A list for people interested in developing the OVAL language.
View all threadsRegarding the Solaris packageavoidlist items.
Given that:
It would seem that since only the name of the package is returned by 'pkg avoid' and since a given package name could conceivably be sourced from more than one publisher, it is impossible to determine the FMRI for a given package.
Also, the documents at https://github.com/OVALProject/Sandbox/tree/master/resources/x-solaris-updates/content/packageavoidlist_test show a 'name' field in the state and item rather than an FMRI field. The schema (the actual xsd file) requires the 'fmri.'
Should the packageAvoidList state and item contain just the package name?
Or, if the FMRI is the correct information, how do we assure that we have the correct package FMRI when we only have the package name to work off of?
John R. Ulmer
SPAWAR Systems Center Atlantic
(843)218-5953
John.R.Ulmer@saic.com
...
On 11/17/15 14:46, Ulmer, John R. wrote:
Regarding the Solaris packageavoidlist items.
Given that:
It would seem that since only the name of the package is returned by 'pkg avoid' and since a given package name could conceivably be sourced from more than one publisher, it is impossible to determine the FMRI for a given package.
Also, the documents at https://github.com/OVALProject/Sandbox/tree/master/resources/x-solaris-updates/content/packageavoidlist_test show a 'name' field in the state and item rather than an FMRI field. The schema (the actual xsd file) requires the 'fmri.'
Should the packageAvoidList state and item contain just the package name?
Or, if the FMRI is the correct information, how do we assure that we have the correct package FMRI when we only have the package name to work off of?
The avoid list is the name of the package not the full FMRI so the
schema requiring an FMRI is wrong.
The pkg system only stores package names for the avoid list not the full
FMRI - since the point of avoid is to avoid the package regardless of
publisher.
--
Darren J Moffat
...
Darren,
Thanks for the confirmation.
In the short term, we'll be filling the item with the package name even though the XML tag name will continue to be FMRI (to allow XML validation and until the schema is fixed).
So, how do I push this forward?
Who needs to know that the schema needs a tweak?
I've lost the handle since we moved from MITRE.
John R. Ulmer
SPAWAR Systems Center Atlantic
(843)218-5953
John.R.Ulmer@saic.com
-----Original Message-----
From: Darren J Moffat [mailto:Darren.Moffat@Oracle.COM]
Sent: Tuesday, November 17, 2015 10:30 AM
To: Ulmer, John R.; oval_developer@lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] Solaris packageAvoidList item? FMRI?
On 11/17/15 14:46, Ulmer, John R. wrote:
Regarding the Solaris packageavoidlist items.
Given that:
It would seem that since only the name of the package is returned by 'pkg avoid' and since a given package name could conceivably be sourced from more than one publisher, it is impossible to determine the FMRI for a given package.
Also, the documents at https://github.com/OVALProject/Sandbox/tree/master/resources/x-solaris-updates/content/packageavoidlist_test show a 'name' field in the state and item rather than an FMRI field. The schema (the actual xsd file) requires the 'fmri.'
Should the packageAvoidList state and item contain just the package name?
Or, if the FMRI is the correct information, how do we assure that we have the correct package FMRI when we only have the package name to work off of?
The avoid list is the name of the package not the full FMRI so the
schema requiring an FMRI is wrong.
The pkg system only stores package names for the avoid list not the full
FMRI - since the point of avoid is to avoid the package regardless of
publisher.
--
Darren J Moffat
...
On 11/17/15 16:20, Ulmer, John R. wrote:
Darren,
Thanks for the confirmation.
In the short term, we'll be filling the item with the package name even though the XML tag name will continue to be FMRI (to allow XML validation and until the schema is fixed).
So, how do I push this forward?
Who needs to know that the schema needs a tweak?
I've lost the handle since we moved from MITRE.
I'm not sure either but I'm assuming this list is the place to do it.
John R. Ulmer
SPAWAR Systems Center Atlantic
(843)218-5953
John.R.Ulmer@saic.com
-----Original Message-----
From: Darren J Moffat [mailto:Darren.Moffat@Oracle.COM]
Sent: Tuesday, November 17, 2015 10:30 AM
To: Ulmer, John R.; oval_developer@lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] Solaris packageAvoidList item? FMRI?
On 11/17/15 14:46, Ulmer, John R. wrote:
Regarding the Solaris packageavoidlist items.
Given that:
It would seem that since only the name of the package is returned by 'pkg avoid' and since a given package name could conceivably be sourced from more than one publisher, it is impossible to determine the FMRI for a given package.
Also, the documents at https://github.com/OVALProject/Sandbox/tree/master/resources/x-solaris-updates/content/packageavoidlist_test show a 'name' field in the state and item rather than an FMRI field. The schema (the actual xsd file) requires the 'fmri.'
Should the packageAvoidList state and item contain just the package name?
Or, if the FMRI is the correct information, how do we assure that we have the correct package FMRI when we only have the package name to work off of?
The avoid list is the name of the package not the full FMRI so the
schema requiring an FMRI is wrong.
The pkg system only stores package names for the avoid list not the full
FMRI - since the point of avoid is to avoid the package regardless of
publisher.
--
Darren J Moffat
--
Darren J Moffat
...