
package naming issue for official linux maintainers/developers #197

Closed
hsntgm opened this issue Mar 16, 2019 · 36 comments

hsntgm commented Mar 16, 2019

#189

@bjoernricks

I confirm that there is definitely a misunderstanding about openvas-libraries vs gvm-libs from our side.

  • For now, also for all other components (scanner, manager, assistant) for your next stable.

ping for issue -->

@fcolista for Alpine
@shibumi, @anthraxx, @GIJack for Arch
@hsntgm for Gentoo
@rhertzog, @szlin for Debian
@sbrun for Kali
@atomicturtle for the Atomic repo
@mrazavi64 for the ~mrazavi PPAs
@tgurr ?
@cheese1 for Fedora

While bumping your next stable version the below information will create confusion for package maintainers/developers.

https://community.greenbone.net/t/about-the-source-edition-gse-category/176
"GVM-9 (stable, previously named OpenVAS-9)".


Could you clearly/officially confirm/explain all your package names for your next stables?

"GVM-9 (stable, previously named OpenVAS-9)".

gvm-libs-1.0.0 or gvm-libraries-1.0.0 or openvas-libraries-1.0.0
gvm-scanner-6.0.0 or openvas-scanner-6.0.0
gvm-manager-8.0.0 or gvmd-8.0.0 or openvas-manager-8.0.0 or greenbone-vulnerability-manager-8.0.0

Best Regards,


@bjoernricks
Contributor

I've written some explanations and details about our components last week here https://community.greenbone.net/t/is-openvas-manager-and-gvmd-the-same/1777

Maybe that helps to understand what's going on at our side.

@bjoernricks
Contributor

Let me know if this thread already clarifies most issues or if you need additional info. Thanks a lot for opening this issue and getting in touch!

@hsntgm
Author

hsntgm commented Mar 16, 2019

Thank you @bjoernricks

https://community.greenbone.net/t/is-openvas-manager-and-gvmd-the-same/1777

Only the first component from the original fork will stay in its name, the OpenVAS Scanner will not be renamed.

So all components renamed except openvas-scanner.

Sorry but this is so weird. Everywhere, I mean in every Linux distro, your components are known by this name "openvas-libraries" | "openvas-manager" etc.

Could you correct me for any misunderstanding? After now the main public name of this project is "GVM" instead of "OpenVAS" and all your components name changed according to below table?

@fcolista
@shibumi
@GIJack

Main Name:

gvm               10.0.0 (previously openvas 9.0.0)

Components Names:

gvm-libs           1.0.0 (previously | openvas-libraries-9.0.0)
openvas-scanner    6.0.0 (not changed)
gvmd               8.0.0 (previously | openvas-manager-7.0.0)
gsa                8.0.0 (previously | greenbone-security-assistant-7.0.0)
gvm-tools          2.0.0 (previously | openvas-cli)

@bjoernricks
Contributor

> Sorry but this is so weird. Everywhere, I mean in every Linux distro, your components are known by this name "openvas-libraries" | "openvas-manager" etc.

Greenbone had real issues with not being visible as the company behind OpenVAS in the past. Therefore the name changes had become necessary. AFAIK Debian has Replaces and Provides exactly for this process. We are not the first project changing its name.

> gvm-libs 1.0.0 (previously | openvas-libraries-9.0.0)

As I wrote before I would consider gvm-libs as a new component that replaces openvas-libraries. We use gvm-libs as the new name.

> openvas-scanner 6.0.0 (not changed)

Exactly.

> gvmd 8.0.0 (previously | openvas-manager-7.0.0)

Exactly.

> gsa 8.0.0 (previously | greenbone-security-assistant-7.0.0)

To be 100% correct gsa has two parts with GVM 10. The web page written in react which we call gsa (greenbone security assistant) now and the gsad which is the http daemon that maps http calls to GMP and can provide the static content files. In OpenVAS 9 gsad did generate all pages and the dynamic content.

