Updated package_spec controls naming convention

[rquinones93]

package-04 was incorrectly named package-05 which incorrectly labelled the following controls.

[rquinones93]

Unsure how to configure DCO

[artem-sidorenko]

@rquinones93 thank you for this PR! Regarding DCO - please have a look to the DCO Details for instructions.

Regarding the reordering, I remember we had another control and it was dropped later. To avoid breaking downstream baselines, we kept the identifiers. @chris-rock @atomic111 can you maybe correct me if I'm wrong?

[chris-rock]

@rquinones93 Thank you for identifying the issue. I tried to figure out when control 04 was removed. Its seems like we could have fixed that with the release of version 2.x of this baseline.

The challenge with fixing it now is that it will break existing users where they rely on control ids. We try to keep the promise that our baselines have stable ids. We've seen a different behavior in CIS baselines and it confused all the CIS baselines user that I know of.

At this point, I think it is save to add a new control labeled package-04 but we should not rename the existing controls. Unfortunately, InSpec has no keyword to reserve a control id. This would have made this super obvious. Should we add a comment to code?

[rquinones93]

Hello @artem-sidorenko & @chris-rock - I apologize for the delayed response, but thank you so much for taking a look at this PR. I'm newer to Chef & InSpec so I thought this would've been a simple change, but I guess not! Haha.

It makes sense to not change the control names, based on others implementations. I could change the file back to the initial state and add a comment? I would think a control that did nothing isn't too useful?

Ideas on what the comment should be?

[chris-rock]

@rquinones93 maybe just add a comment that the control id is intentionally left out

[chris-rock]

@rquinones93 I am going to close this PR. Thank you for pointing out, I added the missing doc in #123