Dan Luhring
An alternative solution discussed recently would be to avoid storing tombstones in the advisory data itself, and instead ensure that a **full list** of withdrawn packages exists in the _distro...
Thanks @hectorj2f! IIRC, I hadn't included multiple updates at once when I was designing the tester implementation — but now that we're going to use this more, and especially beyond...
Thanks @tstromberg. This part is in flux right now, apologies for the pain here 😞. Can you try again without `-a . -d ../os`?
cc: @kaniini @rawlingsj
@kaniini @rawlingsj @imjasonh Does this need our attention urgently? Or should we keep this on the back burner?
> The go build command now sets the [main module’s version](https://tip.golang.org/pkg/runtime/debug#BuildInfo.Main) in the compiled binary based on the version control system tag and/or commit. A +dirty suffix will be appended if...
I'm wondering if this issue has been largely handled by https://github.com/anchore/syft/pull/3660 (cc: @wagoodman and @westonsteimel), with potentially two cases to note... 1. Since there will be common cases when Go...
> Since there will be common cases when Go is adding the +dirty suffix to the main module version, I'm curious whether that's okay to propagate [...]

Yeah I think...

> Yeah I think the +dirty might need attention in matching land?

x-ref: https://github.com/anchore/grype/issues/2482