Personally I don't see a difference if you would still call the package greenbone-security-assistant.

> gvm-tools 2.0.0 (previously | openvas-cli)

openvas-cli is abandoned. It was written in C and isn't developed anymore. gvm-tools is a replacement tool written in python 3. Both have nothing in common besides providing cli tools and talking the GMP/OMP protocol.

@bjoernricks
Contributor

Some additional info about the architecture can be found here https://community.greenbone.net/t/about-gvm-architecture/1231

@fcolista

@bjoernricks :
what's the point of keeping the name openvas-scanner when all the other packages have been renamed as gvm-* ?
This (again) leads to the confusion, if you decide to rename openvas-scanner to gvm-scanner and change the version breaking the ABI, as it happened with gvm-libs / openvas-libraries.

@hsntgm
Author

hsntgm commented Mar 16, 2019

plus @fcolista

This structure will make your community edition name (known as OpenVAS for years) completely out of sync in package managers for all Linux distros. If I bump your next stable version named as gvm-10 and change all component names like "gvmd" | "gvm-libs" how will people reach that?

Who knows gvm?

Please believe me it will take ages for people to understand your name changed and your name synced with all Linux distros. Your biggest success is a name openvas which synced with the Linux world. This is not a simple thing.

@bjoernricks
This needs a real solution !

Is there any legal issue from your side, if we continue to use old naming structure for your next stables but in package description we honour the greenbone ?

@kroosec
Contributor

kroosec commented Mar 17, 2019

I will chime in with some history information, as best as I know/remember. Viewing this from a licensing/copyright perspective might help. I am not a lawyer though ;)

OpenVAS project started with openvas-scanner and openvas-libraries (and openvas-client which is abandonware.) This part of the codebase was mostly GPLv2-only (inherited from Nessus, which went proprietary.) and can't for example link against new Samba versions due to its GPLv3 license (thus the usage of openvas-smb fork and Impacket tool at the moment.)

All the new code that is developed by Greenbone is GPLv2+ afaict, this includes openvas-manager/gvmd, greenbone-security-assistant, new files in openvas-scanner and openvas-libraries etc.

Over the years, openvas-libraries accumulated new GPLv2+ code, along the old GPLv2 non-Greenbone code. With this new release, the old parts (misc/ and nasl/ in openvas-libraries) were moved to openvas-scanner, while new parts that are written by Greenbone (+ new features, bug fixes, cleanups etc.) are now known as gvm-libs.

Now we have:
Old parts (openvas-scanner, including parts merged from openvas-libraries): A mix of GPLv2 and GPLv2+. Based on a fork of Nessus +10 years ago, with large rewrites, bug fixes etc. by Greenbone.

New parts (gvm-libs, gvmd, gsa, gvm-tools...): GPLv2+. All were developed from scratch by Greenbone.

@shibumi

shibumi commented Mar 17, 2019

Hi everybody,
Can somebody summarize the whole situation for me? I am quite confused at the moment. We have in Arch Linux the following OpenVAS related packages:

  • greenbone-security-assistant
  • openvas-cli
  • openvas-libraries
  • openvas-manager
  • openvas-scanner

As I understood, this will look like this in the future:

  • greenbone-security-assistant
  • greenbone-libraries
  • greenbone-manager
  • openvas-scanner
  • openvas-cli

What will happen with openvas-cli? I can't find a repository for it in your github organisation. Is this project still work in progress and/or necessary for the greenbone-security-scanner or should I ship greenbone-tools (gvm-tools) instead? And what do you guys prefer as package names? The full name like greenbone-security-assistant or do you want gsa as package? IMHO we should discuss this, because otherwise you will have totally different names in different distributions. Little hint from me: "I would go with greenbone-security-assistant, because this way your company will get in the head of the people. If we just call the package gsa it will be too short and looks too random."

@fcolista I agree with you. It would be much nicer if we could rename openvas-scanner to greenbone-scanner as well. I would go for a hard break here, I don't think the open source community is stupid. If @bjoernricks announces the new name correctly and if only greenbone software gets updated in the future, people will get used to it and stick with the new name.

