RFC: Add XML output option to 'dnf5 advisories list'

[stewartsmith]

Add an option to output the list of applicable advisories in the same XML format as the updateinfo.xml file in the repository.

This allows tooling to have a consistent machine readable format for getting what advisories apply to a system. Resorting to parsing text output of commands is (naturally) error prone, and designed for humans to look at rather than machines.

Alternatives for these tools include using the APIs of dnf/yum/other-rpm-package-manager, and keeping up with their evolution. For tooling that supports a wide range of distributions and versions, this can become rather onerous, especially across the many different security/patch management products.

With a documented format, we can help these tools get the correct information both on available updates, and what ones are applicable to particular systems. Using the same format these tools need to be able to parse already avoids the need to get multiple parsers correct.

---

One issue I have with this code is that the user needs to pass -q to dnf5 in order to get valid XML on stdout. Even with that, sometimes you get Fedora 40 openh264 (From Cisco) - aarc 100% | 3.1 KiB/s | 990.0 B | 00m00s and similar. Hints on how to avoid this are welcome - I'd prefer to not have to go via a file on disk.

I dislike the --xml-output option name, perhaps a --format=[xml|text|morse-code]? Suggestions welcome.

I'd like feedback on if this should be part of core dnf5 or a plugin. Being part of the core command does mean that third party tools can start relying on it being there rather than needing to also parse text output forever as well.

#1523 is related, as it starts documenting the updateinfo.xml format.

I also intend to backport to https://github.com/rpm-software-management/dnf so this functionality can be added to existing distributions, but wanted feedback here first.

---

Sample output of ./dnf5/dnf5 -q advisory list --xml-output on Fedora 40:
advisory-list.xml.txt

[kontura]

We do have a plan for machine readable output format but we plan to use json: #512 and #867.
Is xml something you require or would you be fine with json?

One issue I have with this code is that the user needs to pass -q to dnf5 in order to get valid XML on stdout. Even with that, sometimes you get Fedora 40 openh264 (From Cisco) - aarc 100% | 3.1 KiB/s | 990.0 B | 00m00s and similar. Hints on how to avoid this are welcome

This appears to be a bug. The -q option should suppress that output. It was discussed here: #1522 (comment)

[stewartsmith]

The main motivation for XML was to match a format that the tools have to parse anyway, avoiding them needing to correctly parse two formats.

The output of "dnf advisories list" may be the first time these tools are learning of a particular advisory. Parsing updateinfo from the repo is useful for a UI to browse and look up advisories, but for what applies to an instance, it needs to come from the instance to ensure all enabled yum repositories on that instance are covered.

Thus, if these are the same formats, it saves some extra code in these tools.

So, while JSON would functionally work, it would mean there's now two formats that must be parsed correctly rather than one.

What are your thoughts on just having --output=text|updateinfoxml|json ?

[stewartsmith]

One of the tools in question is SSM Patch Manager, a widely used AWS service. One benefit of a format with a well defined schema is that any output deviating from that schema can be alarmed on.

[stewartsmith]

With #1531 merged, I'm going to close this PR as agreement has been reached on JSON, and the code ends up being a bunch simpler.