Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1703066 - Rebase of swid-tools to include new filename schema for installed SWID tags
Summary: Rebase of swid-tools to include new filename schema for installed SWID tags
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: swid-tools
Version: 30
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedFreezeException
Depends On:
Blocks: F30FinalFreezeException
TreeView+ depends on / blocked
 
Reported: 2019-04-25 12:23 UTC by Stephen Tweedie
Modified: 2019-04-26 22:33 UTC (History)
7 users (show)

Fixed In Version: swid-tools-0.8.1-1.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-26 22:33:22 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Stephen Tweedie 2019-04-25 12:23:47 UTC 
Description of problem:
The SWID dnf plugin will install SWID tags for a package if it finds them appropriately formatted in that package's repo metadata.

In order to be able to robustly remove the correct tags when a package is removed, the latest swid-tools dnf plugin uses the package's own $sha256 as part of the filename, so that it is easy and fast to remove the correct tags, and only those tags, without depending on the content of the tags.  This is more robust and future-proof, and significantly more efficient, than the older mechanism which needed to introspect all tags to find those which belong to a given package.

The primary change we wish to pick up here is

https://github.com/swidtags/rpm2swidtag/commit/7c8a1c237482327902640ea625fbc3e785258f90

We support updating existing installs to the newer tag filenames, but that process must be triggered manually; the user experience will be much cleaner if we include the rebase early and avoid that migration.


Bodhi update for requested release (swid-tools-0.8.1-1.fc30) --- 
https://bodhi.fedoraproject.org/updates/FEDORA-2019-1d9e7f3b5b
Comment 1 Fedora Blocker Bugs Application 2019-04-25 12:28:55 UTC 
Proposed as a Freeze Exception for 30-final by Fedora user sgallagh using the blocker tracking app because:

 This cannot be a blocker because it does not violate any release criteria. However, the issue at hand is that migration from the 0.7.x to 0.8.x (required to harden security on the SWID tags) is non-trivial and fragile. As swid-tools is being introduced for the first time in Fedora 30, it would be best if we didn't have to run a risky migration as part of the 0day updates if someone chooses to install from the frozen repository.

As such, I'd say this constitutes a valid request for a Freeze Exception: it addresses a serious, security-related bug and cannot be safely addressed in all cases with an update.
Comment 2 Ben Cotton 2019-04-25 13:41:28 UTC 
+1 FE
Comment 3 Mohan Boddu 2019-04-25 14:39:35 UTC 
+1 FE
Comment 4 Stephen Gallagher 2019-04-25 14:46:14 UTC 
+1 FE (since I forgot to state it explicitly when proposing this).
Comment 5 Geoffrey Marr 2019-04-25 16:30:50 UTC 
+1 FE
Comment 6 Adam Williamson 2019-04-25 18:17:09 UTC 
Marking as accepted.
Comment 7 Fedora Update System 2019-04-25 19:06:12 UTC 
swid-tools-0.8.1-1.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-1d9e7f3b5b
Comment 8 Fedora Update System 2019-04-26 22:33:22 UTC 
swid-tools-0.8.1-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.