@shibumi

shibumi commented Mar 17, 2019

This could be interesting for my Co-Maintainer @anthraxx as well.

@hsntgm
Author

hsntgm commented Mar 17, 2019

@shibumi

You can find their current naming structure below which @bjoernricks approved.

It is still not clear for me that can we decide our preferred package names for this project without any legal issue? But in any condition we all have to be synced about package names. I agree that "gvm, gvmd etc. will be too short and looks too random"

It seems there is no more project named "OpenVAS" and now official name is "GVM". But below namings certainly will make users confused.

Main Name:

gvm                            10.0.0 (previously openvas 9.0.0)

-------------------------------------------------------------------

Components Names:

gvm-libs                       1.0.0 (previously | openvas-libraries-9.0.0)
openvas-scanner                6.0.0 (not changed)
gvmd                           8.0.0 (previously | openvas-manager-7.0.0)
greenbone-security-assistant   8.0.0 (@bjoernricks says still can be used under this name)
gvm-tools                      2.0.0 (previously | openvas-cli)

@cfi-gb
Member

cfi-gb commented Mar 17, 2019

Basically this should be a detailed (not official) overview. I have marked the package names TBD which can be filled in once a consent has been found.

Please correct me if anything in this table below is not correct.

For the "old package name" I had chosen the naming scheme from Debian, not sure if other distributions like Arch are currently using a different name. Please let me know if this is the case.

| Old name | New name | Old package name | New package name | Source Code repository |
|---|---|---|---|---|
| Open Vulnerability Assessment System (OpenVAS) 9 | Greenbone Vulnerability Management (GVM) 10 | N/A, project name | N/A, project name | - |
| OpenVAS Manager | Greenbone Vulnerability Manager | openvas-manager | TBD | https://github.com/greenbone/gvmd |
| OpenVAS Scanner | not changed | openvas-scanner | not changed | https://github.com/greenbone/openvas-scanner |
| Greenbone Security Assistant | not changed | greenbone-security-assistant | not changed | https://github.com/greenbone/gsa |
| OpenVAS Libraries | N/A, split into OpenVAS Scanner and Greenbone Vulnerability Management Libraries | openvas-libraries | N/A, split into OpenVAS Scanner and Greenbone Vulnerability Management Libraries | - |
| N/A, new component | Greenbone Vulnerability Management Libraries | N/A, new component | TBD | https://github.com/greenbone/gvm-libs |
| OpenVAS-CLI | deprecated/abandoned | openvas-cli | deprecated/abandoned | - |
| N/A, new component | Greenbone Vulnerability Management Tools | N/A, new component | TBD | https://github.com/greenbone/gvm-tools |
| openvas-smb | not changed | openvas-smb | not changed | https://github.com/greenbone/openvas-smb |

There are a few components like the following which I haven't mentioned yet:

https://github.com/greenbone/ospd

https://github.com/greenbone/python-gvm

@bjoernricks
Contributor

Personally for me it doesn't matter if the packages are using the abbreviated names like our github repos e.g. gvm-libs or long names like greenbone-vulnerability-management-libraries. I've seen a lot of different package names already. So from my side the packagers are free to use whatever name fits best for them.

Greenbone had to experience that the project umbrella name OpenVAS creates a lot of headaches and issues with customers. Therefore the decision was taken to rename OpenVAS to GVM for the next release and already to talk about GVM instead of OpenVAS.

@bjoernricks
Contributor

Hi,

I would like to let you know that after we got your feedback and had an intensive internal discussion we decided to release gvm-libs with version 10.0 instead of 1.0. Hopefully this addresses the major issue with openvas-libraries and gvm-libs for you.

@fcolista

fcolista commented Apr 8, 2019

Thanks.

