[Open-scap] OpenSCAP 1.2.0 coming soon

Martin Preisler mpreisle at redhat.com
Thu Oct 23 12:18:20 UTC 2014 

----- Original Message -----
> From: "Simon Lukasik" <slukasik at redhat.com>
> To: "Martin Preisler" <mpreisle at redhat.com>
> Cc: open-scap-list at redhat.com
> Sent: Thursday, October 23, 2014 12:28:06 PM
> Subject: Re: [Open-scap] OpenSCAP 1.2.0 coming soon
> 
> [snip]
> 
> The decision was not made. Though I have projects that depend on changes
> in master that have tight schedule. I will blog about them shortly.
> 
> foreman_openscap needs SCAPtimony needs ruby-openscap needs openscap
> 
> If I manage to release all the four projects, we will be able to collect
> and show OpenSCAP reports from Foreman infrastructure. Then, I can
> announce the projects to Foreman community.

Do you really need released openscap to showcase this? Is there enough
functionality in foreman_openscap to warrant upstream releases of
4 projects and a lot of headache for other people depending on openscap?
Will these releases be shipping anywhere?

Could you please elaborate on the deadlines so I can plan my openscap
work around them? They clearly involve me and I have no idea.

> > There are still regressions from oscap_source that haven't been fixed.
> 
> I know only about a single one. Are there really more of them?

CPE autoload is the one you know about I guess. The branch is too new for
me to give you a good answer. I have just begun to move workbench to the
new code. It's likely there will be more issues that I come across.

There certainly are issues in workbench that need addressing [1] and they
weren't there before oscap_source. However I can't classify them as
regressions, because workbench is taking advantage of knowing openscap
internals. Very often it's just new functionality that workbench isn't
expecting.

> > I need changes in openscap master to support new workbench functionality
> > that has not been written yet. Furthermore I have RFEs for report and
> > guide that I would like to implement.
> 
> We can release 1.2.1 shortly after. Would it help?
> 
> >                                       Semantic diff is also planned
> > for 1.2.0.
> 
> Semantic is too big bite. I am afraid that Foreman/OpenSCAP integration
> cannot wait until the diff is done.

Semantic diff is a very important feature that has been requested for the
past 3 feature releases. Probably before that too. I think it's not such
a big undertaking. Especially if we narrow the scope at first and go for
just a good XCCDF TestResult diff. Diffing 2 TestResults of the same profile
would go a long way as the first implementation.

I guess it's a feature you plan in foreman integration too. Furthermore
it's important for cockpit integration. That's work I have deadlines for ;-)

The most important outcome of this discussion so far is that we could use
a release schedule for openscap to avoid these surprises in the future.

> > And then there is:
> > https://fedorahosted.org/openscap/query?milestone=1.2.0&status=assigned&status=new&status=reopened&group=status
> >
> 
> I've tried to address these issues above.
> 
> > It adds another maintenance branch which has significant cost. I would
> > prefer to release with more new features than what we have right now.
> > Do we really want to release a new breaking release every 2 months?

I'd like you to address this please. We have grown to be a very responsible
upstream in the past year and a half. This seems like a step back.

[1] dependency closure for bundle exporting, remote scanning and bzip2
(detecting support), bzip2 inside RPM bundle. I could go on, as I said
the branch is too new.

-- 
Martin Preisler

More information about the Open-scap-list mailing list