Openscap package too outdated

Tyler Hicks tyhicks at canonical.com
Thu Jul 6 00:12:57 UTC 2017


On 07/05/2017 04:17 PM, Robie Basak wrote:
> On Wed, Jul 05, 2017 at 12:26:08PM +0200, Jesus Linares wrote:
>> In Xenial, the oscap version is 1.2.8, which supports OVAL 5.11, and these
>> files work properly. When will the *libopenscap8* package be updated?
> 
> Updated to what version?
> 
> If you want something in an existing stable release updated, we
> generally don't do that for new features. That's the point of stable
> releases. See https://wiki.ubuntu.com/StableReleaseUpdates and
> https://wiki.ubuntu.com/UbuntuBackports for more information.

It may make sense to bump the version of openscap in 14.04. It currently
can't consume the OVAL data that is generated from the Ubuntu CVE Tracker:

 https://people.canonical.com/~ubuntu-security/oval/

The script that generates the OVAL data was contributed to the Ubuntu
CVE Tracker project and is not something that the Ubuntu Security Team
tests/verifies, but the OVAL data is regenerated daily and there are
people out there using it. In fact, Jesus Linares contributed a bug fix
to the script so that he can make better use of the data.

The reason why openscap in 14.04 can't consume the Ubuntu OVAL data to
check the security stance of the system is that OVAL data for Debian-based
distros relies on deb-specific version comparison support only
available in newer OVAL language standards. 14.04's openscap is too old
to support the required OVAL language standard.

I doubt anyone out there is making much use of the existing openscap in
14.04. If a newer version, such as what's in 16.04, was pulled back to
trusty-updates, it might actually be useful.

Note that I haven't looked at the changes between 14.04 and 16.04's
openscap so I don't know how disruptive such a backport would be. I also
don't have the time to prepare and test such a backport. I just wanted
to elaborate on why Jesus is advocating for the backport as I feel like
it could be something worth an exception to the usual SRU rules.

Tyler
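The "deb-specific version comparison" Tyler refers to is the ordering dpkg applies to `epoch:upstream-revision` strings: `~` sorts before everything, digit runs compare numerically, and the Debian revision is compared separately from the upstream version. A scanner that cannot evaluate that ordering cannot answer "is the installed package older than the version carrying the fix?" for Ubuntu packages. The following is an added example, not code from this thread, from openscap or from dpkg; it reimplements dpkg's `verrevcmp()` ordering rules in Python, and the version strings it compares are constructed for illustration (to my knowledge the OVAL datatype that carries this semantics is `debian_evr_string`, added in OVAL 5.11, but the code below does not depend on that).

```python
"""dpkg-style version comparison as Debian/Ubuntu OVAL content requires.
Added example; mirrors dpkg's verrevcmp() ordering, not openscap or dpkg code.
All version strings used below are constructed samples."""


def _order(c):
    """Sort weight of one character in a non-digit run: '~' sorts before
    everything, including end-of-string (weight 0); letters before other symbols."""
    if "0" <= c <= "9":
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does:
    alternate between non-digit runs (via _order) and numeric runs."""
    i = j = 0
    ch = lambda s, k: s[k] if k < len(s) else ""  # '' stands in for C's '\0'
    isdigit = lambda c: "0" <= c <= "9"
    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not isdigit(ch(a, i))) or (ch(b, j) and not isdigit(ch(b, j))):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while ch(a, i) == "0":  # leading zeros are not significant
            i += 1
        while ch(b, j) == "0":
            j += 1
        while isdigit(ch(a, i)) and isdigit(ch(b, j)):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if isdigit(ch(a, i)):  # a has more digits, so it is the larger number
            return 1
        if isdigit(ch(b, j)):
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def dpkg_compare(a, b):
    """Return -1, 0 or 1 as a <, ==, > b under dpkg ordering."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def is_vulnerable(installed, fixed):
    """The 'installed version is less than the fixed version' check an OVAL
    criterion for a Debian-based package boils down to."""
    return dpkg_compare(installed, fixed) < 0


def naive_is_vulnerable(installed, fixed):
    """Plain string ordering, kept only to show where it disagrees with dpkg."""
    return installed < fixed


if __name__ == "__main__":
    cases = [  # (installed, version carrying the fix), constructed samples
        ("1.2.8-2ubuntu0.3", "1.2.8-2ubuntu0.10"),  # revision .3 < .10
        ("1.0~rc1-1", "1.0-1"),                      # '~' sorts before release
        ("1:1.0-1", "2.0-1"),                        # epoch wins
    ]
    for inst, fix in cases:
        print(f"{inst:18} < {fix:18}  dpkg={is_vulnerable(inst, fix)}"
              f"  naive={naive_is_vulnerable(inst, fix)}")
```

The first sample is the case that matters for Ubuntu security updates: revision `0.3` is older than `0.10` under dpkg rules, but a byte-wise string comparison says the opposite, so a scanner without deb-aware comparison would report the older package as already fixed. The `~` and epoch samples are the other two places where generic numeric or lexical comparison and dpkg ordering part ways.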
