Dimitri John Ledkov

Results 416 comments of Dimitri John Ledkov

Landing https://github.com/chainguard-dev/melange/pull/1622 first may make implementing this request easier.

@smoser if there is more than one provider of shared library, even today we must specify explicit dep on the runtime package name. Like for example today we compile against...

> This is basically a P0 because it is a remediation item from the curl incident... correct? We are racy. As we do continuous publication of .APK and app.apk can...

> Surely this is a race that can be solved on the server side with locks and atomic operations, flipping symlinks, no? Most distributions indeed do atomic pushes =>...

> > It would help a lot if libcrypto3 package had `provides = so:libcrypto.so.3=3.3.1-r4`, and for each of `openssl~3.N` packages had `depends = so:libcrypto.so.3>=3.N` as then `openssl~3.4` would have not...

In general, this proposal does not address how to change between two implementations, with different versioning schemes, of the same soname ABI. As in switch from zlib to zlib-ng or...

> I would be worried about changing the api of this function. Some applications might rely on the null value. I don't know if it makes sense to include a...

I'll double check again, but there are no indicator provisions for this as far as I can tell, even for any legacy use. Just automatic reject of submission. Similar to...

Re-reading ISO standard, it seems like adding indicators never hurts, even if error is always returned/enforced. Will add indicator.

> This doesn't seem to correspond to what SP800-131Ar2 (Table 4) says in relation to DH. DH relates to SP800-56A not FIPS 186-4. (This stuff is so confusing). So SP800-131Ar2...