div><div style="color:rgb(0,0,0);font-family:Menlo,Monaco,"
Courier New",monospace;font-size:12px;white-space:pre"> <span style="color:rgb(128,0,0)"><dpkginfo_state</span> <span style="color:rgb(255,0,0)">id</span>=<span style="color:rgb(0,0,255)">"oval:org.debian.oval:ste:14432"</span> <span
style="color:rgb(255,0,0)">version</span>=<span style="color:rgb(0,0,255)">"1"</span> <span style="color:rgb(255,0,0)">xmlns</span>=<span style="color:rgb(0,0,255)">"<a href="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">http://
oval.mitre.org/XMLSchema/oval-definitions-5#linux</a>"</span><span style="color:rgb(128,0,0)">></span></div><div style="color:rgb(0,0,0);font-family:Menlo,Monaco,"Courier New",monospace;font-size:12px;white-space:pre"> <span style="
color:rgb(128,0,0)"><evr</span> <span style="color:rgb(255,0,0)">datatype</span>=<span style="color:rgb(0,0,255)">"debian_evr_string"</span> <span style="color:rgb(255,0,0)">operation</span>=<span style="color:rgb(0,0,255)">"less than&
quot;</span><span style="color:rgb(128,0,0)">></span><span style="background-color:rgb(255,255,0)">0:0</span><span style="color:rgb(128,0,0)"></evr></span></div><div style="color:rgb(0,0,0);font-family:Menlo,Monaco,"Courier New",
monospace;font-size:12px;white-space:pre"> <span style="color:rgb(128,0,0)"></dpkginfo_state></span></div><div style="color:rgb(0,0,0);font-family:Menlo,Monaco,"Courier New",monospace;font-size:12px;white-space:pre"><br></div><br>
Thanks in advance,<br>Serkan Özkan</div></div>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Holger Levsen@21:1/5 to All on Mon May 17 08:50:01 2021

On Sun, May 16, 2021 at 05:21:50PM +0300, Serkan Özkan wrote:

We are using Debian OVAL definitions but there are many tests, and states, that test for dpkg versions being less than 0.0 which is impossible in practice (right?).

no, it's possible:

0~1 is a valid version. It's smaller than zero, yet it's not a negative
number.

It's usually used for versions like 1.0~0alpha1-1 to allow the next
version to be 1.0-1... but 0~1 is a legal and valid version too.

--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

I'm looking forward to Corona being a beer again and Donald a duck.

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmCiD/EACgkQCRq4Vgaa qhxCZA/+P4aWKvBn7qv37qEKadhS0xJ35dwAXytihxP0t7I82Jc0nqm8mwdh+7pf hnZasVQEq6O1wDyhMsLqtLolCeZMS3pMwk7AbdlNFSJT3LoxQhDMz+etBPQU1rhw GXX0MqLToPeNOYURpzmxqsx0wAIylsowcmJb/Sy3ZcgyLuy0sqJISkO456yzV1tb c+LBjwa8LNGtzHEiBkTaD97IUeaMLUenduFAhXjknK/mIxXdRSh10WwzkyWDIbvB hBp8kQQGgkWy6M1r30SZNdLP18X8Rd7qH8QKU/Cdik3BmyizOocNiIHbbOu0S6lR lZGCbfZ8ajUkDR7c8+mh/AiJOLrrYWlQFq+X0trHRDr6SpNwpxkJwef2eW08pb04 U0BBTzxeU6QYedrrga5QKj0IOZojz8exEYY4e6PON7s3L/BqK5yp+WXci1MgzLQZ bc3uk2ja73AOnntTG2NF8Z2Kr2RCz8MWhKJoKFaNh+j2Xro/C117J0jQIscLBLvg sMXj3eWV2Thi6nk3HR++a9gI+JPgsmyv9JlMAyK7/GKuJX+8vTPA+9lmT4vuZDpR 6zfwCcXI6uOId9q9d4tIB3jUCAEZTc9Qf8vitm7jztMUH

From =?UTF-8?Q?Serkan_=C3=96zkan?=@21:1/5 to Holger Levsen on Mon May 17 10:00:01 2021

Hello,
In theory, from version number numbering point of view only, yes less than
0.0 is valid. But in practice, as they are used in Debian OVAL definitions,
I don't think they are. I think these state values might be incorrect,
probably unintentionally. And there are many, thousands, of these less than
0.0 versions, I don't think they are actually intended to test for pre
version 0 releases.
For example, who could be using a pre version 0 release of glibc?

