Hank Donnay
Going to re-draft this until after #1061 and the subsequent Scanner touching to be able to avoid all of the call-side rewrites that are currently in this PR.
#1061 and #1105 addressed the ergonomics of this API change, so I think this is good to get reviewed.
Can probably hack this into the current stuff; the real fix is a system-wide data store for this sort of garbage.
👋 We'd need to know what package manager is used and how/if it's different from other uses, and where the security advisories are published and in what format.
I think the steps to take are: - [ ] Split the `apk` indexer out of the `alpine` package - [ ] Modularize the `alpine` Updater machinery and create an...
I suspect this is because of claircore's (poor) heuristic for matching packages to repositories. I think claircore would need to interrogate dnf/yum databases to get this information.
Maybe? But those files are put there by the Red Hat build system, so putting something there in a "downstream" build would be contra the intended use.
`Rpm` doesn't take note of this information. So, as I said, there's a heuristic there.
See also [PROJQUAY-5185](https://issues.redhat.com/browse/PROJQUAY-5185).
Thank you so much for doing that. That's very heartening, I'll keep plugging away at it.