Regarding the Solaris packageavoidlist items. Given that: - 'pkg avoid' returns only the 'name' of the avoided package and not the full FMRI, and - I don't see another/better way to query which packages are tagged to 'avoid,' and - the full FMRI is not available on a system on which a package is not installed and has no access to a repository. It would seem that since only the name of the package is returned by 'pkg avoid' and since a given package name could conceivably be sourced from more than one publisher, it is impossible to determine the FMRI for a given package. Also, the documents at https://github.com/OVALProject/Sandbox/tree/master/resources/x-solaris-updates/content/packageavoidlist_test show a 'name' field in the state and item rather than an FMRI field. The schema (the actual xsd file) requires the 'fmri.' Should the packageAvoidList state and item contain just the package name? Or, if the FMRI is the correct information, how do we assure that we have the correct package FMRI when we only have the package name to work off of? Thanks, ------------------------------------ John R. Ulmer SPAWAR Systems Center Atlantic (843)218-5953 John.R.Ulmer@saic.com ...

On 11/17/15 14:46, Ulmer, John R. wrote: > Regarding the Solaris packageavoidlist items. > > Given that: > - 'pkg avoid' returns only the 'name' of the avoided package and not the full FMRI, and > - I don't see another/better way to query which packages are tagged to 'avoid,' and > - the full FMRI is not available on a system on which a package is not installed and has no access to a repository. > > It would seem that since only the name of the package is returned by 'pkg avoid' and since a given package name could conceivably be sourced from more than one publisher, it is impossible to determine the FMRI for a given package. > > Also, the documents at https://github.com/OVALProject/Sandbox/tree/master/resources/x-solaris-updates/content/packageavoidlist_test show a 'name' field in the state and item rather than an FMRI field. The schema (the actual xsd file) requires the 'fmri.' > > Should the packageAvoidList state and item contain just the package name? > Or, if the FMRI is the correct information, how do we assure that we have the correct package FMRI when we only have the package name to work off of? The avoid list is the name of the package not the full FMRI so the schema requiring an FMRI is wrong. The pkg system only stores package names for the avoid list not the full FMRI - since the point of avoid is to avoid the package regardless of publisher. -- Darren J Moffat ...

Darren, Thanks for the confirmation. In the short term, we'll be filling the item with the package name even though the XML tag name will continue to be FMRI (to allow XML validation and until the schema is fixed). So, how do I push this forward? Who needs to know that the schema needs a tweak? I've lost the handle since we moved from MITRE. ------------------------------------ John R. Ulmer SPAWAR Systems Center Atlantic (843)218-5953 John.R.Ulmer@saic.com -----Original Message----- From: Darren J Moffat [mailto:Darren.Moffat@Oracle.COM] Sent: Tuesday, November 17, 2015 10:30 AM To: Ulmer, John R.; oval_developer@lists.cisecurity.org Subject: Re: [OVAL DEVELOPER] Solaris packageAvoidList item? FMRI? On 11/17/15 14:46, Ulmer, John R. wrote: > Regarding the Solaris packageavoidlist items. > > Given that: > - 'pkg avoid' returns only the 'name' of the avoided package and not the full FMRI, and > - I don't see another/better way to query which packages are tagged to 'avoid,' and > - the full FMRI is not available on a system on which a package is not installed and has no access to a repository. > > It would seem that since only the name of the package is returned by 'pkg avoid' and since a given package name could conceivably be sourced from more than one publisher, it is impossible to determine the FMRI for a given package. > > Also, the documents at https://github.com/OVALProject/Sandbox/tree/master/resources/x-solaris-updates/content/packageavoidlist_test show a 'name' field in the state and item rather than an FMRI field. The schema (the actual xsd file) requires the 'fmri.' > > Should the packageAvoidList state and item contain just the package name? > Or, if the FMRI is the correct information, how do we assure that we have the correct package FMRI when we only have the package name to work off of? The avoid list is the name of the package not the full FMRI so the schema requiring an FMRI is wrong. The pkg system only stores package names for the avoid list not the full FMRI - since the point of avoid is to avoid the package regardless of publisher. -- Darren J Moffat ...

On 11/17/15 16:20, Ulmer, John R. wrote: > Darren, > Thanks for the confirmation. > In the short term, we'll be filling the item with the package name even though the XML tag name will continue to be FMRI (to allow XML validation and until the schema is fixed). > > So, how do I push this forward? > Who needs to know that the schema needs a tweak? > I've lost the handle since we moved from MITRE. I'm not sure either but I'm assuming this list is the place to do it. > > ------------------------------------ > John R. Ulmer > SPAWAR Systems Center Atlantic > (843)218-5953 > John.R.Ulmer@saic.com > > > -----Original Message----- > From: Darren J Moffat [mailto:Darren.Moffat@Oracle.COM] > Sent: Tuesday, November 17, 2015 10:30 AM > To: Ulmer, John R.; oval_developer@lists.cisecurity.org > Subject: Re: [OVAL DEVELOPER] Solaris packageAvoidList item? FMRI? > > > > On 11/17/15 14:46, Ulmer, John R. wrote: >> Regarding the Solaris packageavoidlist items. >> >> Given that: >> - 'pkg avoid' returns only the 'name' of the avoided package and not the full FMRI, and >> - I don't see another/better way to query which packages are tagged to 'avoid,' and >> - the full FMRI is not available on a system on which a package is not installed and has no access to a repository. >> >> It would seem that since only the name of the package is returned by 'pkg avoid' and since a given package name could conceivably be sourced from more than one publisher, it is impossible to determine the FMRI for a given package. >> >> Also, the documents at https://github.com/OVALProject/Sandbox/tree/master/resources/x-solaris-updates/content/packageavoidlist_test show a 'name' field in the state and item rather than an FMRI field. The schema (the actual xsd file) requires the 'fmri.' >> >> Should the packageAvoidList state and item contain just the package name? >> Or, if the FMRI is the correct information, how do we assure that we have the correct package FMRI when we only have the package name to work off of? > > The avoid list is the name of the package not the full FMRI so the > schema requiring an FMRI is wrong. > > The pkg system only stores package names for the avoid list not the full > FMRI - since the point of avoid is to avoid the package regardless of > publisher. > > -- > Darren J Moffat > -- Darren J Moffat ...