<dpkginfo_test check="all" check_existence="at_least_one_exists" comment="glibc is earlier than 0" id="oval:org.debian.oval:tst:22102" version="1" xmlns=" http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:3"/>
<state state_ref="oval:org.debian.oval:ste:14418"/>
</dpkginfo_test>
...
<dpkginfo_test check="all" check_existence="at_least_one_exists" comment="golang-1.11
is earlier than 0" id="oval:org.debian.oval:tst:22067" version="1" xmlns=" http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:2202"/>
<state state_ref="oval:org.debian.oval:ste:14410"/>
</dpkginfo_test>
...
<dpkginfo_test check="all" check_existence="at_least_one_exists" comment="rustc is earlier than 0" id="oval:org.debian.oval:tst:22068" version="1" xmlns=" http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:1670"/>
<state state_ref="oval:org.debian.oval:ste:14410"/>
</dpkginfo_test>
...
<dpkginfo_test check="all" check_existence="at_least_one_exists" comment="sqlcipher
is earlier than 0" id="oval:org.debian.oval:tst:22069" version="1" xmlns=" http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:2614"/>
<state state_ref="oval:org.debian.oval:ste:14410"/>
</dpkginfo_test>

On Mon, 17 May 2021 at 09:40, Holger Levsen <holger@layer-acht.org> wrote:

On Sun, May 16, 2021 at 05:21:50PM +0300, Serkan Özkan wrote:

We are using Debian OVAL definitions but there are many tests, and

states,

that test for dpkg versions being less than 0.0 which is impossible in practice (right?).

no, it's possible:

0~1 is a valid version. It's smaller than zero, yet it's not a negative number.

It's usually used for versions like 1.0~0alpha1-1 to allow the next
version to be 1.0-1... but 0~1 is a legal and valid version too.

--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

I'm looking forward to Corona being a beer again and Donald a duck.

<div dir="ltr">Hello,<div>In theory, from version number numbering point of view only, yes less than 0.0 is valid. But in practice, as they are used in Debian OVAL definitions, I don't think they are. I think these state values might be incorrect,
probably unintentionally. And there are many, thousands, of these less than 0.0 versions, I don't think they are actually intended to test for pre version 0 releases.</div><div>For example, who could be using a pre version 0 release of glibc?</div><

<br></div><div><div style="color:rgb(0,0,0);font-family:Menlo,Monaco,"Courier New",monospace;font-size:12px;line-height:18px;white-space:pre"><div style="line-height:18px"><div> <span style="color:rgb(128,0,0)"><dpkginfo_test</span> <

