chainguard-dev / melange

build APKs from source code
Apache License 2.0

pkg-config versions may not align with apk versions #1172

Open jonjohnsonjr opened 2 months ago

jonjohnsonjr commented 2 months ago

We ran into this with bash-dev, which has:

```
curl -sL https://packages.wolfi.dev/os/aarch64/bash-dev-5.2.21-r1.apk | tar -Oxz usr/lib/pkgconfig/bash.pc | grep Version
Version: 5.2-release
```

Which makes `apk add` fail (but for some reason only with a local .apk???), which means we can't bump bash in wolfi.

We kind of try to do this with https://github.com/chainguard-dev/melange/blob/0a50317b8fe3d7fd4c3cd6cdcb658752a6f992d5/pkg/sca/sca.go#L387 but that only works for suffixes that also happen to be valid apk suffixes.

I'm not sure how we want to handle this, maybe we just ignore versions that aren't valid? Do we try to trim suffixes until it's a valid version? Who knows.

xnox commented 2 months ago

IMHO the version for pc that we put in APK metadata should be the package metadata, not the contents of the pc Version field.

Whilst it feels like the soname, it really isn't.

kaniini commented 1 month ago

Yeah I agree, it was a mistake to do this in abuild, too. I think we should push to just change it to $pkgver everywhere.
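An added illustration of the two points raised in this thread (the suffix problem in the opening post and the `$pkgver` fallback proposed above); this is example code written here, not melange's `sca.go` logic. It assumes the apk-tools version grammar (digits, optional single letter, optional `_alpha`/`_beta`/`_pre`/`_rc`/`_cvs`/`_svn`/`_git`/`_hg`/`_p` parts, optional `-rN` revision) and a constructed `bash.pc` mirroring the `5.2-release` case:

```python
import re
from typing import Optional

# Grammar of an apk-tools package version (assumption of this example, not a
# melange API): digits, optional single letter, optional _suffix parts with an
# optional number, optional -rN package revision.
_APK_SUFFIXES = ("alpha", "beta", "pre", "rc", "cvs", "svn", "git", "hg", "p")
_APK_VERSION_RE = re.compile(
    r"^\d+(\.\d+)*[a-z]?"
    r"(_(" + "|".join(_APK_SUFFIXES) + r")\d*)*"
    r"(-r\d+)?$"
)


def is_valid_apk_version(version: str) -> bool:
    """True when apk would accept the string as a package version."""
    return _APK_VERSION_RE.match(version) is not None


def parse_pc_version(pc_text: str) -> Optional[str]:
    """Return the Version: field of a pkg-config .pc file, or None if absent."""
    for line in pc_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Version":
            return value.strip()
    return None


def provides_version(pc_text: str, pkgver: str) -> str:
    """Version to record for a pc: provides entry.

    Uses the .pc Version only when apk would accept it verbatim; a value such
    as "5.2-release" ("-release" is not a valid apk suffix) falls back to the
    package's own version, which is what the thread proposes.
    """
    pc_ver = parse_pc_version(pc_text)
    if pc_ver is not None and is_valid_apk_version(pc_ver):
        return pc_ver
    return pkgver


# Constructed sample .pc content mirroring the bash.pc case from the issue.
BASH_PC = """prefix=/usr
Name: bash
Description: Bash headers for bash loadable builtins
Version: 5.2-release
"""

if __name__ == "__main__":
    print(provides_version(BASH_PC, "5.2.21-r1"))  # 5.2.21-r1
```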