[Rpm-ecosystem] Format and XML namespace for SWID collection metadata

Jan Pazdziora jpazdziora at redhat.com
Wed Feb 20 16:40:07 UTC 2019


On Mon, Feb 18, 2019 at 12:14:43PM -0500, Neal Gompa wrote:
> >
> > I'd also like to be able to generate SWID tags for yum/dnf
> > repositories, giving distributors a way to provide (potentially)
> > authoritative (per NIST IR 8060) and/or signed SWID tags for their
> > content. The relevant SWID tags, matching the newly installed or
> > upgraded packages, would then be put to disk on end machines using
> > dnf plugin, copied from the repository metadata. A proof of concept
> > of this functionality is available today in the git sources and the
> > mechanism works.
> 
> This looks mostly fine, but this _really_ should be integrated into
> librepo and libdnf rather than being a dnf plugin. Otherwise not
> everything will have the ability to access it.

We are aware that the same functionality will need to be provided as
libdnf plugin, and at the same time doing just the libdnf plugin won't
be enough to get the support in dnf.

However, supporting the non-dnf workflows (== the libdnf plugin) is not
in scope of Fedora 30 at this point.

When you say "integrated into librepo and libdnf", do you envision
something more integrated than libdnf plugin?

> > I'm using the same pkgid value (which happens to be SHA256 of the
> > whole .rpm file) as a way to match package elements in the SWID tag
> > collection file to the entries in primary.xml.gz:
> >
> > <?xml version='1.0' encoding='UTF-8'?>
> > <metadata xmlns="http://adelton.fedorapeople.org/rpm2swidtag/metadata-fixme">
> >   <package pkgid="7c4f932d7e66cfa3fb2ae756f916527e8ddf48ef8e6e428ac80a3a298a2ab7ab">
> >     <SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
> > [...]
> >
> > I've left out the @name and @arch attributes and the version EVR
> > element from the package elements as they seem unnecessary and redundant.
> > I also currently do not include the @packages attribute at the
> > top-level element, even if I'd be happy to add it if it is deemed
> > useful.
> 
> I'm not too sure here. Not having those attributes makes it hard to
> read the document as a standalone piece of metadata.

The NEVRA of the rpm package is in the SWID tag (that SoftwareIdentity
element and its children), so it is possible to make sense of what the
document is about from those values.

> And I'd rather it
> be possible to consider it as a document that can be mapped and merged
> into primary.xml as others are.

That's exactly what we try to do with the pkgid attribute, which
matches the checksum pkgid="YES" value. Is there a software around
which for the purpose of that logical merge operation relies on the
name and arch attributes and the EVR of version element, rather than
the pkgid attribute?

> > I'm also looking for reasonable XML namespace instead of my current
> >
> >         http://adelton.fedorapeople.org/rpm2swidtag/metadata-fixme
> >
> > placeholder, ideally one where the XSD file could also be hosted. I wonder
> > if something like
> >
> >         http://rpm.org/metadata/swidtags
> >
> > would be appropriate. In the future, we could even host XSDs for the
> > existing
> >
> >         http://linux.duke.edu/metadata/*
> >
> > namespaces there.
> >
> 
> It's on my TODO to collect all the schema documents for rpm-md and
> host them in one place. My plan is to get that all in one place and
> set up something that would let you browse the schema for the main
> stuff and valid extensions.

The XSD for the SWID tag list is now live at

	http://rpm.org/metadata/swidtags.xsd

> I wish we could recover the old site from Duke University, though...

Did the XSDs ever exist there? Checking Wayback Machine, I'm getting
302 + 404 at all the history points.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Security Engineering, Red Hat
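Added example, not code from the thread or from rpm2swidtag: the logical merge the reply describes, joining the SWID collection's package elements to primary.xml entries on pkgid (the checksum with pkgid="YES"), plus a recomputation of pkgid as SHA256 of the whole .rpm file. The namespaces are the ones quoted in the thread; the XML documents and the .rpm bytes are constructed samples.

```python
import hashlib
import xml.etree.ElementTree as ET

SWIDTAGS_NS = "http://adelton.fedorapeople.org/rpm2swidtag/metadata-fixme"
COMMON_NS = "http://linux.duke.edu/metadata/common"  # primary.xml namespace

# Constructed sample: a fake .rpm payload whose SHA256 acts as its pkgid,
# one package that has no SWID tag, and one tag whose pkgid matches nothing.
FAKE_RPM = b"constructed-rpm-bytes-not-a-real-package"
PKGID = hashlib.sha256(FAKE_RPM).hexdigest()
ORPHAN_PKGID = "0" * 64
STRAY_PKGID = "f" * 64

PRIMARY_XML = f"""<metadata xmlns="{COMMON_NS}" packages="2">
  <package type="rpm"><name>example</name><arch>x86_64</arch>
    <checksum type="sha256" pkgid="YES">{PKGID}</checksum></package>
  <package type="rpm"><name>orphan</name><arch>noarch</arch>
    <checksum type="sha256" pkgid="YES">{ORPHAN_PKGID}</checksum></package>
</metadata>"""

SWIDTAGS_XML = f"""<metadata xmlns="{SWIDTAGS_NS}">
  <package pkgid="{PKGID}"><SoftwareIdentity
    xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="example" version="1.0-1.fc30"/></package>
  <package pkgid="{STRAY_PKGID}"/>
</metadata>"""

def primary_pkgids(xml_text):
    """pkgid checksum -> package name, taken from primary.xml entries."""
    root = ET.fromstring(xml_text)
    out = {}
    for pkg in root.findall(f"{{{COMMON_NS}}}package"):
        cs = pkg.find(f"{{{COMMON_NS}}}checksum")
        if cs is not None and cs.get("pkgid") == "YES":
            out[cs.text.strip()] = pkg.findtext(f"{{{COMMON_NS}}}name")
    return out

def swid_pkgids(xml_text):
    """Set of pkgid values carried by the SWID collection's package elements."""
    root = ET.fromstring(xml_text)
    return {p.get("pkgid") for p in root.findall(f"{{{SWIDTAGS_NS}}}package")}

def merge_report(primary_xml, swid_xml):
    """Join on pkgid as a consumer merging the collection into primary.xml
    would: returns (matched names, names lacking a tag, stray tag pkgids)."""
    prim, swid = primary_pkgids(primary_xml), swid_pkgids(swid_xml)
    matched = sorted(n for k, n in prim.items() if k in swid)
    missing = sorted(n for k, n in prim.items() if k not in swid)
    return matched, missing, sorted(swid - set(prim))

def verify_pkgid(rpm_bytes, pkgid):
    """pkgid is the SHA256 of the whole .rpm file; recompute and compare."""
    return hashlib.sha256(rpm_bytes).hexdigest() == pkgid
```

A stray pkgid in the collection or a package without a tag is reported rather than silently dropped, which is what a consumer should see when repository metadata and tag collection drift apart.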
