On 9/16/13 6:43 AM, Jan Lieskovsky wrote:
Hello Shawn,

   thank you for your reply.

0001-Add-Makefile-main-README-and-scap-security-guide.spe.patch
 From a961756728efa0ab3e67a031c07ca308da3a73fa Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Thu, 12 Sep 2013 17:16:18 +0200
Subject: [PATCH 1/8] Add Makefile, main README, and scap-security-guide.spec
  file, that will be used for building Fedora
  scap-security-guide (source) RPM package.


Signed-off-by: Jan Lieskovsky <[email protected]>
---
  FEDORA/Makefile                 | 58 +++++++++++++++++++++++++++++++++++++++++
  FEDORA/README                   | 30 +++++++++++++++++++++
  FEDORA/scap-security-guide.spec | 53 +++++++++++++++++++++++++++++++++++++
  3 files changed, 141 insertions(+)
  create mode 100644 FEDORA/Makefile
  create mode 100644 FEDORA/README
  create mode 100644 FEDORA/scap-security-guide.spec

diff --git a/FEDORA/Makefile b/FEDORA/Makefile
new file mode 100644
index 0000000..4c1cb5f
--- /dev/null
+++ b/FEDORA/Makefile
@@ -0,0 +1,58 @@
+IN = input
+OUT = output
+TRANS = transforms
+UTILS = utils
+DIST = dist
+
+ID = fedora-19
+
+all: shorthand2xccdf guide content dist
+
+shorthand-guide:
+       xsltproc -o $(OUT)/$(ID)-shorthand.xml $(IN)/guide.xslt $(IN)/guide.xml
+       xmllint --format --output $(OUT)/$(ID)-shorthand.xml
$(OUT)/$(ID)-shorthand.xml
+
+shorthand2xccdf: shorthand-guide
+       xsltproc -o $(OUT)/unlinked-unresolved-fedora-xccdf.xml
$(TRANS)/shorthand2xccdf.xslt $(OUT)/$(ID)-shorthand.xml
+       oscap xccdf resolve -o $(OUT)/unlinked-fedora-xccdf.xml
$(OUT)/unlinked-unresolved-fedora-xccdf.xml
+
+checks:
+       xmlwf $(IN) / checks / *.xml
+       $(TRANS)/combinechecks.py $(IN)/checks > $(OUT)/unlinked-fedora-oval.xml
+       xmllint --format --output $(OUT)/unlinked-fedora-oval.xml
$(OUT)/unlinked-fedora-oval.xml
+
+guide: shorthand2xccdf
+#       remove auxiliary Groups which are only for use in tables, and not
guide output.
+#       specifying a nonexistent profile, "allrules," to make oscap print
all Rules
+       xsltproc -o $(OUT)/unlinked-fedora-xccdf-guide.xml
$(TRANS)/xccdf-removeaux.xslt $(OUT)/unlinked-fedora-xccdf.xml
+       xsltproc -o $(OUT)/unlinked-notest-fedora-xccdf-guide.xml
$(TRANS)/xccdf-removetested.xslt $(OUT)/unlinked-fedora-xccdf.xml
+       oscap xccdf generate guide --profile allrules
$(OUT)/unlinked-notest-fedora-xccdf-guide.xml > $(OUT)/$(ID)-guide.html
+
+content: shorthand2xccdf guide checks
+       $(TRANS)/cpe_generate.py $(OUT)/unlinked-fedora-oval.xml
$(IN)/checks/platform/fedora-cpe-dictionary.xml $(ID)
+       $(TRANS)/relabelids.py unlinked-fedora-xccdf.xml $(ID)
+
+validate-xml:
+       oscap xccdf validate-xml $(OUT)/$(ID)-xccdf.xml
+       oscap oval validate-xml $(OUT)/$(ID)-oval.xml
+       oscap oval validate-xml $(OUT)/$(ID)-cpe-oval.xml
+
+validate: validate-xml
+       cd $(OUT); ../$(UTILS)/verify-references.py --rules-with-invalid-checks
--ovaldefs-unused $(ID)-xccdf.xml
+       oscap oval validate-xml --schematron $(OUT)/$(ID)-oval.xml
+
+# items in dist are expected for distribution in an rpm
+dist: guide content
+       mkdir -p $(DIST)/guide $(DIST)/content
+       cp $(OUT)/*-guide.html $(DIST)/guide
+       cp $(OUT)/$(ID)-xccdf.xml $(DIST)/content
+       cp $(OUT)/$(ID)-oval.xml $(DIST)/content
+       cp $(OUT)/$(ID)-cpe-dictionary.xml $(DIST)/content
+       cp $(OUT)/$(ID)-cpe-oval.xml $(DIST)/content
+
+eval-test:
+       oscap xccdf eval --profile test $(OUT)/$(ID)-xccdf.xml
+
+clean:
+       rm -f $(OUT)/*.xml $(OUT)/*.html $(OUT)/*.xhtml $(OUT)/*.pdf  
$(OUT)/*.spec
$(OUT)/*.tar $(OUT)/*.gz $(OUT)/*.ini $(OUT)/*.csv
+       rm -rf $(DIST)/content $(DIST)/guide
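Review bot: nothing in the dependency chain runs validation: `all: shorthand2xccdf guide content dist` and `dist: guide content` never pull in `validate-xml` or `validate`, so the XCCDF, OVAL and CPE files copied into $(DIST)/content can be packaged without ever passing `oscap xccdf validate-xml` / `oscap oval validate-xml` or the `verify-references.py` check. Since $(DIST) is exactly what the RPM ships to end users, consider `dist: guide content validate` (or at least `validate-xml`) so a schema-invalid file fails the build instead of reaching the package. Minor: in the `content` recipe, `$(TRANS)/relabelids.py unlinked-fedora-xccdf.xml $(ID)` is the only invocation without the `$(OUT)/` prefix the line above it uses; if the script resolves that name against the output directory itself, a comment saying so would keep the next reader from "fixing" it.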
diff --git a/FEDORA/README b/FEDORA/README
new file mode 100644
index 0000000..c3c94db
--- /dev/null
+++ b/FEDORA/README
@@ -0,0 +1,30 @@
+Directory Structure of scap-security-guide
+------------------------------------------
+
+The input directory contains source files that generate SCAP content, such
as
+XCCDF and OVAL.  Since a single large XML file is an impractical format for
+multiple authors to collaborate on editing SCAP content, efforts are made to
+keep logically related guidance and checking content in individual files.
+
+The transforms directory contains resources that enable the files inside the
+input directory (or output directory) to be combined and reformatted into
+valid SCAP formats or human-readable formats.
+
+The output directory is used as a storage area for items generated by the
files
+in the inputs directory.  It should be empty in the repository, and built on
+users' individual systems (and rely on its .gitignore file to keep such
files
+out).  The output directory contains transitional output (which may only
exist
+in order to be further transformed) as well as final output.
+
+The references directory should contain documents which are specified as
+references from within the SCAP content, or documents that are "seeds," viz.
+documents whose prose will be translated into SCAP formats, as well as other
+examples of SCAP content.
+
+The utils directory contains helper scripts and other items that are useful
to
+developers but are not essential to producing the project's output.
+
+The dist directory contains final outputs, which could be shipped in an RPM
for
+consumption by end-users.  Updating the Makefile to copy an item from the
+outputs directory to the dist directory indicates that an item is considered
a
+final output.
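Review bot: directory names drift between this README and the Makefile: the text says "the inputs directory" and "the outputs directory" in two places but "input" / "output" elsewhere, while the Makefile defines `IN = input` and `OUT = output`; please settle on one spelling. The README also states that the output directory relies on "its .gitignore file" to keep generated files out of the repository, but this patch adds no FEDORA/output/.gitignore (nor an output/ directory), so either that file belongs in the series or the sentence should not promise it. Lastly, the `references` directory is described here but nothing in the Makefile refers to it; fine if intentional, but worth a word.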
diff --git a/FEDORA/scap-security-guide.spec b/FEDORA/scap-security-guide.spec
new file mode 100644
index 0000000..b4d47f8
--- /dev/null
+++ b/FEDORA/scap-security-guide.spec
@@ -0,0 +1,53 @@
+
+# IMPORTANT NOTE: This spec file is solely dedicated to make changes to the
+# Fedora's scap-security-guide package. If you want to apply changes against
+# the main RHEL-6 scap-security-guide RPM content, use
scap-security-guide.spec
+# file one level up - in the main scap-security-guide directory (instead of
+# this one).
+
+Name:          scap-security-guide
+Version:       0.1
+Release:       1.fc19
+Summary:       Security guidance and baselines in SCAP formats
+Group:         Applications/System
+License:       Public Domain and GPLv2
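Review bot: `Release:       1.fc19` hardcodes the distribution tag; Fedora spec files write `Release: 1%{?dist}` so the same spec rebuilds unchanged for every Fedora release (and the header comment already anticipates a second, RHEL-oriented spec one level up). On the `License:` line, note that in Fedora's license identifier scheme `GPLv2` means version 2 only whereas `GPLv2+` means "or any later version", so the value chosen here should match whatever the bare "GPL" in the RHEL6 spec actually intended rather than being picked to silence rpmlint.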
Good catch. I actually wanted to consult this first, and truly, had I not had
patch submission issues, I probably wouldn't have forgotten about this.

Anyway, the reason why I changed the original RHEL6 scap-security-guide.spec
from:
     7 License:        Public domain and GPL

to that one in Fedora's spec:
    13 License:        Public Domain and GPLv2

is that I had (before submission) run the rpmlint utility
(on all three of the *.spec, *.src.rpm, and *.rpm packages), and tried
to fix the reported issues. One of the warnings (on *.src.rpm) had the
form of [*]:
   scap-security-guide.src: W: invalid-license Public domain
   scap-security-guide.src: W: invalid-license GPL

which according to:
   [1] http://fedoraproject.org/wiki/Common_Rpmlint_issues and
   [2] https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing (got to [2] from [1])

was because the 'Public domain and GPL' strings are invalid. The public
domain fix was easy, but I wasn't sure about the second one (so I just used
GPLv2 for now). But we should definitely have a look at the GPL Compatibility
Matrix:
   [3] https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#GPL_Compatibility_Matrix

and choose the most appropriate one for purposes of SSG.

Suggestions welcome.

Completely sane. Noted the new thread on this, will continue the conversation there.


Since most (all?) of the RHEL6 content is public domain, this may be
confusing. Should we (begrudgingly) start adding per-file License headers to
identify which code snippets are public domain vs GPLv2?
Might not be necessary (AFAICT). But we should use proper license abbreviations
at least.

Will take your lead on this! Steve Grubb and others who maintain current RH packages may have authoritative knowledge on if per-file is needed (I've heard both ways from RH staff in the past).


IMO, to simplify the SSG relationship with government & gov-contractor
committers, *everything* should be public domain as they're unable to assign
any copyright as required by most open source licenses.

For the govies -- will the addition of GPLv2 to Fedora content affect your
ability to commit? What happens if you patch a GPLv2 file, but a "single
line change" must be public domain?
The GPLv2 add-on wasn't intended to put some copyright on the content. Rather,
it was to align the spec with currently recognized abbreviations. The whole
content can be Public Domain (AFAICT), if this would be the right way of sharing
it. I will still check this internally.

Public Domain has been vital to the high level of government involvement in the project. Definitely let us know if you run into roadblocks pursuing this!

As we prepare for formal Red Hat packaging, I'd rather begin to address the
issue now.
Sure. Thank you for catching it (I made a side note to mention / discuss it before,
but forgot in the end).

Thank you && Regards, Jan.
--

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
