TAXIIProject / libtaxii

A Python library for handling TAXII Messages invoking TAXII Services.
http://libtaxii.readthedocs.org/
BSD 3-Clause "New" or "Revised" License

Support for older dependencies #72

Closed mblayman closed 10 years ago

mblayman commented 10 years ago

In the "I need to support RHEL6" category, the libtaxii dependencies use newer versions than what is available in the RHEL6 repos. Are there any hard reasons to use lxml 2.3 and python-dateutil 1.5 (i.e. features only available in the newer versions)? RHEL6 has 2.2 and 1.4, respectively. Is it possible to support those older versions?

This issue generally applies to libtaxii, python-stix, and cybox, but I'll just open up this particular issue for now.

MarkDavidson commented 10 years ago

@mblayman,

For TAXII, at least, we just documented what version we were using when we did the release. There wasn't really any attempt to identify the minimum necessary version. I suppose that's one of the luxuries of using a dev environment =)

If you have an environment with lxml 2.3 / python-dateutil, would you be able to run the tox command against the library and see if the tests pass? If tox passes, I'd consider lowering the required version of the libraries.

It should be something like:

    git clone https://github.com/TAXIIProject/libtaxii.git
    (navigate to the root libtaxii directory)
    tox

I can check over the release notes of the related libraries and see if anything jumps out at me. Does RHEL 6 have lxml 2.2, or is it 2.2.x (e.g., 2.2.8)? I just want to know how far back to look. I couldn't find any release notes for python-dateutil, so we'll maybe have to just go by the test results on that one.

-Mark

mblayman commented 10 years ago

@MarkDavidson I don't have access to the RHEL6 image at the moment (the operations team is still setting up the environment we're going to use), but when I have it ready, I can try to run the tests and report back the results.

Looking at the list at http://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/, it looks like lxml is version 2.2.3 and python-dateutil is 1.4.1.

gtback commented 10 years ago

I'm going to set up a RHEL6 VM and try this out. @mblayman, if you have a chance to run the tests as well, I'd appreciate it!

gtback commented 10 years ago

I ended up going with a CentOS 6.5 VM, since getting RHEL to play nicely without a subscription didn't go well.

I ran yum install python-lxml python-dateutil (and also python-nose but only to run the tests), and had no errors when running the libtaxii tests, and was able to run the discovery_client successfully as well.

I don't see a good reason not to lower the minimum versions to 2.2.3 and 1.4.1 (which is what CentOS 6 had) for libtaxii (I'm not sure about cybox or stix).

Partially unrelated: @mblayman, is there a reason you can't use a virtualenv or something like pyenv to add a newer version of Python?

mblayman commented 10 years ago

@gtback The short answer is DISA. I have to work with the software that's on a RHEL6 image that has gone through a STIG (http://iase.disa.mil/stigs/) audit. There's no chance of getting a newer version of Python on that environment. As is, I'll have to potentially leap over tall mountains to get STIX, TAXII, and CybOX Python libraries through the proper certification and accreditation process.

gtback commented 10 years ago

Ahh, should have realized that.

@MarkDavidson: are you OK with me changing setup.py and the documentation to reflect the new dependencies?

MarkDavidson commented 10 years ago

@gtback, Please go ahead and do that.

@mblayman, Thank you for identifying and raising this item. RHEL 6 is a commonly used server, so it's nice to have libtaxii use libraries that are readily available on that platform (even if they are old!).

-Mark

mblayman commented 10 years ago

@MarkDavidson do these library changes extend to the other Python libraries in this ecosystem (e.g. python-stix and python-cybox)?

MarkDavidson commented 10 years ago

They don't. I've opened the following issues to see if the same can be done across the other libraries:

-Mark

gtback commented 10 years ago

Thanks, @MarkDavidson. I meant to add corresponding issues to those repositories but hadn't.