[Rpm-ecosystem] Format and XML namespace for SWID collection metadata
Jan Pazdziora
jpazdziora at redhat.com
Thu Feb 7 16:26:13 UTC 2019
Hello,
TL;DR: What XML namespace and what XML format to use for a collection
of SWID tags, distributed with yum/dnf metadata? I have a
format which works and I'd need some final XML namespace
before submitting a tool which creates said SWID tag collections
to Fedora.
I've been working on a tool to generate SWID tags for rpm packages,
both installed and rpm files:
https://github.com/swidtags/rpm2swidtag
https://copr.fedorainfracloud.org/coprs/adelton/swid/
SWID tags are XML files with SoftwareIdentity root element in XML
namespace
http://standards.iso.org/iso/19770/-2/2015/schema.xsd
XML schema of which can be found at
https://standards.iso.org/iso/19770/-2/2015-current/schema.xsd
I'd also like to be able to generate SWID tags for yum/dnf
repositories, giving distributors a way to provide (potentially)
authoritative (per NIST IR 8060) and/or signed SWID tags for their
content. The relevant SWID tags, matching the newly installed or
upgraded packages, would then be put to disk on end machines using a
dnf plugin, copied from the repository metadata. A proof of concept
of this functionality is available today in the git sources and the
mechanism works.
To distribute a set of SWID tags, I need an XML namespace and schema
which would list packages in the repository like primary metadata
does, and for each package would include potentially multiple SWID
tags. An example of the format that I'm currently using can be seen
at
https://github.com/swidtags/rpm2swidtag/blob/master/tests/repodata-swidtags.xml
which matches XSD
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:swid="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    targetNamespace="http://adelton.fedorapeople.org/rpm2swidtag/metadata-fixme"
    elementFormDefault="qualified">
  <xs:import namespace="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
             schemaLocation="https://standards.iso.org/iso/19770/-2/2015-current/schema.xsd"/>
  <xs:annotation>
    <xs:documentation>
      Schema for collection of SWID tags in single XML file, to be used in yum/dnf repositories
    </xs:documentation>
  </xs:annotation>
  <xs:element name="metadata">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="package" minOccurs="0" maxOccurs="unbounded">
          <xs:complexType>
            <xs:sequence>
              <xs:element ref="swid:SoftwareIdentity" minOccurs="0" maxOccurs="unbounded"/>
            </xs:sequence>
            <xs:attribute name="pkgid" type="xs:string" use="required"/>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
Essentially, the same way primary.xml.gz
<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" xmlns:rpm="http://linux.duke.edu/metadata/rpm" packages="6">
  <package type="rpm">
    <name>hello</name>
    <arch>i386</arch>
    <version epoch="0" ver="1.0" rel="1"/>
    <checksum type="sha256" pkgid="YES">7c4f932d7e66cfa3fb2ae756f916527e8ddf48ef8e6e428ac80a3a298a2ab7ab</checksum>
    [...]
is matched in filelists.xml.gz with
<?xml version="1.0" encoding="UTF-8"?>
<filelists xmlns="http://linux.duke.edu/metadata/filelists" packages="6">
  <package pkgid="7c4f932d7e66cfa3fb2ae756f916527e8ddf48ef8e6e428ac80a3a298a2ab7ab" name="hello" arch="i386">
    <version epoch="0" ver="1.0" rel="1"/>
    [...]
I'm using the same pkgid value (which happens to be SHA256 of the
whole .rpm file) as a way to match package elements in the SWID tag
collection file to the entries in primary.xml.gz:
<?xml version='1.0' encoding='UTF-8'?>
<metadata xmlns="http://adelton.fedorapeople.org/rpm2swidtag/metadata-fixme">
  <package pkgid="7c4f932d7e66cfa3fb2ae756f916527e8ddf48ef8e6e428ac80a3a298a2ab7ab">
    <SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    [...]
I've left out the @name and @arch attributes and the version EVR
element from the package elements as they seem unnecessary and redundant.
I also currently do not include the @packages attribute at the
top-level element, even if I'd be happy to add it if it is deemed
useful.
Based on the feedback we got to our Fedora 30 change page
https://fedoraproject.org/wiki/Changes/SWID_Tag_Enablement
on the Fedora devel mailing list
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/T5HDVVBVFSDL54AOYHGSVNDCLOJOJCQM/
I'm hence seeking opinions about the suitability of this SWID tag
collection XML format, primarily from the point of view of
compatibility beyond Fedora/dnf, as well as extendability going forward.
I'm also looking for a reasonable XML namespace instead of my current
http://adelton.fedorapeople.org/rpm2swidtag/metadata-fixme
placeholder, ideally one where the XSD file could also be hosted. I wonder
if something like
http://rpm.org/metadata/swidtags
would be appropriate. In the future, we could even host XSDs for the
existing
http://linux.duke.edu/metadata/*
namespaces there.
Thank you for any guidance,
--
Jan Pazdziora
Senior Principal Software Engineer, Security Engineering, Red Hat
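As an added illustration, not part of the post or of the rpm2swidtag tool, the following Python check joins a SWID tag collection file in the format above to primary.xml on the shared pkgid checksum and flags collection entries that reference no package in primary. The XML fragments, the tagId values and the second pkgid are constructed; the collection namespace is the post's "fixme" placeholder.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespaces quoted in the post; the collection one is the author's placeholder.
NS_COMMON = "http://linux.duke.edu/metadata/common"
NS_COLL = "http://adelton.fedorapeople.org/rpm2swidtag/metadata-fixme"
NS_SWID = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
HELLO_ID = "7c4f932d7e66cfa3fb2ae756f916527e8ddf48ef8e6e428ac80a3a298a2ab7ab"  # from the post

# Constructed primary.xml fragment mirroring the post's "hello" entry.
PRIMARY_XML = f"""<metadata xmlns="{NS_COMMON}" packages="1">
  <package type="rpm"><name>hello</name><arch>i386</arch>
    <version epoch="0" ver="1.0" rel="1"/>
    <checksum type="sha256" pkgid="YES">{HELLO_ID}</checksum>
  </package></metadata>"""

# Constructed collection: a tag for "hello" plus an entry whose pkgid matches nothing.
COLLECTION_XML = f"""<metadata xmlns="{NS_COLL}">
  <package pkgid="{HELLO_ID}">
    <SoftwareIdentity xmlns="{NS_SWID}" name="hello" version="1.0-1" tagId="example-tag-1"/>
  </package>
  <package pkgid="{'0' * 64}">
    <SoftwareIdentity xmlns="{NS_SWID}" name="orphan" version="9" tagId="example-tag-2"/>
  </package></metadata>"""

def pkgid_of_rpm(rpm_bytes):
    """pkgid as the post defines it: SHA256 of the whole .rpm file."""
    return hashlib.sha256(rpm_bytes).hexdigest()

def index_primary(xml_text):
    """Map each checksum flagged pkgid="YES" in primary.xml to (name, arch)."""
    index = {}
    for pkg in ET.fromstring(xml_text).findall(f"{{{NS_COMMON}}}package"):
        csum = pkg.find(f"{{{NS_COMMON}}}checksum")
        if csum is None or csum.get("pkgid") != "YES":
            continue  # only the pkgid="YES" checksum is the join key
        index[csum.text.strip()] = (pkg.findtext(f"{{{NS_COMMON}}}name"),
                                    pkg.findtext(f"{{{NS_COMMON}}}arch"))
    return index

def match_collection(xml_text, primary_index):
    """Join collection <package pkgid> entries to primary.xml; list orphan pkgids."""
    matched, unmatched = {}, []
    for pkg in ET.fromstring(xml_text).findall(f"{{{NS_COLL}}}package"):
        pkgid = pkg.get("pkgid")
        names = [si.get("name") for si in pkg.findall(f"{{{NS_SWID}}}SoftwareIdentity")]
        if pkgid in primary_index:
            matched.setdefault(pkgid, []).extend(names)
        else:
            unmatched.append(pkgid)  # tag shipped for a package the repo does not list
    return matched, unmatched
```

Orphan entries are worth surfacing on the client side: a tag whose pkgid matches nothing in primary.xml should not be written to disk as if it described an installed package.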