davidjharder

We use a CVE check tool that looks for potentially unpatched CVEs (though it is imperfect). Providing nopatch files means "ignore the CVE with this file name" and is typically used when there either is no patch, or in the case of grub and most other packages when we're using a git source / remote that has a HEAD^ that is at or ahead of when the CVE patches landed. Basically our way of telling the tool "we're smarter than you."