
pkg-config versions may not align with apk versions

Open jonjohnsonjr opened this issue 1 year ago • 2 comments

We ran into this with bash-dev which has:

curl -sL https://packages.wolfi.dev/os/aarch64/bash-dev-5.2.21-r1.apk | tar -Oxz usr/lib/pkgconfig/bash.pc | grep Version
Version: 5.2-release

Which makes apk add fail (but for some reason only with a local .apk???) which means we can't bump bash in wolfi.

We kind of try to do this with https://github.com/chainguard-dev/melange/blob/0a50317b8fe3d7fd4c3cd6cdcb658752a6f992d5/pkg/sca/sca.go#L387 but that only works for suffixes that also happen to be valid apk suffixes.

I'm not sure how we want to handle this, maybe we just ignore versions that aren't valid? Do we try to trim suffixes until it's a valid version? Who knows.

jonjohnsonjr, Apr 24 '24 19:04

IMHO the version for pc that we put in APK metadata should be the package metadata, not contents of pc Version.

Whilst it feels like the soname, it really isn't.

xnox, Apr 25 '24 00:04

Yeah I agree, it was a mistake to do this in abuild, too. I think we should push to just change it to $pkgver everywhere.

kaniini, May 15 '24 18:05
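
The check discussed in this thread, as an added example that is not melange's or apk-tools' code: it rejects a `.pc` Version that is not a valid apk version and falls back to the package version instead. The regular expression is a simplified approximation of the apk version grammar, and `IsValidApkVersion`, `PcProvides` and the `pc:<name>=<version>` entry layout are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"regexp"
)

// apkVersionRE is a simplified approximation of the apk version grammar
// (an assumption of this example): dot-separated digits, an optional
// letter, optional _suffix groups, and an optional -rN package revision.
var apkVersionRE = regexp.MustCompile(
	`^[0-9]+(\.[0-9]+)*[a-z]?(_(alpha|beta|pre|rc|cvs|svn|git|hg|p)[0-9]*)*(-r[0-9]+)?$`)

// IsValidApkVersion reports whether v matches the simplified grammar above.
func IsValidApkVersion(v string) bool { return apkVersionRE.MatchString(v) }

// PcProvides (hypothetical helper) builds a "pc:<name>=<version>" entry.
// The .pc Version is used only when it is a valid apk version; otherwise
// the package's own version is used and fellBack is true.
func PcProvides(name, pcVersion, pkgVersion string) (entry string, fellBack bool) {
	if IsValidApkVersion(pcVersion) {
		return fmt.Sprintf("pc:%s=%s", name, pcVersion), false
	}
	return fmt.Sprintf("pc:%s=%s", name, pkgVersion), true
}

func main() {
	// Constructed inputs; the first row is the bash.pc case from the issue.
	cases := [][3]string{
		{"bash", "5.2-release", "5.2.21"},
		{"zlib", "1.3.1", "1.3.1"},
		{"foo", "2.0_rc1", "2.0"},
	}
	for _, c := range cases {
		entry, fellBack := PcProvides(c[0], c[1], c[2])
		fmt.Printf("%-18s fallback=%-5v pc Version=%q\n", entry, fellBack, c[1])
	}
}
```

Logging every fallback during a build makes mismatched `.pc` files visible instead of letting them surface later as an install failure.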