span style="color:rgb(255,0,0)">check</span>=<span style="color:rgb(0,0,255)">"all"</span> <span style="color:rgb(255,0,0)">check_existence</span>=<span style="color:rgb(0,0,255)">"at_least_one_exists"</span> <span style="color:rgb(
255,0,0)">comment</span>=<span style="color:rgb(0,0,255)">"<span style="background-color:rgb(255,255,0)">glibc is earlier than 0</span>"</span> <span style="color:rgb(255,0,0)">id</span>=<span style="color:rgb(0,0,255)">"oval:org.debian.
oval:tst:22102"</span> <span style="color:rgb(255,0,0)">version</span>=<span style="color:rgb(0,0,255)">"1"</span> <span style="color:rgb(255,0,0)">xmlns</span>=<span style="color:rgb(0,0,255)">"<a href="http://oval.mitre.org/
XMLSchema/oval-definitions-5#linux">http://oval.mitre.org/XMLSchema/oval-definitions-5#linux</a>"</span><span style="color:rgb(128,0,0)">></span></div><div> <span style="color:rgb(128,0,0)"><object</span> <span style="color:rgb(255,0,0)">
object_ref</span>=<span style="color:rgb(0,0,255)">"oval:org.debian.oval:obj:3"</span><span style="color:rgb(128,0,0)">/></span></div><div> <span style="color:rgb(128,0,0)"><state</span> <span style="color:rgb(255,0,0)">state_ref</
span>=<span style="color:rgb(0,0,255)">"oval:org.debian.oval:ste:14418"</span><span style="color:rgb(128,0,0)">/></span></div><div> <span style="color:rgb(128,0,0)"></dpkginfo_test></span></div><div><span style="color:rgb(128,0,0)">.
..</span></div><div></div></div><div> <span style="color:rgb(128,0,0)"><dpkginfo_test</span> <span style="color:rgb(255,0,0)">check</span>=<span style="color:rgb(0,0,255)">"all"</span> <span style="color:rgb(255,0,0)">check_existence</
span>=<span style="color:rgb(0,0,255)">"at_least_one_exists"</span> <span style="color:rgb(255,0,0)">comment</span>=<span style="color:rgb(0,0,255)">"<span style="background-color:rgb(255,255,0)">golang-1.11 is earlier than 0</span>"</
span> <span style="color:rgb(255,0,0)">id</span>=<span style="color:rgb(0,0,255)">"oval:org.debian.oval:tst:22067"</span> <span style="color:rgb(255,0,0)">version</span>=<span style="color:rgb(0,0,255)">"1"</span> <span style="color:
rgb(255,0,0)">xmlns</span>=<span style="color:rgb(0,0,255)">"<a href="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">http://oval.mitre.org/XMLSchema/oval-definitions-5#linux</a>"</span><span style="color:rgb(128,0,0)">></span><br><
/div><div> <span style="color:rgb(128,0,0)"><object</span> <span style="color:rgb(255,0,0)">object_ref</span>=<span style="color:rgb(0,0,255)">"oval:org.debian.oval:obj:2202"</span><span style="color:rgb(128,0,0)">/></span></div><div>
<span style="color:rgb(128,0,0)"><state</span> <span style="color:rgb(255,0,0)">state_ref</span>=<span style="color:rgb(0,0,255)">"oval:org.debian.oval:ste:14410"</span><span style="color:rgb(128,0,0)">/></span></div><div> <span
style="color:rgb(128,0,0)"></dpkginfo_test></span></div><div><span style="color:rgb(128,0,0)">...</span></div><div> <span style="color:rgb(128,0,0)"><dpkginfo_test</span> <span style="color:rgb(255,0,0)">check</span>=<span style="color:rgb(0,
0,255)">"all"</span> <span style="color:rgb(255,0,0)">check_existence</span>=<span style="color:rgb(0,0,255)">"at_least_one_exists"</span> <span style="color:rgb(255,0,0)">comment</span>=<span style="color:rgb(0,0,255)">"<span
style="background-color:rgb(255,255,0)">rustc is earlier than 0</span>"</span> <span style="color:rgb(255,0,0)">id</span>=<span style="color:rgb(0,0,255)">"oval:org.debian.oval:tst:22068"</span> <span style="color:rgb(255,0,0)">version</
span>=<span style="color:rgb(0,0,255)">"1"</span> <span style="color:rgb(255,0,0)">xmlns</span>=<span style="color:rgb(0,0,255)">"<a href="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">http://oval.mitre.org/XMLSchema/oval-
definitions-5#linux</a>"</span><span style="color:rgb(128,0,0)">></span></div><div> <span style="color:rgb(128,0,0)"><object</span> <span style="color:rgb(255,0,0)">object_ref</span>=<span style="color:rgb(0,0,255)">"oval:org.debian.
oval:obj:1670"</span><span style="color:rgb(128,0,0)">/></span></div><div> <span style="color:rgb(128,0,0)"><state</span> <span style="color:rgb(255,0,0)">state_ref</span>=<span style="color:rgb(0,0,255)">"oval:org.debian.oval:ste:
14410"</span><span style="color:rgb(128,0,0)">/></span></div><div> <span style="color:rgb(128,0,0)"></dpkginfo_test></span></div><div><span style="color:rgb(128,0,0)">...</span></div><div> <span style="color:rgb(128,0,0)"><dpkginfo_
test</span> <span style="color:rgb(255,0,0)">check</span>=<span style="color:rgb(0,0,255)">"all"</span> <span style="color:rgb(255,0,0)">check_existence</span>=<span style="color:rgb(0,0,255)">"at_least_one_exists"</span> <span style="
color:rgb(255,0,0)">comment</span>=<span style="color:rgb(0,0,255)">"<span style="background-color:rgb(255,255,0)">sqlcipher is earlier than 0</span>"</span> <span style="color:rgb(255,0,0)">id</span>=<span style="color:rgb(0,0,255)">"oval:
org.debian.oval:tst:22069"</span> <span style="color:rgb(255,0,0)">version</span>=<span style="color:rgb(0,0,255)">"1"</span> <span style="color:rgb(255,0,0)">xmlns</span>=<span style="color:rgb(0,0,255)">"<a href="http://oval.mitre.
org/XMLSchema/oval-definitions-5#linux">http://oval.mitre.org/XMLSchema/oval-definitions-5#linux</a>"</span><span style="color:rgb(128,0,0)">></span></div><div> <span style="color:rgb(128,0,0)"><object</span> <span style="color:rgb(255,0,
0)">object_ref</span>=<span style="color:rgb(0,0,255)">"oval:org.debian.oval:obj:2614"</span><span style="color:rgb(128,0,0)">/></span></div><div> <span style="color:rgb(128,0,0)"><state</span> <span style="color:rgb(255,0,0)">state_
ref</span>=<span style="color:rgb(0,0,255)">"oval:org.debian.oval:ste:14410"</span><span style="color:rgb(128,0,0)">/></span></div><div> <span style="color:rgb(128,0,0)"></dpkginfo_test></span></div><div></div></div></div></div><br><
div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 17 May 2021 at 09:40, Holger Levsen <<a href="mailto:holger@layer-acht.org">holger@layer-acht.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;
border-left:1px solid rgb(204,204,204);padding-left:1ex">On Sun, May 16, 2021 at 05:21:50PM +0300, Serkan Özkan wrote:<br>
> We are using Debian OVAL definitions but there are many tests, and states,<br>
> that test for dpkg versions being less than 0.0 which is impossible in<br> > practice (right?).<br>

