tech-pkg archive


Re: binary pkg "variants" ? [was: Re: Package split or package options?]



On Sunday, at 13:54, Tim Zingelman wrote:
| I am concerned about how this will affect our ability to correctly
| produce patterns for the pkg-vulnerabilities file (used by
| audit-packages.)
| We too often have a hard time getting all the patterns right, and
| unless I misunderstand how this change to package names and new
| matching will work this will make things significantly harder.
| Perhaps an example will help me understand... If a package has 6
| possible non-mutually exclusive options, 2 of which are default and
| there is a vulnerability in the base package (with or without options)
| how do we specify a pattern?  To be more concrete let's say the
| vulnerability is found in versions of pkgname starting with version 4
| and is fixed in pkgname-4.3.2nb1, and let's call the options aaa, bbb,
| ccc, ddd, eee & fff, with bbb & fff being default options.  Prior to
| these proposed changes we would use the pattern pkgname>=4<4.3.2nb1
| I appreciate any assistance you can provide in helping me understand
| the fine details here.

Well, if the options don't affect the vulnerability, pkgname>=4<4.3.2nb1 would
work just fine and match all packages in the version range whatever their
option.

But if the vulnerability is, say, only in option aaa (no matter if it's a
default option or not), then the vulnerable packages would be
pkgname>=4<4.3.2nb1~aaa

And if the vulnerability is instead present with all options but option bbb,
then the vulnerable packages would be
pkgname>=4<4.3.2nb1~!bbb

('!' representing 'not', but it could be ^ as well or whatever char that is
deemed appropriate)
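As an added illustration (not code from this thread nor from pkgsrc's own audit-packages), here is a small matcher for the pattern syntax proposed above: a name, one or more version bounds, and optional `~opt` / `~!opt` suffixes. Version ordering is a simplified assumption (dotted numerics plus an `nbN` revision), not pkgsrc's full dewey comparison; the grammar accepting several `~` suffixes is also an assumption.

```python
import re
from typing import Iterable

def version_key(version: str) -> tuple:
    # Assumed, simplified ordering: "4.3.2nb1" -> ((4, 3, 2), 1); real pkgsrc
    # dewey ordering also handles alpha/beta/rc/pl and letter suffixes.
    base, _, nb = version.partition("nb")
    parts = tuple(int(p) for p in base.split(".") if p.isdigit())
    return parts, (int(nb) if nb.isdigit() else 0)

def version_cmp(a: str, b: str) -> int:
    """Return -1, 0 or 1; pads so that 4 compares equal to 4.0 (not lower)."""
    (pa, na), (pb, nb) = version_key(a), version_key(b)
    width = max(len(pa), len(pb))
    ka = ((pa + (0,) * width)[:width], na)
    kb = ((pb + (0,) * width)[:width], nb)
    return (ka > kb) - (ka < kb)

_OPS = {">=": lambda c: c >= 0, ">": lambda c: c > 0,
        "<=": lambda c: c <= 0, "<": lambda c: c < 0}
_PATTERN = re.compile(
    r"^([A-Za-z0-9_.+-]+)((?:(?:>=|>|<=|<)[0-9A-Za-z.]+)+)((?:~!?[A-Za-z0-9_-]+)*)$")

def parse_pattern(pattern: str):
    """Split 'pkgname>=4<4.3.2nb1~!bbb' into name, [(op, bound)], [(opt, negated)]."""
    m = _PATTERN.match(pattern)
    if not m:
        raise ValueError(f"unparseable pattern: {pattern}")
    name, bounds, option_part = m.groups()
    cmps = re.findall(r"(>=|>|<=|<)([0-9A-Za-z.]+)", bounds)
    opts = [(tok.lstrip("!"), tok.startswith("!"))
            for tok in option_part.split("~")[1:]]
    return name, cmps, opts

def matches(pattern: str, pkgname: str, version: str,
            enabled_options: Iterable[str]) -> bool:
    """True if an installed package (name, version, enabled build options)
    falls under the vulnerability pattern."""
    name, cmps, opts = parse_pattern(pattern)
    if name != pkgname:
        return False
    if not all(_OPS[op](version_cmp(version, bound)) for op, bound in cmps):
        return False
    enabled = set(enabled_options)
    # ~opt requires the option to be on; ~!opt requires it to be off
    return all((opt not in enabled) if negated else (opt in enabled)
               for opt, negated in opts)
```

With the thread's example, `pkgname>=4<4.3.2nb1~!bbb` flags a 4.2 build with only the default `fff` enabled but not one built with `bbb`; the plain `pkgname>=4<4.3.2nb1` flags both.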

