2021-06-10 17:44:37 |
Alexander Scheel |
bug |
|
|
added bug |
2021-06-10 17:45:43 |
Alexander Scheel |
attachment added |
|
rev1 rebase debdiff over sid https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1931618/+attachment/5503887/+files/openscap-1.3.4.sid-to-impish-rev1.debdiff |
|
2021-06-10 17:47:18 |
Alexander Scheel |
description |
In the interest of long-term maintainability ahead of Ubuntu 22.04 release, the Security team would like to propose rebasing to upstream OpenSCAP 1.3.4 release as has presently landed in Debian.
Upstream, OpenSCAP is a Red Hat maintained project. Version 1.2.x (as currently present in Ubuntu releases) aligns with RHEL 7. Version 1.3.x has shipped in RHEL 8 and is currently in Fedora ELN (slated for RHEL 9). Since RHEL 7 has left active feature development, it makes sense for new Ubuntu releases to move to the active 1.3.x version. Additionally, 1.3.x features several enhancements and bug fixes over the 1.2.x branch.
Debian has picked up OpenSCAP 1.3.4 prior to the recent upstream 1.3.5 release. While these changes are helpful (including SCAP 1.3 which brings in mandatory OVAL 5.11.x support), we feel it is more important to follow Debian's lead in this instance. Additionally, even older 1.2.x versions of OpenSCAP support OVAL 5.11.x content in SCAP 1.2 content, making this a lower concern.
Changes over Debian's 1.3.4 include:
- Shipping autotailor, a utility to tailor XCCDF files (changing variables and selecting/deselecting rules in an XCCDF profile), including manpage.
- Shipping helper function oscap-run-sce-script that was missed in packaging. This utility helps when SCE content is shipped without executable permissions.
- Pulling in the dpkg verison comparison patches from Hirsute.
Note that the dpkg version comparison patches have landed upstream in the 1.3.5 release and so should eventually be dropped were we to rebase in the future.
All other hirsute patches have been dropped as they have been picked up by this release.
Thanks,
Alex |
In the interest of long-term maintainability ahead of Ubuntu 22.04 release, the Security team would like to propose rebasing to upstream OpenSCAP 1.3.4 release as has presently landed in Debian.
Upstream, OpenSCAP is a Red Hat maintained project. Version 1.2.x (as currently present in Ubuntu releases) aligns with RHEL 7. Version 1.3.x has shipped in RHEL 8 and is currently in Fedora ELN (slated for RHEL 9). Since RHEL 7 has left active feature development, it makes sense for new Ubuntu releases to move to the active 1.3.x version. Additionally, 1.3.x features several enhancements and bug fixes over the 1.2.x branch.
Debian has picked up OpenSCAP 1.3.4 prior to the recent upstream 1.3.5 release. While these changes are helpful (including SCAP 1.3 which brings in mandatory OVAL 5.11.x support), we feel it is more important to follow Debian's lead in this instance. Additionally, even older 1.2.x versions of OpenSCAP support OVAL 5.11.x content in SCAP 1.2 content, making this a lower concern.
Changes over Debian's 1.3.4 include:
- Shipping autotailor, a utility to tailor XCCDF files (changing variables and selecting/deselecting rules in an XCCDF profile), including manpage.
- Shipping helper function oscap-run-sce-script that was missed in packaging. This utility helps when SCE content is shipped without executable permissions.
- Pulling in the dpkg verison comparison patches from Hirsute.
Note that the dpkg version comparison patches have landed upstream in the 1.3.5 release and so should eventually be dropped were we to rebase in the future.
All other hirsute patches have been dropped as they have been picked up by this release.
This rebase has been sanity-tested against building ComplianceAsCode/content and no errors reported. At this time, the Security team does not have any Impish content and thus cannot test scanner functionality against this release.
Thanks,
Alex |
|
2021-06-10 17:51:17 |
Alexander Scheel |
description |
In the interest of long-term maintainability ahead of Ubuntu 22.04 release, the Security team would like to propose rebasing to upstream OpenSCAP 1.3.4 release as has presently landed in Debian.
Upstream, OpenSCAP is a Red Hat maintained project. Version 1.2.x (as currently present in Ubuntu releases) aligns with RHEL 7. Version 1.3.x has shipped in RHEL 8 and is currently in Fedora ELN (slated for RHEL 9). Since RHEL 7 has left active feature development, it makes sense for new Ubuntu releases to move to the active 1.3.x version. Additionally, 1.3.x features several enhancements and bug fixes over the 1.2.x branch.
Debian has picked up OpenSCAP 1.3.4 prior to the recent upstream 1.3.5 release. While these changes are helpful (including SCAP 1.3 which brings in mandatory OVAL 5.11.x support), we feel it is more important to follow Debian's lead in this instance. Additionally, even older 1.2.x versions of OpenSCAP support OVAL 5.11.x content in SCAP 1.2 content, making this a lower concern.
