[Rpm-ecosystem] Format and XML namespace for SWID collection metadata

Jan Pazdziora jpazdziora at redhat.com
Thu Feb 7 16:26:13 UTC 2019


Hello,

TL;DR: What XML namespace and what XML format to use for collection
	of SWID tags, distributed with yum/dnf metadata? I have a
	format which works and I'd need some final XML namespace
	before submitting a tool which creates said SWID tag collections
	to Fedora.

I've been working on a tool to generate SWID tags for rpm packages,
both installed and rpm files:

	https://github.com/swidtags/rpm2swidtag
	https://copr.fedorainfracloud.org/coprs/adelton/swid/

SWID tags are XML files with SoftwareIdentity root element in XML
namespace

	http://standards.iso.org/iso/19770/-2/2015/schema.xsd

XML schema of which can be found at

	https://standards.iso.org/iso/19770/-2/2015-current/schema.xsd

I'd also like to be able to generate SWID tags for yum/dnf
repositories, giving distributors a way to provide (potentially)
authoritative (per NIST IR 8060) and/or signed SWID tags for their
content. The relevant SWID tags, matching the newly installed or
upgraded packages, would then be put to disk on end machines using
a dnf plugin, copied from the repository metadata. A proof of concept
of this functionality is available today in the git sources and the
mechanism works.

To distribute a set of SWID tags, I need an XML namespace and schema
which would list packages in the repository like primary metadata
does, and for each package would include potentially multiple SWID
tags. An example of the format that I'm currently using can be seen
at

	https://github.com/swidtags/rpm2swidtag/blob/master/tests/repodata-swidtags.xml

which matches XSD

<?xml version="1.0" encoding="utf-8"?>
<xs:schema
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:swid="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
  targetNamespace="http://adelton.fedorapeople.org/rpm2swidtag/metadata-fixme"
  elementFormDefault="qualified">
  <xs:import namespace="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    schemaLocation="https://standards.iso.org/iso/19770/-2/2015-current/schema.xsd"/>
  <xs:annotation>
    <xs:documentation>
      Schema for collection of SWID tags in single XML file, to be used in yum/dnf repositories
    </xs:documentation>
  </xs:annotation>
  <xs:element name="metadata">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="package" minOccurs="0" maxOccurs="unbounded">
          <xs:complexType>
            <xs:sequence>
              <xs:element ref="swid:SoftwareIdentity" minOccurs="0" maxOccurs="unbounded"/>
            </xs:sequence>
            <xs:attribute name="pkgid" type="xs:string" use="required"/>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>

Essentially, the same way primary.xml.gz

<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" xmlns:rpm="http://linux.duke.edu/metadata/rpm" packages="6">
<package type="rpm">
  <name>hello</name>
  <arch>i386</arch>
  <version epoch="0" ver="1.0" rel="1"/>
  <checksum type="sha256" pkgid="YES">7c4f932d7e66cfa3fb2ae756f916527e8ddf48ef8e6e428ac80a3a298a2ab7ab</checksum>
[...]

is matched in filelists.xml.gz with

<?xml version="1.0" encoding="UTF-8"?>
<filelists xmlns="http://linux.duke.edu/metadata/filelists" packages="6">
<package pkgid="7c4f932d7e66cfa3fb2ae756f916527e8ddf48ef8e6e428ac80a3a298a2ab7ab" name="hello" arch="i386">
  <version epoch="0" ver="1.0" rel="1"/>
[...]

I'm using the same pkgid value (which happens to be SHA256 of the
whole .rpm file) as a way to match package elements in the SWID tag
collection file to the entries in primary.xml.gz:

<?xml version='1.0' encoding='UTF-8'?>
<metadata xmlns="http://adelton.fedorapeople.org/rpm2swidtag/metadata-fixme">
  <package pkgid="7c4f932d7e66cfa3fb2ae756f916527e8ddf48ef8e6e428ac80a3a298a2ab7ab">
    <SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" 
[...]
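As an added illustration of the pkgid join described above (example code, not part of rpm2swidtag or of this post), the following Python script parses a constructed primary.xml and a constructed SWID tag collection, joins them on pkgid, and reports packages that have no tags and tags whose pkgid matches no package. It also checks a downloaded .rpm against the pkgid its tags were filed under, since the post defines pkgid as the SHA-256 of the whole .rpm file. Assumptions: the collection namespace is the post's current placeholder, the sample packages, byte strings and tagId values under example.org are constructed, and only the stdlib ElementTree is used, so no XSD validation happens here.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Namespaces as given in the post; the collection namespace is the author's
# stated placeholder and is an assumption of this example.
NS_COMMON = "http://linux.duke.edu/metadata/common"
NS_SWIDTAGS = "http://adelton.fedorapeople.org/rpm2swidtag/metadata-fixme"
NS_SWID = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"

# A pkgid is a lowercase hex SHA-256 digest: exactly 64 hex characters.
PKGID_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed stand-ins for .rpm file contents (not real rpm files).
PKG_BYTES = {
    "hello": b"constructed-rpm-bytes-for-hello-1.0-1.i386",
    "world": b"constructed-rpm-bytes-for-world-2.0-1.i386",
}


def rpm_pkgid(rpm_data: bytes) -> str:
    """pkgid as the post describes it: SHA-256 of the whole .rpm file."""
    return hashlib.sha256(rpm_data).hexdigest()


def pkgid_matches(rpm_data: bytes, pkgid: str) -> bool:
    """Check a downloaded .rpm against the pkgid its SWID tags were filed under."""
    return hmac.compare_digest(rpm_pkgid(rpm_data), pkgid.strip().lower())


# Constructed primary.xml with two packages; checksums are computed from the
# constructed bytes above so the sample is self-consistent.
PRIMARY_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="{NS_COMMON}" xmlns:rpm="http://linux.duke.edu/metadata/rpm" packages="2">
<package type="rpm">
  <name>hello</name>
  <arch>i386</arch>
  <version epoch="0" ver="1.0" rel="1"/>
  <checksum type="sha256" pkgid="YES">{rpm_pkgid(PKG_BYTES['hello'])}</checksum>
</package>
<package type="rpm">
  <name>world</name>
  <arch>i386</arch>
  <version epoch="0" ver="2.0" rel="1"/>
  <checksum type="sha256" pkgid="YES">{rpm_pkgid(PKG_BYTES['world'])}</checksum>
</package>
</metadata>
"""

# Constructed SWID tag collection: "hello" has one tag, "world" has none, and a
# third entry carries a pkgid that appears nowhere in primary.xml.
SWIDTAGS_XML = f"""<?xml version='1.0' encoding='UTF-8'?>
<metadata xmlns="{NS_SWIDTAGS}">
  <package pkgid="{rpm_pkgid(PKG_BYTES['hello'])}">
    <SoftwareIdentity xmlns="{NS_SWID}" name="hello" version="1.0-1"
        tagId="example.org-hello-1.0-1.i386" tagVersion="0"/>
  </package>
  <package pkgid="{'0' * 64}">
    <SoftwareIdentity xmlns="{NS_SWID}" name="orphan" version="9.9"
        tagId="example.org-orphan-9.9" tagVersion="0"/>
  </package>
</metadata>
"""


def primary_pkgids(xml_text: str) -> dict:
    """Map pkgid -> (name, arch) from primary.xml.

    Only sha256 checksums flagged pkgid="YES" are accepted as identifiers."""
    root = ET.fromstring(xml_text)
    out = {}
    for pkg in root.findall(f"{{{NS_COMMON}}}package"):
        cs = pkg.find(f"{{{NS_COMMON}}}checksum")
        if cs is None or cs.get("pkgid") != "YES" or cs.get("type") != "sha256":
            continue
        pkgid = (cs.text or "").strip().lower()
        if not PKGID_RE.match(pkgid):
            continue
        out[pkgid] = (pkg.findtext(f"{{{NS_COMMON}}}name"),
                      pkg.findtext(f"{{{NS_COMMON}}}arch"))
    return out


def collection_tags(xml_text: str) -> dict:
    """Map pkgid -> list of SWID tagId values from the collection file."""
    root = ET.fromstring(xml_text)
    out = {}
    for pkg in root.findall(f"{{{NS_SWIDTAGS}}}package"):
        pkgid = (pkg.get("pkgid") or "").strip().lower()
        if not PKGID_RE.match(pkgid):
            raise ValueError(f"malformed pkgid: {pkgid!r}")
        tags = [si.get("tagId")
                for si in pkg.findall(f"{{{NS_SWID}}}SoftwareIdentity")]
        out.setdefault(pkgid, []).extend(tags)
    return out


def reconcile(primary_xml: str, swidtags_xml: str) -> dict:
    """Join both files on pkgid and report what a consumer would want to know."""
    pkgs = primary_pkgids(primary_xml)
    tags = collection_tags(swidtags_xml)
    return {
        "matched": {p: tags[p] for p in tags if p in pkgs},
        "packages_without_tags": sorted(pkgs[p][0] for p in pkgs if p not in tags),
        "tags_without_package": sorted(p for p in tags if p not in pkgs),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(reconcile(PRIMARY_XML, SWIDTAGS_XML), indent=2))
```

Because pkgid is only a hash of the .rpm, a dnf plugin that copies tags to disk gains nothing from the join alone; the useful check on the client side is pkgid_matches() against the package it actually installed, which ties the tag to the bytes rather than to the repository's claim.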

I've left out the @name and @arch attributes and the version EVR
element from the package elements as they seem unnecessary and redundant.
I also currently do not include the @packages attribute at the
top-level element, even if I'd be happy to add it if it is deemed
useful.

Based on the feedback we got to our Fedora 30 change page

	https://fedoraproject.org/wiki/Changes/SWID_Tag_Enablement

on the Fedora devel mailing list

	https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/T5HDVVBVFSDL54AOYHGSVNDCLOJOJCQM/

I'm hence seeking opinions about the suitability of this SWID tag
collection XML format, primarily from the point of view of
compatibility beyond Fedora/dnf, as well as extendability going forward.

I'm also looking for a reasonable XML namespace instead of my current

	http://adelton.fedorapeople.org/rpm2swidtag/metadata-fixme

placeholder, ideally one where the XSD file could also be hosted. I wonder
if something like

	http://rpm.org/metadata/swidtags

would be appropriate. In the future, we could even host XSDs for the
existing

	http://linux.duke.edu/metadata/*

namespaces there.

Thank you for any guidance,

-- 
Jan Pazdziora
Senior Principal Software Engineer, Security Engineering, Red Hat