Description of problem:

The SWID dnf plugin will install SWID tags for a package if it finds them appropriately formatted in that package's repo metadata. In order to be able to robustly remove the correct tags when a package is removed, the latest swid-tools dnf plugin uses the package's own $sha256 as part of the filename, so that it is easy and fast to remove the correct tags, and only those tags, without depending on the content of the tags. This is more robust and future-proof, and significantly more efficient, than the older mechanism which needed to introspect all tags to find those which belong to a given package.

The primary change we wish to pick up here is https://github.com/swidtags/rpm2swidtag/commit/7c8a1c237482327902640ea625fbc3e785258f90

We support updating existing installs to the newer tag filenames, but that process must be triggered manually; the user experience will be much cleaner if we include the rebase early and avoid that migration.

Bodhi update for requested release (swid-tools-0.8.1-1.fc30) --- https://bodhi.fedoraproject.org/updates/FEDORA-2019-1d9e7f3b5b
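The two removal strategies contrasted in the description, as an added illustration that is not swid-tools' own code: the `{sha256}-{n}.swidtag` filename layout, the tag directory and the sample RPM payloads are constructed assumptions, not the plugin's real naming scheme. Removal keyed on the package's sha256 is a directory glob that never opens a tag, while the older approach has to parse every installed tag and match on its content.

```python
import glob
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Minimal constructed SWID tag (ISO 19770-2 namespace); only the name attribute is matched on.
TAG_TEMPLATE = ('<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" '
                'name="{name}" tagId="example.{name}.{n}" version="1.0"/>')


def package_sha256(rpm_bytes: bytes) -> str:
    """sha256 of the package file, used as the key in the tag filename (assumed layout)."""
    return hashlib.sha256(rpm_bytes).hexdigest()


def install_tags(tag_dir: str, pkg_sha256: str, tags: list) -> list:
    """Write each tag as <sha256>-<n>.swidtag so later removal needs no tag contents."""
    paths = []
    for n, xml in enumerate(tags):
        path = os.path.join(tag_dir, f"{pkg_sha256}-{n}.swidtag")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(xml)
        paths.append(path)
    return paths


def remove_tags_by_hash(tag_dir: str, pkg_sha256: str) -> int:
    """New mechanism: delete exactly the files keyed by this package's hash; no parsing."""
    matches = glob.glob(os.path.join(tag_dir, f"{pkg_sha256}-*.swidtag"))
    for path in matches:
        os.remove(path)
    return len(matches)


def remove_tags_by_introspection(tag_dir: str, pkg_name: str) -> int:
    """Old mechanism: open and parse every tag in the directory to find the package's own."""
    removed = 0
    for path in glob.glob(os.path.join(tag_dir, "*.swidtag")):
        if ET.parse(path).getroot().get("name") == pkg_name:  # breaks on any malformed tag
            os.remove(path)
            removed += 1
    return removed


def demo() -> tuple:
    """Install tags for two constructed packages, then remove each by a different strategy."""
    with tempfile.TemporaryDirectory() as tag_dir:
        sha_a = package_sha256(b"constructed rpm payload for pkg-a")
        sha_b = package_sha256(b"constructed rpm payload for pkg-b")
        install_tags(tag_dir, sha_a, [TAG_TEMPLATE.format(name="pkg-a", n=i) for i in (1, 2)])
        install_tags(tag_dir, sha_b, [TAG_TEMPLATE.format(name="pkg-b", n=1)])
        by_hash = remove_tags_by_hash(tag_dir, sha_a)          # pkg-a: 2 tags, pkg-b untouched
        left_after_hash = len(os.listdir(tag_dir))
        by_content = remove_tags_by_introspection(tag_dir, "pkg-b")
        return by_hash, left_after_hash, by_content
```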
Proposed as a Freeze Exception for 30-final by Fedora user sgallagh using the blocker tracking app because: This cannot be a blocker because it does not violate any release criteria. However, the issue at hand is that migration from the 0.7.x to 0.8.x (required to harden security on the SWID tags) is non-trivial and fragile. As swid-tools is being introduced for the first time in Fedora 30, it would be best if we didn't have to run a risky migration as part of the 0day updates if someone chooses to install from the frozen repository. As such, I'd say this constitutes a valid request for a Freeze Exception: it addresses a serious, security-related bug and cannot be safely addressed in all cases with an update.
+1 FE
+1 FE (since I forgot to state it explicitly when proposing this).
Marking as accepted.
swid-tools-0.8.1-1.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-1d9e7f3b5b
swid-tools-0.8.1-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.