SWID tag enablement
Summary
Provide tools to allow users and developers to create Software Identity (SWID) tags for Fedora installs and repositories.
Owner
- Name: Jan Pazdziora
- Email: jpazdziora@redhat.com
- Release notes owner:
Current status
- Targeted release: Fedora 30
- Last updated: 2019-04-29
- Tracker bug: #1678454
- Release notes tracker: #302
- Release notes pull requestion: #329
Detailed Description
SWID (ISO/IEC 19770:2-2015) is a portable standard for identifying software installed on a system. We already have SWID tags in fedora-release to identify the overall release+edition of Fedora. We will add tools to allow users to
- list SWID tags present on the system
- create and deploy individual SWID tags identifying RPMs
- add pre-built tags to repositories
- automatically update local tags as packages are installed, updated and removed
This will involve standalone tools to query and build SWID tags and to add prebuilt tags to dnf repositories, and plugin for dnf to build and download tags. Plugin for libdnf is not in scope for Fedora 30.
Benefit to Fedora
Fedora will be usable to users and developers interested in the SWID functionality being added to relevant other tools, such as OpenSCAP-1.3.
Scope
- Proposal owners:
- add python SWID tools (
swidq
,rpm2swidtag
) - add ability to extend createrepo_c output repository metadata with SWID information via
rpm2swidtag --repo
(but this will not be used in Fedora, only enabled for user use), agreeing metadata format with dnf team- guidance also sought at http://lists.rpm.org/pipermail/rpm-ecosystem/2019-February/000711.html
- the XML Schema for the metadata is at http://rpm.org/metadata/swidtags.xsd
- add dnf plugin (no core dnf changes are expected)
- the libdnf plugin is not in scope for Fedora 30.
- add python SWID tools (
- Other developers: N/A (not a System Wide Change)
- Release engineering: #Releng issue number (a check of an impact with Release Engineering is needed)
- List of deliverables: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
N/A (not a System Wide Change)
How To Test
N/A (not a System Wide Change)
Command rpm2swidtag --primary-only bash
can be used to generate example SWID tag for installed bash
package.
Command swidq -a
can be used to list deployed SWID tags. Out of box, only distro-level SWID tag org.fedoraproject.Fedora-30
and potentially edition SWID tag like org.fedoraproject.Fedora-30-Container
will be listed.
The subpackage dnf-plugin-swidtags
is able to deploy SWID tags distributed in yum/dnf repository metadata. Fedora itself does not distribute the SWID tags but it is possible to generate the SWID tags and metadata using rpm2swidtag --repo /path/to/repository
. It is also possible to uncomment the rpm2swidtag_command = /usr/bin/rpm2swidtag
line in /etc/dnf/plugins/swidtags.conf
and in that case, the SWID tags will be locally generated for every rpm package installed or upgraded via dnf
. The plugin will of course also remove SWID tags for people that got removed during the dnf transaction, either via package removal or when replaced by different package version during upgrade or downgrade.
User Experience
No change unless users choose to enable SWID tags by installing dnf-plugin-swidtags
and potentially uncommenting the rpm2swidtag_command
option. Then at the end of dnf operations, SWID tags will be deployed from the repository metadata, or in the (likely) case that none are available and rpm2swidtag_command
is set pointing rpm2swidtag
, the SWID tags will be generated.
Command swidq
allows the user to see all installed tags, their supplement relationship, and their content.
Dependencies
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), No
- Blocks product? No
Documentation
N/A (not a System Wide Change)
Release Notes
Inform users of new capabilities and how they can be used with the existing tags in fedora-release-*