From Fedora Project Wiki

Revision as of 08:59, 29 April 2019 by Adelton (talk | contribs) (Release notes pull request link)

SWID tag enablement

Summary

Provide tools to allow users and developers to create Software Identity (SWID) tags for Fedora installs and repositories.

Owner

  • Name: Jan Pazdziora
  • Email: jpazdziora@redhat.com
  • Release notes owner:

Current status

  • Targeted release: Fedora 30
  • Last updated: 2019-04-29
  • Tracker bug: #1678454
  • Release notes tracker: #302
    • Release notes pull requestion: #329

Detailed Description

SWID (ISO/IEC 19770:2-2015) is a portable standard for identifying software installed on a system. We already have SWID tags in fedora-release to identify the overall release+edition of Fedora. We will add tools to allow users to

  • list SWID tags present on the system
  • create and deploy individual SWID tags identifying RPMs
  • add pre-built tags to repositories
  • automatically update local tags as packages are installed, updated and removed

This will involve standalone tools to query and build SWID tags and to add prebuilt tags to dnf repositories, and plugin for dnf to build and download tags. Plugin for libdnf is not in scope for Fedora 30.

Benefit to Fedora

Fedora will be usable to users and developers interested in the SWID functionality being added to relevant other tools, such as OpenSCAP-1.3.

Scope

  • Proposal owners:
  • Other developers: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

N/A (not a System Wide Change)

How To Test

N/A (not a System Wide Change)

Command rpm2swidtag --primary-only bash can be used to generate example SWID tag for installed bash package.

Command swidq -a can be used to list deployed SWID tags. Out of box, only distro-level SWID tag org.fedoraproject.Fedora-30 and potentially edition SWID tag like org.fedoraproject.Fedora-30-Container will be listed.

The subpackage dnf-plugin-swidtags is able to deploy SWID tags distributed in yum/dnf repository metadata. Fedora itself does not distribute the SWID tags but it is possible to generate the SWID tags and metadata using rpm2swidtag --repo /path/to/repository. It is also possible to uncomment the rpm2swidtag_command = /usr/bin/rpm2swidtag line in /etc/dnf/plugins/swidtags.conf and in that case, the SWID tags will be locally generated for every rpm package installed or upgraded via dnf. The plugin will of course also remove SWID tags for people that got removed during the dnf transaction, either via package removal or when replaced by different package version during upgrade or downgrade.

User Experience

No change unless users choose to enable SWID tags by installing dnf-plugin-swidtags and potentially uncommenting the rpm2swidtag_command option. Then at the end of dnf operations, SWID tags will be deployed from the repository metadata, or in the (likely) case that none are available and rpm2swidtag_command is set pointing rpm2swidtag, the SWID tags will be generated.

Command swidq allows the user to see all installed tags, their supplement relationship, and their content.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), No
  • Blocks product? No

Documentation

N/A (not a System Wide Change)

Release Notes

Inform users of new capabilities and how they can be used with the existing tags in fedora-release-*