./gvm-libs/usr/lib
./gvm-libs/usr/lib/libgvm_base.so.10.0.0
./gvm-libs/usr/lib/libgvm_osp.so.10.0.0
./gvm-libs/usr/lib/libgvm_gmp.so.10.0.0
./gvm-libs/usr/lib/libgvm_gmp.so.10
./gvm-libs/usr/lib/libgvm_util.so.10.0.0
./gvm-libs/usr/lib/libgvm_util.so.10
./gvm-libs/usr/lib/libgvm_osp.so.10
./gvm-libs/usr/lib/libgvm_base.so.10

@cfi-gb
Member

cfi-gb commented Apr 8, 2019

@ all: Keep in mind that the transition from openvasmd 7.0 to gvmd 8.0 needs some migration steps for existing installations / setups as outlined in https://github.com/greenbone/gvmd/blob/v8.0.0/INSTALL.md#migrating-to-version-80

@hsntgm
Author

hsntgm commented Apr 8, 2019

Thanks @bjoernricks @cfi-gb !

@fcolista I see that you have pushed the latest components. Congrats to Alpine Linux.

openvas-libraries --> gvm-libs
openvas-scanner --> not changed
openvas-manager --> gvmd
greenbone-security-assistant --> not changed
openvas-cli --> gvm-tools

What is your main package name in Alpine? It seems /etc/openvas is now /etc/gvm.
So is the main package name gvm now in Alpine?

I could not find that in repology.org.
Thanks.

@fcolista

fcolista commented Apr 9, 2019

@hsntgm in Alpine the packages are:
gvm-libs
openvas-scanner
gvmd
greenbone-security-assistant
PS: since openvas-check-script is no longer maintained, I'm planning to ship that script tailored for Alpine. It's WIP so far.

@hsntgm
Author

hsntgm commented Apr 9, 2019

openvas-check-script is broken badly for new releases. Tweaking it was harder than writing a new one, so I wrote a simple core first-start script & cron for the Gentoo package. I will check if it needs updating for the new gvmd.

Feel free to use & develop it for Alpine.
https://github.com/hsntgm/openvas-9-scripts

@szlin

szlin commented Apr 10, 2019

@cfi-gb Thanks for tagging me, I'm going to work on new version of the packages these days.

@bjoernricks
Contributor

We are collecting hints for installation changes here https://community.greenbone.net/t/hints-for-migration-to-gvm-10/1971

Please let us know if something is missing. I am going to update the topic with fresh info for the others.

@bjoernricks
Contributor

Btw. the current GSA release tarball for 8.0.0 seems to be defective: greenbone/gsa#1258

I've already fixed the issue in the gsa-8.0 branch. A quick patch would be to just out-comment the failing include or to create an empty gitrevision.h file. Of course this will be fixed in the next patch release.

@hsntgm
Author

hsntgm commented Apr 10, 2019

@bjoernricks

I have a problem with GSA.

Gentoo is a source-based distribution. I need precompiled npm stuff for greenbone-security-assistant (complete release tarball). In Gentoo it is not allowed to fetch npm stuff at compile time. It is also not possible to fetch all the stuff in package.json manually. There are lots of packages.

I am not familiar with node & npm & react. Any suggestions are welcome, otherwise I am not able to bump GVM-10 for Gentoo.

@cfi-gb
Member

cfi-gb commented Apr 10, 2019

@hsntgm This is currently discussed in a separate issue within the GSA repository: greenbone/gsa#1261

@cfi-gb
Member

cfi-gb commented Apr 10, 2019

@mrazavi64 FYI: #197 (comment)

As it seems, https://launchpad.net/~mrazavi/+archive/ubuntu/gvm is using a gvsd package name for the not renamed openvas-scanner component.

@bjoernricks
Contributor

> I am not familiar with node & npm & react. Any suggestions are welcome, otherwise I am not able to bump GVM-10 for Gentoo.

I am not familiar with how packaging nodejs dependencies is handled in distributions. So I am relying on downstream for a possible solution of this problem.

@admirito

@cfi-gb Thanks for your comment, I'm going to rename it back to openvas-scanner.