Changes over Debian's 1.3.4 include:
- Shipping autotailor, a utility to tailor XCCDF files (changing variables and selecting/deselecting rules in an XCCDF profile), including manpage.
- Shipping helper function oscap-run-sce-script that was missed in packaging. This utility helps when SCE content is shipped without executable permissions.
- Pulling in the dpkg verison comparison patches from Hirsute.
Note that the dpkg version comparison patches have landed upstream in the 1.3.5 release and so should eventually be dropped were we to rebase in the future.
All other hirsute patches have been dropped as they have been picked up by this release.
This rebase has been sanity-tested against building ComplianceAsCode/content and no errors reported. At this time, the Security team does not have any Impish content and thus cannot test scanner functionality against this release.
Thanks,
Alex |
In the interest of long-term maintainability ahead of Ubuntu 22.04 release, the Security team would like to propose rebasing to upstream OpenSCAP 1.3.4 release as has presently landed in Debian.
Upstream, OpenSCAP is a Red Hat maintained project. Version 1.2.x (as currently present in Ubuntu releases) aligns with RHEL 7. Version 1.3.x has shipped in RHEL 8 and is currently in Fedora ELN (slated for RHEL 9). Since RHEL 7 has left active feature development, it makes sense for new Ubuntu releases to move to the active 1.3.x version. Additionally, 1.3.x features several enhancements and bug fixes over the 1.2.x branch.
Debian has picked up OpenSCAP 1.3.4 prior to the recent upstream 1.3.5 release. While these changes are helpful (including SCAP 1.3 which brings in mandatory OVAL 5.11.x support), we feel it is more important to follow Debian's lead in this instance. Additionally, even older 1.2.x versions of OpenSCAP support OVAL 5.11.x content in SCAP 1.2 content, making this a lower concern.
Changes over Debian's 1.3.4 include:
- Shipping autotailor, a utility to tailor XCCDF files (changing variables and selecting/deselecting rules in an XCCDF profile), including manpage.
- Shipping helper function oscap-run-sce-script that was missed in packaging. This utility helps when SCE content is shipped without executable permissions.
- Pulling in the dpkg verison comparison patches from Hirsute.
Note that the dpkg version comparison patches have landed upstream in the 1.3.5 release and so should eventually be dropped were we to rebase in the future.
All other hirsute patches have been dropped as they have been picked up by this release.
This rebase has been sanity-tested against building ComplianceAsCode/content and no errors reported. At this time, the Security team does not have any Impish content and thus cannot test scanner functionality against this release.
A PPA containing this build can be found here: https://launchpad.net/~cipherboy/+archive/ubuntu/scap/+build/21682204
Thanks,
Alex |
|
2021-06-10 18:26:26 |
Alexander Scheel |
attachment added |
|
rev2 rebase debdiff over sid -- contains missing changelog entry https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1931618/+attachment/5503888/+files/openscap-1.3.4.sid-to-impish-rev2.debdiff |
|
2021-06-10 20:33:30 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2021-06-10 20:33:42 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2021-06-11 01:08:19 |
Alex Murray |
attachment added |
|
openscap_1.3.4-1ubuntu1.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1931618/+attachment/5503900/+files/openscap_1.3.4-1ubuntu1.debdiff |
|
2021-06-11 12:58:43 |
Alexander Scheel |
attachment added |
|
rev3 rebase debdiff over impish (changes base, fixes changelog) https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1931618/+attachment/5504083/+files/openscap-1.3.4.impish-to-impish-rev3.debdiff |
|
2021-06-16 02:40:34 |
Alexander Scheel |
attachment added |
|
rev3 rebase debdiff over sid (same as previous; just different base) https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1931618/+attachment/5504910/+files/openscap-1.3.4.sid-to-impish-rev3.debdiff |
|
2021-07-20 11:47:31 |
Alexander Scheel |
attachment added |
|
rev4 rebase debdiff over sid (updated changelog entry) https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1931618/+attachment/5512231/+files/openscap-1.3.4.sid-to-impish-rev4.debdiff |
|
2021-07-20 11:48:03 |
Alexander Scheel |
attachment added |
|
rev4 rebase debdiff over impish (fixes changelog) https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1931618/+attachment/5512232/+files/openscap-1.3.4.impish-to-impish-rev4.debdiff |
|
2021-07-21 14:37:22 |
Alexander Scheel |
attachment added |
|
openscap-1.3.4.impish-to-impish-rev5.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1931618/+attachment/5512549/+files/openscap-1.3.4.impish-to-impish-rev5.debdiff |
|
2021-07-21 14:37:50 |
Alexander Scheel |
attachment added |
|
Same as previous except over sid (rev5) https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1931618/+attachment/5512550/+files/openscap-1.3.4.sid-to-impish-rev5.debdiff |
|
2023-02-01 11:35:18 |
Eduardo Barretto |
openscap (Ubuntu): status |
New |
Won't Fix |
|