no, it's possible:<br>

0~1 is a valid version. It's smaller than zero, yet it's not a negative<br>
number.<br>

It's usually used for versions like 1.0~0alpha1-1 to allow the next<br> version to be 1.0-1... but 0~1 is a legal and valid version too.<br>

-- <br>
cheers,<br>
Holger<br>

⢀⣴⠾⠻⢶⣦⠀<br>
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org<br>
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C<br>
⠈⠳⣄<br>

I'm looking forward to Corona being a beer again and Donald a duck.<br> </blockquote></div>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Javier Fernandez-Sanguino@21:1/5 to serkan@vulniq.com on Mon May 17 11:20:01 2021

On Mon, 17 May 2021 at 09:58, Serkan Özkan <serkan@vulniq.com> wrote:

Hello,
In theory, from version number numbering point of view only, yes less than 0.0 is valid. But in practice, as they are used in Debian OVAL definitions,
I don't think they are. I think these state values might be incorrect, probably unintentionally. And there are many, thousands, of these less than 0.0 versions, I don't think they are actually intended to test for pre version 0 releases.

Dear Serkan,

There is a problem with the OVAL definitions published in the website. The definitions are generated from the information available (in webwml files)
in the source code of the website but this is missing version information
in a way that can be properly interpreted by the scripts.

As a consequence, the output (the definitions) does not include an accurate value for the version. To implement this properly we would need to
re-engineer the script that was created in 2010. Help here would be appreciated, I can point you to the script + setup if you could help.

