Hello,
In theory, from a version numbering point of view only, yes, less than
0.0 is valid. But in practice, as they are used in Debian OVAL definitions,
I don't think they are. I think these state values might be incorrect,
probably unintentionally. And there are many, thousands, of these less than
0.0 versions; I don't think they are actually intended to test for
pre-version-0 releases.
For example, who could be using a pre-version-0 release of glibc?

<dpkginfo_test check="all" check_existence="at_least_one_exists"
 comment="glibc is earlier than 0" id="oval:org.debian.oval:tst:22102"
 version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:3"/>
<state state_ref="oval:org.debian.oval:ste:14418"/>
</dpkginfo_test>
...
<dpkginfo_test check="all" check_existence="at_least_one_exists"
 comment="golang-1.11 is earlier than 0" id="oval:org.debian.oval:tst:22067"
 version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:2202"/>
<state state_ref="oval:org.debian.oval:ste:14410"/>
</dpkginfo_test>
...
<dpkginfo_test check="all" check_existence="at_least_one_exists"
 comment="rustc is earlier than 0" id="oval:org.debian.oval:tst:22068"
 version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:1670"/>
<state state_ref="oval:org.debian.oval:ste:14410"/>
</dpkginfo_test>
...
<dpkginfo_test check="all" check_existence="at_least_one_exists"
 comment="sqlcipher is earlier than 0" id="oval:org.debian.oval:tst:22069"
 version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:2614"/>
<state state_ref="oval:org.debian.oval:ste:14410"/>
</dpkginfo_test>

On Mon, 17 May 2021 at 09:40, Holger Levsen <hol...@layer-acht.org> wrote:

> On Sun, May 16, 2021 at 05:21:50PM +0300, Serkan Özkan wrote:
> > We are using Debian OVAL definitions but there are many tests, and states,
> > that test for dpkg versions being less than 0.0 which is impossible in
> > practice (right?).
>
> no, it's possible:
>
> 0~1 is a valid version. It's smaller than zero, yet it's not a negative
> number.
>
> It's usually used for versions like 1.0~0alpha1-1 to allow the next
> version to be 1.0-1... but 0~1 is a legal and valid version too.
>
>
> --
> cheers,
>         Holger
>
>  ⢀⣴⠾⠻⢶⣦⠀
>  ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
>  ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
>  ⠈⠳⣄
>
> I'm looking forward to Corona being a beer again and Donald a duck.
>
