Hank Donnay

Results 111 comments of Hank Donnay

Why not mandate a uniform tag policy that specifies RPM semantics? Or add this information into the layer itself? Or use CPEs correctly? Additional state needed to interpret layers sucks...

Updated the title to reflect the issue better, and closing to indicate we won't be doing this.

@crozzy regarding the big-boy "add new package" commit: any opinion on how to split it up? I was thinking the common code and associated tests in a few commits, then...

I think it is good to get reviewed. I think the tests need a later pass to work through the `Sequence Scan` test.

No; if you want to look at OSV, that's over in the [osv package](https://github.com/quay/claircore/blob/88a418678f24255f02d6ba27de6dbe3b475d368d/updater/osv/osv.go#L486).

Yes, if the version contains non-numeric components it can't get normalized into claircore's range type. It should still be encoded in the "FixedInVersion".

I'm not sure what you're saying, here. I would expect the information persisted into the database to not have a `vulnerable_range` column populated because one of the versions has a...

Ah, you're comparing across an `ECOSYSTEM` range and a `SEMVER` range. In the first example, it looks like there might be a bug where the maven package reports that it's...

This uses the mean, but probably shouldn't. Something like a running median would be better, but would require an indexed skip list implementation.