Description of problem:
The SWID dnf plugin will install SWID tags for a package if it finds them appropriately formatted in that package's repo metadata.
In order to be able to robustly remove the correct tags when a package is removed, the latest swid-tools dnf plugin uses the package's own $sha256 as part of the filename, so that it is easy and fast to remove the correct tags, and only those tags, without depending on the content of the tags. This is more robust and future-proof, and significantly more efficient, than the older mechanism which needed to introspect all tags to find those which belong to a given package.
The primary change we wish to pick up here is
We support updating existing installs to the newer tag filenames, but that process must be triggered manually; the user experience will be much cleaner if we include the rebase early and avoid that migration.
Bodhi update for requested release (swid-tools-0.8.1-1.fc30) ---
Proposed as a Freeze Exception for 30-final by Fedora user sgallagh using the blocker tracking app because:
This cannot be a blocker because it does not violate any release criteria. However, the issue at hand is that migration from the 0.7.x to 0.8.x (required to harden security on the SWID tags) is non-trivial and fragile. As swid-tools is being introduced for the first time in Fedora 30, it would be best if we didn't have to run a risky migration as part of the 0day updates if someone chooses to install from the frozen repository.
As such, I'd say this constitutes a valid request for a Freeze Exception: it addresses a serious, security-related bug and cannot be safely addressed in all cases with an update.
+1 FE (since I forgot to state it explicitly when proposing this).
Marking as accepted.
swid-tools-0.8.1-1.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-1d9e7f3b5b
swid-tools-0.8.1-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.