[Rpm-ecosystem] Format and XML namespace for SWID collection metadata

Neal Gompa ngompa13 at gmail.com
Mon Feb 18 17:14:43 UTC 2019


On Thu, Feb 7, 2019 at 11:26 AM Jan Pazdziora <jpazdziora at redhat.com> wrote:
>
>
> Hello,
>
> TL;DR: What XML namespace and what XML format to use for collection
>         of SWID tags, distributed with yum/dnf metadata? I have
>         format which works and I'd need some final XML namespace
>         before submitting a tool which creates said SWID tag collections
>         to Fedora.
>
> I've been working on a tool to generate SWID tags for rpm packages,
> both installed and rpm files:
>
>         https://github.com/swidtags/rpm2swidtag
>         https://copr.fedorainfracloud.org/coprs/adelton/swid/
>
> SWID tags are XML files with SoftwareIdentity root element in XML
> namespace
>
>         http://standards.iso.org/iso/19770/-2/2015/schema.xsd
>
> XML schema of which can be found at
>
>         https://standards.iso.org/iso/19770/-2/2015-current/schema.xsd
>
> I'd also like to be able to generate SWID tags for yum/dnf
> repositories, giving distributors a way to provide (potentially)
> authoritative (per NIST IR 8060) and/or signed SWID tags for their
> content. The relevant SWID tags, matching the newly installed or
> upgraded packages, would then be put to disk on end machines using
> dnf plugin, copied from the repository metadata. A proof of concept
> of this functionality is available today in the git sources and the
> mechanism works.

This looks mostly fine, but this _really_ should be integrated into
librepo and libdnf rather than being a dnf plugin. Otherwise not
everything will have the ability to access it.

>
> To distribute set of SWID tags, I need an XML namespace and schema
> which would list packages in the repository like primary metadata
> does, and for each package would include potentially multiple SWID
> tags. An example of the format that I'm currently using can be seen
> at
>
>         https://github.com/swidtags/rpm2swidtag/blob/master/tests/repodata-swidtags.xml
>
> which matches XSD
>
> <?xml version="1.0" encoding="utf-8"?>
> <xs:schema
>   xmlns:xs="http://www.w3.org/2001/XMLSchema"
>   xmlns:swid="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
>   targetNamespace="http://adelton.fedorapeople.org/rpm2swidtag/metadata-fixme"
>   elementFormDefault="qualified">
>   <xs:import namespace="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
>     schemaLocation="https://standards.iso.org/iso/19770/-2/2015-current/schema.xsd"/>
>   <xs:annotation>
>     <xs:documentation>
>       Schema for collection of SWID tags in single XML file, to be used in yum/dnf repositories
>     </xs:documentation>
>   </xs:annotation>
>   <xs:element name="metadata">
>     <xs:complexType>
>       <xs:sequence>
>         <xs:element name="package" minOccurs="0" maxOccurs="unbounded">
>           <xs:complexType>
>             <xs:sequence>
>               <xs:element ref="swid:SoftwareIdentity" minOccurs="0" maxOccurs="unbounded"/>
>             </xs:sequence>
>             <xs:attribute name="pkgid" type="xs:string" use="required"/>
>           </xs:complexType>
>         </xs:element>
>       </xs:sequence>
>     </xs:complexType>
>   </xs:element>
> </xs:schema>
>
> Essentially, the same way primary.xml.gz
>
> <?xml version="1.0" encoding="UTF-8"?>
> <metadata xmlns="http://linux.duke.edu/metadata/common" xmlns:rpm="http://linux.duke.edu/metadata/rpm" packages="6">
> <package type="rpm">
>   <name>hello</name>
>   <arch>i386</arch>
>   <version epoch="0" ver="1.0" rel="1"/>
>   <checksum type="sha256" pkgid="YES">7c4f932d7e66cfa3fb2ae756f916527e8ddf48ef8e6e428ac80a3a298a2ab7ab</checksum>
> [...]
>
> is matched in filelists.xml.gz with
>
> <?xml version="1.0" encoding="UTF-8"?>
> <filelists xmlns="http://linux.duke.edu/metadata/filelists" packages="6">
> <package pkgid="7c4f932d7e66cfa3fb2ae756f916527e8ddf48ef8e6e428ac80a3a298a2ab7ab" name="hello" arch="i386">
>   <version epoch="0" ver="1.0" rel="1"/>
> [...]
>
> I'm using the same pkgid value (which happens to be SHA256 of the
> whole .rpm file) as a way to match package elements in the SWID tag
> collection file to the entries in primary.xml.gz:
>
> <?xml version='1.0' encoding='UTF-8'?>
> <metadata xmlns="http://adelton.fedorapeople.org/rpm2swidtag/metadata-fixme">
>   <package pkgid="7c4f932d7e66cfa3fb2ae756f916527e8ddf48ef8e6e428ac80a3a298a2ab7ab">
>     <SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
> [...]
>
> I've left out the @name and @arch attributes and the version EVR
> element from the package elements as they seem unnecessary and redundant.
> I also currently do not include the @packages attribute at the
> top-level element, even if I'd be happy to add it if it is deemed
> useful.
>

I'm not too sure here. Not having those attributes makes it hard to
read the document as a standalone piece of metadata. And I'd rather it
be possible to consider it as a document that can be mapped and merged
into primary.xml as others are.

> Based on the feedback we got to our Fedora 30 change page
>
>         https://fedoraproject.org/wiki/Changes/SWID_Tag_Enablement
>
> on the Fedora devel mailing list
>
>         https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/T5HDVVBVFSDL54AOYHGSVNDCLOJOJCQM/
>
> I'm hence seeking opinions about the suitability of this SWID tag
> collection XML format, primarily from the point of view of
> compatibility beyond Fedora/dnf, as well as extendability going forward.
>
> I'm also looking for reasonable XML namespace instead of my current
>
>         http://adelton.fedorapeople.org/rpm2swidtag/metadata-fixme
>
> placeholder, ideally one where the XSD file could also be hosted. I wonder
> if something like
>
>         http://rpm.org/metadata/swidtags
>
> would be appropriate. In the future, we could even host XSDs for the
> existing
>
>         http://linux.duke.edu/metadata/*
>
> namespaces there.
>

It's on my TODO to collect all the schema documents for rpm-md and
host them in one place. My plan is to get that all in one place and
set up something that would let you browse the schema for the main
stuff and valid extensions.

I wish we could recover the old site from Duke University, though...


-- 
真実はいつも一つ!/ Always, there's only one truth!
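As an added example (not part of this mail, of rpm2swidtag, or of dnf), a Python sketch of the pkgid matching the mail describes, done the way a consumer on the end machine should do it before copying a tag to disk: the collection's pkgid must appear in primary.xml and must equal the SHA256 of the rpm actually downloaded. The primary.xml and collection documents are constructed to match the excerpts above, the rpm bytes and tagId values are invented, and the `metadata-fixme` namespace is the placeholder from the mail.

```python
import hashlib
import xml.etree.ElementTree as ET

COMMON_NS = "{http://linux.duke.edu/metadata/common}"
SWID_NS = "{http://standards.iso.org/iso/19770/-2/2015/schema.xsd}"
COLL_NS = "{http://adelton.fedorapeople.org/rpm2swidtag/metadata-fixme}"  # placeholder namespace from the mail

# Constructed stand-in for a downloaded hello-1.0-1.i386.rpm; its SHA256 is the pkgid.
RPM_BYTES = b"constructed rpm payload for hello-1.0-1.i386"
PKGID = hashlib.sha256(RPM_BYTES).hexdigest()
UNKNOWN = "0" * 64  # pkgid that no primary.xml entry carries

# Constructed minimal primary.xml and SWID tag collection, shaped like the excerpts in the mail.
PRIMARY_XML = f"""<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
<package type="rpm"><name>hello</name><arch>i386</arch><version epoch="0" ver="1.0" rel="1"/>
  <checksum type="sha256" pkgid="YES">{PKGID}</checksum></package></metadata>"""
SWIDTAGS_XML = f"""<metadata xmlns="http://adelton.fedorapeople.org/rpm2swidtag/metadata-fixme">
  <package pkgid="{PKGID}"><SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="hello" version="1.0-1" tagId="example.org-hello-1.0-1.i386"/></package>
  <package pkgid="{UNKNOWN}"><SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="bogus" version="9" tagId="example.org-bogus-9"/></package>
</metadata>"""

def index_primary(xml_text):
    """Map pkgid -> (name, arch) from the checksum element flagged pkgid="YES"."""
    out = {}
    for pkg in ET.fromstring(xml_text).iter(COMMON_NS + "package"):
        for cs in pkg.iter(COMMON_NS + "checksum"):
            if cs.get("pkgid") == "YES" and cs.get("type") == "sha256":
                out[cs.text.strip()] = (pkg.findtext(COMMON_NS + "name"), pkg.findtext(COMMON_NS + "arch"))
    return out

def match_tags(primary_xml, swidtags_xml, rpm_bytes_by_pkgid):
    """Return (accepted, rejected). A collection entry is accepted only when its pkgid is listed
    in primary.xml AND equals the SHA256 of the rpm actually downloaded; otherwise it is
    rejected with a reason, so a tag is never written to disk for a package it does not describe."""
    known = index_primary(primary_xml)
    accepted, rejected = {}, {}
    for pkg in ET.fromstring(swidtags_xml).findall(COLL_NS + "package"):
        pkgid = pkg.get("pkgid", "")
        tags = [t.get("tagId") for t in pkg.findall(SWID_NS + "SoftwareIdentity")]
        if pkgid not in known:
            rejected[pkgid] = "pkgid not in primary.xml"
        elif hashlib.sha256(rpm_bytes_by_pkgid.get(pkgid, b"")).hexdigest() != pkgid:
            rejected[pkgid] = "rpm file hash does not match pkgid"
        else:
            accepted[pkgid] = tags
    return accepted, rejected
```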