@atomicturtle

Renamed GVM 10 packages are available in atomic now for EL7 and FC29, the other distros are coming up soon.

We went with:

greenbone-vulnerability-manager (formerly openvas, our loader package for the whole suite)
gvm-libs (formerly openvas-libraries)
gvmd (formerly openvas-manager)
greenbone-security-assistant (unchanged, this is gsad)
openvas-scanner (unchanged)

@cfi-gb
Member

cfi-gb commented Apr 17, 2019

> greenbone-vulnerability-manager (formerly openvas, our loader package for the whole suite)

This could introduce some confusion for the following reason (because of the naming decision to go for GVM and GVMd which are different):

GVM = Greenbone Vulnerability Management (The project's "main" name, including e.g. openvas-scanner, gvmd, gvm-libs, ...)
GVMd = Greenbone Vulnerability Manager daemon (The former openvas-manager, located now at https://github.com/greenbone/gvmd)

@cheese1

cheese1 commented Apr 20, 2019

great to have that discussion and all your input, as i'm currently in the midst of packaging the new versions for fedora.
i thought i would stick with the old names AND provide the new ones, too. i'm sure that every distribution has some mechanics for that.
and i'm quite happy the libraries got reversioned to 10 from 1.
my only remaining concerns now are the upgrade-path for users with older versions. i'm afraid i cannot test all combinations.

and one last question: what happens to www.openvas.org?

@hsntgm
Author

hsntgm commented Apr 20, 2019

@cheese1

For the new release (GVM), I updated openvas.org to greenbone.net when packaging for Gentoo.

Also licences are updated to GPL-2+ for all new components. Only openvas-scanner has mixed GPL-2 & GPL-2+.

I am still waiting for 'greenbone-security-assistant 8.0.0' to be ready for source-based distros. I think all source-based distros' maintainers, including the Arch one, are waiting for this too.

@hsntgm
Author

hsntgm commented Dec 5, 2019

Hi GVM maintainers & Greenbone Team & Users,

This is the wiki page that I made for Gentoo Linux. Feel free to update it for the newer gvm-11 if you have time. Also all feedback is welcome from upstream for missed information.

Gentoo wiki --> https://wiki.gentoo.org/wiki/Greenbone_Vulnerability_Management @hsntgm
Alpine wiki --> https://wiki.alpinelinux.org/wiki/Setting_up_GVM10 @fcolista

@bjoernricks
Contributor

> GVM stands for Open Vulnerability Assessment System (OpenVAS)

Could you change that sentence?

Some history background. After the fork from Nessus, which was called Open Vulnerability Assessment System (OpenVAS), there was only the scanner. Greenbone did add several components in the meanwhile but wasn't very visible. Therefore we decided to rename the "suite" to GVM and use OpenVAS for the scanner only. Therefore OpenVAS became an acronym for Open Vulnerability Assessment Scanner now.

@bjoernricks
Contributor

Btw. I would love to establish a communication channel between the packagers from distributions and Greenbone. At https://community.greenbone.net/ we are getting asked a lot of questions which are distribution specific or already fixed but not packaged yet.

@szlin

szlin commented Feb 5, 2020

@bjoernricks I was swamped with work, so I just started to package the new version of "openvas" in Debian.

I noticed that "openvas-scanner" was renamed to "openvas", which causes a conflict issue in Debian, because we already have an "openvas" package [1] which is a dummy package and aims to install all components of "openvas."

I think one of the solutions to minimize the impact is to add an alias name "openvas-scanner" to "openvas"

What do you think?

[1] https://packages.debian.org/sid/openvas

@bjoernricks
Contributor

> I think one of the solutions to minimize the impact is to add an alias name "openvas-scanner" to "openvas"
>
> What do you think?

I thought I already wrote something about that but can't find it. For me it would be completely fine to stay with openvas-scanner as the package name for http://github.com/greenbone/openvas because it is still the scanner component.