Hope above clarifies. Best regards,

Javier

<div dir="ltr"><div dir="ltr"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><br></div></div></div></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 17 May 2021 at 09:58, Serkan Özkan &
lt;<a href="mailto:serkan@vulniq.com">serkan@vulniq.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hello,<div>In theory, from version
number numbering point of view only, yes less than 0.0 is valid. But in practice, as they are used in Debian OVAL definitions, I don't think they are. I think these state values might be incorrect, probably unintentionally. And there are many,
thousands, of these less than 0.0 versions, I don't think they are actually intended to test for pre version 0 releases.</div></div></blockquote><div><br></div><div>Dear Serkan,</div><div><br></div><div>There is a problem with the OVAL definitions
published in the website. The definitions are generated from the information available (in webwml files) in the source code of the website but this is missing version information in a way that can be properly interpreted by the scripts.</div><div><br></

<div>As a consequence, the output (the definitions) does not include an accurate value for the version. To implement this properly we would need to re-engineer the script that was created in 2010. Help here would be appreciated, I can point you to

the script + setup if you could help.</div><div> </div><div>Hope above clarifies. Best regards,</div><div><br></div><div>Javier</div></div></div>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From =?utf-8?Q?S=C3=A9bastien_Delafond?=@21:1/5 to All on Mon May 17 13:00:01 2021

Hi,

the Debian Security team periodically gets requests and/or bug reports
about the OVAL exports, and our general stance is that although we can't provide support for them, I'll gladly review and accept PRs on the OVAL generation code if people are interested in fixing whatever issues they
find on their end.

Cheers,

--
Seb

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From =?UTF-8?Q?Serkan_=C3=96zkan?=@21:1/5 to serkan@vulniq.com on Mon May 17 20:20:01 2021

Hello Seb,
For some reason I didn't receive your email but saw it on the mailing list archive page.
OVAL definitions are important for us and we would like to fix them if possible. Can you please let me know where the code is?

Thank you,
Serkan

On Mon, 17 May 2021 at 12:22, Serkan Özkan <serkan@vulniq.com> wrote:

Hello,
Thanks for the information Javier. Not promising anything, but I can try
to fix the script if you can point me to the script + setup.

Thank you,
Serkan

On Mon, 17 May 2021 at 12:14, Javier Fernandez-Sanguino <jfs@debian.org> wrote:

On Mon, 17 May 2021 at 09:58, Serkan Özkan <serkan@vulniq.com> wrote:

Hello,
In theory, from version number numbering point of view only, yes less
than 0.0 is valid. But in practice, as they are used in Debian OVAL
definitions, I don't think they are. I think these state values might be >>> incorrect, probably unintentionally. And there are many, thousands, of
these less than 0.0 versions, I don't think they are actually intended to >>> test for pre version 0 releases.

Dear Serkan,

There is a problem with the OVAL definitions published in the website.
The definitions are generated from the information available (in webwml
files) in the source code of the website but this is missing version
information in a way that can be properly interpreted by the scripts.

As a consequence, the output (the definitions) does not include an
accurate value for the version. To implement this properly we would need to >> re-engineer the script that was created in 2010. Help here would be
appreciated, I can point you to the script + setup if you could help.

Hope above clarifies. Best regards,

Javier

<div dir="ltr">Hello Seb,<div>For some reason I didn't receive your email but saw it on the mailing list archive page.</div><div>OVAL definitions are important for us and we would like to fix them if possible. Can you please let me know where the
code is?</div><div><br></div><div>Thank you,</div><div>Serkan</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 17 May 2021 at 12:22, Serkan Özkan <<a href="mailto:serkan@vulniq.com">serkan@vulniq.com</a>> wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hello,<div>Thanks for the information Javier. Not promising anything, but I can try to fix the script if you can
point me to the script + setup. </div><div><br></div><div>Thank you,</div><div>Serkan</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 17 May 2021 at 12:14, Javier Fernandez-Sanguino <<a href="mailto:jfs@debian.org"
target="_blank">jfs@debian.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><br></div></

