[Deprecation Proposal] Removal of OVAL 5.10 compatible content from the project

[ggbecker]

Hello community,

In the past few weeks we developed new features for the sysctl template and we struggled to maintain the OVAL 5.10 compatibility due to various reasons, but mostly because we are not really using/testing them on our CIs.

Example of 5.10 content codition jinja statement:

content/shared/templates/sysctl/oval.template

Line 125 in 79f4246

{{% if target_oval_version >= [5, 11] %}}

Improvements on sysctl template:

#9286
#9396
#9400

Needed fixes because of OVAL 5.10

#9050
#9311
#9420

Currently, SCAP content with OVAL 5.10 is part of the release artifacts, but that's the only place we actually publish them and we are not sure if anybody is using that. Red Hat has been using SCAP v1.2 with a OVAL 5.11 (even though is not part of the standard) for a very long time because it enabled more advanced operations. Now with support for SCAP v1.3 content, this is not needed anymore since it supports the OVAL 5.11 and it is what is enabled by default in the builds of the project.

So we are proposing to remove the OVAL 5.10 content compatibility from the project to make our lives easier while maintaining the project. The next release v0.1.64 will be the last one containing content with 5.10 OVAL artifacts.

We are opening the space here for any objections/concerns/questions that may change the course of this proposal.

Here are some statistics collected from using download count of these artifacts:

Command to list all the artifacts and the download count:

gh api -H "Accept: application/vnd.github+json" /repos/ComplianceAsCode/content/releases | jq -r '.[].assets[] | .browser_download_url , .download_count'

Command that I used to extract some of the information below:

gh api -H "Accept: application/vnd.github+json" /repos/ComplianceAsCode/content/releases | jq . | grep -A 30 "oval-5.10.zip\"," | less

scap-security-guide-0.1.63-oval-5.10.zip
497

scap-security-guide-0.1.62-oval-5.10.zip
2418

scap-security-guide-0.1.61-oval-5.10.zip
600

scap-security-guide-0.1.60-oval-5.10.zip
811

scap-security-guide-0.1.59-oval-5.10.zip
561

scap-security-guide-0.1.58-oval-5.10.zip
1208

scap-security-guide-0.1.57-oval-5.10.zip
566

scap-security-guide-0.1.46-oval-5.10.zip
519

[ggbecker]

@dodys
@Xeicker
@maage
@guangyee
@freddieRv
@anivan-suse
@lenox-joseph
@cyarbrough76

Any feedback is welcomed.

[lenox-joseph]

I currently only really care about RHEL7 support.

Name : openscap
Version : 1.2.17

And as 5.11 seems to behave just fine with OSCAP 1.2, I have no objections.

<oval:schema_version>5.11</oval:schema_version>

[maage]

+1

The project is very complex. Way too many if/else blocks for anybody to handle, so we need to rely on testing. If testing is not done, then it is not good. Testing is also resource intensive and extra dimensions do not help.

[dodys]

That's fine by me too

[freddieRv]

We are also using only the 5.11 OVAL content on the current major OL releases

So no issue deprecating and removing the 5.10 content on our side

[msmeissn]

SUSE builds 5.11 content and has openscap in versions capable of processing 5.11 content in all current supported products.

[ggbecker]

The conclusion is that 0.1.64 is the last release with SCAP content with OVAL5.10. Next releases will not contain OVAL 5.10 anymore.

PR that removes the OVAL 5.10 support: #9604

[ggbecker]

Discussion will be open for some time but will eventually be closed.

[ggbecker]

The PR #9604 has been merged. From now on we don't expect any discussions anymore. If you still need to use 5.10 content, then download version less than 0.1.64 from the releases page: https://github.com/ComplianceAsCode/content/releases