Bug 1703066

Summary: Rebase of swid-tools to include new filename schema for installed SWID tags
Product: Fedora
Reporter: Stephen Tweedie <sct>
Component: swid-tools
Assignee: Jan Pazdziora (Red Hat) <jpazdziora>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 30
CC: awilliam, bcotton, gmarr, jpazdziora, mboddu, rpm-software-management, sgallagh
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: AcceptedFreezeException
Fixed In Version: swid-tools-0.8.1-1.fc30
Doc Type: If docs needed, set a value
Last Closed: 2019-04-26 22:33:22 UTC
Type: Bug
Bug Blocks: 1574716

Description Stephen Tweedie 2019-04-25 12:23:47 UTC
Description of problem:
The SWID dnf plugin will install SWID tags for a package if it finds them appropriately formatted in that package's repo metadata.

In order to be able to robustly remove the correct tags when a package is removed, the latest swid-tools dnf plugin uses the package's own $sha256 as part of the filename, so that it is easy and fast to remove the correct tags, and only those tags, without depending on the content of the tags.  This is more robust and future-proof, and significantly more efficient, than the older mechanism which needed to introspect all tags to find those which belong to a given package.

The primary change we wish to pick up here is

https://github.com/swidtags/rpm2swidtag/commit/7c8a1c237482327902640ea625fbc3e785258f90

We support updating existing installs to the newer tag filenames, but that process must be triggered manually; the user experience will be much cleaner if we include the rebase early and avoid that migration.


Bodhi update for requested release (swid-tools-0.8.1-1.fc30):
https://bodhi.fedoraproject.org/updates/FEDORA-2019-1d9e7f3b5b
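The following is an added illustration of the approach the description outlines, not swid-tools' own code (which is in the linked commit): each installed tag is stored under a filename that embeds the owning package's SHA-256, so removal matches filenames and never has to open or parse any tag. The filename layout `<tag-id>-<sha256>.swidtag`, the function names and the sample digests are assumptions made for this example.

```python
import os
import re
import tempfile

TAG_SUFFIX = ".swidtag"
_SHA256_HEX = re.compile(r"[0-9a-f]{64}")  # exactly 64 lowercase hex digits

def tag_filename(tag_id, pkg_sha256):
    """Assumed schema <tag-id>-<sha256>.swidtag; not the real swid-tools layout."""
    # The digest comes from repo metadata: validate it before it becomes part of
    # a path, so a malformed value cannot carry separators or glob characters.
    if not _SHA256_HEX.fullmatch(pkg_sha256):
        raise ValueError("package digest must be 64 lowercase hex characters")
    if not tag_id or "/" in tag_id or tag_id.startswith("."):
        raise ValueError("unsafe tag id")
    return f"{tag_id}-{pkg_sha256}{TAG_SUFFIX}"

def install_tag(tag_dir, tag_id, pkg_sha256, tag_xml):
    """Write one tag file for the package identified by pkg_sha256."""
    path = os.path.join(tag_dir, tag_filename(tag_id, pkg_sha256))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(tag_xml)
    return path

def remove_tags_for_package(tag_dir, pkg_sha256):
    """Remove every tag owned by this package, matching on filename only."""
    # Nothing is opened or parsed, so cleanup stays correct and cheap even if a
    # tag's content is malformed or was altered after installation.
    if not _SHA256_HEX.fullmatch(pkg_sha256):
        raise ValueError("package digest must be 64 lowercase hex characters")
    suffix = f"-{pkg_sha256}{TAG_SUFFIX}"
    removed = []
    for entry in sorted(os.listdir(tag_dir)):
        if entry.endswith(suffix):
            os.remove(os.path.join(tag_dir, entry))
            removed.append(entry)
    return removed

# Constructed sample digests and tag bodies; not real package data.
SHA_A, SHA_B = "a" * 64, "b" * 64

def demo():
    """Install three tags for two packages, then remove only package A's."""
    with tempfile.TemporaryDirectory() as tag_dir:
        for tag_id, digest in (("pkg-a-primary", SHA_A), ("pkg-a-patch", SHA_A),
                               ("pkg-b-primary", SHA_B)):
            install_tag(tag_dir, tag_id, digest, "<SoftwareIdentity/>")
        removed = remove_tags_for_package(tag_dir, SHA_A)
        return removed, sorted(os.listdir(tag_dir))
```

Running `demo()` removes both of package A's tags and leaves package B's untouched, which is the property the new filename schema buys over scanning every tag's content.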

Comment 1 Fedora Blocker Bugs Application 2019-04-25 12:28:55 UTC
Proposed as a Freeze Exception for 30-final by Fedora user sgallagh using the blocker tracking app because:

This cannot be a blocker because it does not violate any release criteria. However, the issue at hand is that migration from the 0.7.x to 0.8.x (required to harden security on the SWID tags) is non-trivial and fragile. As swid-tools is being introduced for the first time in Fedora 30, it would be best if we didn't have to run a risky migration as part of the 0day updates if someone chooses to install from the frozen repository.

As such, I'd say this constitutes a valid request for a Freeze Exception: it addresses a serious, security-related bug and cannot be safely addressed in all cases with an update.

Comment 2 Ben Cotton 2019-04-25 13:41:28 UTC
+1 FE

Comment 3 Mohan Boddu 2019-04-25 14:39:35 UTC
+1 FE

Comment 4 Stephen Gallagher 2019-04-25 14:46:14 UTC
+1 FE (since I forgot to state it explicitly when proposing this).

Comment 5 Geoffrey Marr 2019-04-25 16:30:50 UTC
+1 FE

Comment 6 Adam Williamson 2019-04-25 18:17:09 UTC
Marking as accepted.

Comment 7 Fedora Update System 2019-04-25 19:06:12 UTC
swid-tools-0.8.1-1.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-1d9e7f3b5b

Comment 8 Fedora Update System 2019-04-26 22:33:22 UTC
swid-tools-0.8.1-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.