</div></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 17 May 2021 at 09:58, Serkan Özkan <<a href="mailto:serkan@vulniq.com" target="_blank">serkan@vulniq.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="

margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hello,<div>In theory, from version number numbering point of view only, yes less than 0.0 is valid. But in practice, as they are used in Debian OVAL
definitions, I don't think they are. I think these state values might be incorrect, probably unintentionally. And there are many, thousands, of these less than 0.0 versions, I don't think they are actually intended to test for pre version 0
releases.</div></div></blockquote><div><br></div><div>Dear Serkan,</div><div><br></div><div>There is a problem with the OVAL definitions published in the website. The definitions are generated from the information available (in webwml files) in the
source code of the website but this is missing version information in a way that can be properly interpreted by the scripts.</div><div><br></div><div>As a consequence, the output (the definitions) does not include an accurate value for the version. To
implement this properly we would need to re-engineer the script that was created in 2010. Help here would be appreciated, I can point you to the script + setup if you could help.</div><div> </div><div>Hope above clarifies. Best regards,</div><div><br></

<div>Javier</div></div></div>

</blockquote></div>
</blockquote></div>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Javier Fernandez-Sanguino@21:1/5 to serkan@vulniq.com on Mon May 17 22:00:01 2021

On Mon, 17 May 2021 at 19:58, Serkan Özkan <serkan@vulniq.com> wrote:

Hello Seb,
For some reason I didn't receive your email but saw it on the mailing list archive page.
OVAL definitions are important for us and we would like to fix them if possible. Can you please let me know where the code is?

Hi Serkan,

I believe the latest version of the code for the OVAL definitions
generation is in the source code of the website, more specifically in this directory: https://salsa.debian.org/webmaster-team/webwml/-/blob/master/english/security/oval/generate.py.
An older version was the Perl script I developed (at https://salsa.debian.org/webmaster-team/webwml/-/blob/master/english/security/parse-wml-oval.pl)
which is not functional anymore.

To generate the definitions, you need to have a copy of all the Debian
Security Advisories, which is available in the web source repository (at https://salsa.debian.org/webmaster-team/webwml/-/tree/master/english/security ).

Hope the above helps.

Javier

<div dir="ltr"><div dir="ltr"><br></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 17 May 2021 at 19:58, Serkan Özkan <<a href="mailto:serkan@vulniq.com">serkan@vulniq.com</a>> wrote:<br></div><blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hello Seb,<div>For some reason I didn't receive your email but saw it on the mailing list archive page.</div><div>OVAL definitions are
important for us and we would like to fix them if possible. Can you please let me know where the code is?</div><div><br></div></div></blockquote><div><br></div><div>Hi Serkan,</div><div><br></div><div>I believe the latest version of the code for the OVAL
definitions generation is in the source code of the website, more specifically in this directory: <a href="https://salsa.debian.org/webmaster-team/webwml/-/blob/master/english/security/oval/generate.py">https://salsa.debian.org/webmaster-team/webwml/-/
blob/master/english/security/oval/generate.py</a>. An older version was the Perl script I developed (at <a href="https://salsa.debian.org/webmaster-team/webwml/-/blob/master/english/security/parse-wml-oval.pl">https://salsa.debian.org/webmaster-team/
webwml/-/blob/master/english/security/parse-wml-oval.pl</a>) which is not functional anymore.</div><div><br></div><div>To generate the definitions, you need to have a copy of all the Debian Security Advisories, which is available in the web source
repository (at <a href="https://salsa.debian.org/webmaster-team/webwml/-/tree/master/english/security">https://salsa.debian.org/webmaster-team/webwml/-/tree/master/english/security</a>).</div><div><br></div><div>Hope the above helps.</div><div><br></div>
<div>Javier</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(
204,204,204);padding-left:1ex"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
</blockquote></div>
</blockquote></div>
</blockquote></div></div>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Who's Online
Recent Visitors
- Bob Worm
  Thu Apr 25 22:17:10 2024
  from Wales, Uk via Telnet
- Keyop
  Thu Apr 25 21:14:50 2024
  from Huddersfield, West Yorkshire via SSH
- Cronus
  Thu Apr 25 18:32:15 2024
  from Provo, Ut via SSH
- Cronus
  Thu Apr 25 18:24:38 2024
  from Provo, Ut via SSH

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	296
Nodes:	16 (2 / 14)
Uptime:	59:51:27
Calls:	6,654
Calls today:	6
Files:	12,200
Messages:	5,331,285

"Version less than 0.0" in OVAL definitions

Who's Online

Recent Visitors

System Info