[18:40] <teward> sec team, assuming you would know more about the answer(s) here: https://askubuntu.com/questions/1377027/security-oval-files-seem-to-give-false-positives
[18:40] <teward> RE the OVAL files for sec vulns
[18:46] <TJ-> looks more like the USN just doesn't list the affected binaries correctly; the linked names are to source packages, so there is a disconnect between binary and source
[18:49] <teward> *lets TJ or others write an answer*
[22:56] <amurray> teward: source packages can produce multiple binary packages, so when we publish USNs we hand-whittle down the list of binary packages which we mention in the USN to those which we believe to be actually affected (i.e. in this case, since the vuln is in the mysql server, we only mention this binary package in the USN, not the client libs)
[22:58] <amurray> but for completeness, the OVAL contains all binary packages which come from the source package - since some customers are quite cautious about this sort of thing and so we then err on the side of caution for this
[22:59] <amurray> as such the OVAL can give potential false positives, but since the 'whittling down' which I mentioned above is best-effort, to be completely sure it is better to install all updates to all the binary packages from a given USN rather than mixing and matching (also this then helps avoid issues like having client libs of one version being incompatible with the server of another)
[23:01] <amurray> oh I see sarnold just responded on the original askubuntu question - thanks :)
[23:01] <sarnold> :D
[23:01] <sarnold> it's reassuring to see many of the same points in your answer, hehe
[23:01] <amurray> yup - phew :)
[23:02] <sarnold> it's funny, I started the answer with "Hello Phil, we try to trim.." and something in their system stripped off the greeting but didn't fix up my capitalization for me, so it looked like I posted "we try to trim...". Not a fan. It also kept my 'Thanks' at the end, which feels odd to strip a greeting but keep the parting..
[23:03] <sarnold> at least the edit done quickly enough didn't mar the post with an "(edited)" thing for eternity. I'm not a fan of that :)