All-
We recently pushed three new libraries to PyPI (stix121, cybox211, and maec411). Each of these libraries is functionally identical to the most recent versions of python-stix 1.2.0.x, python-cybox 2.1.0.x,
and python-maec 4.1.0.x, except that they use OASIS namespaces in XML rather than the MITRE namespaces.
https://pypi.python.org/pypi/stix121 https://pypi.python.org/pypi/maec411 https://pypi.python.org/pypi/cybox211 Currently these are “alpha” releases; we won’t make final releases until the XML schemas for STIX 1.2.1 and CybOX 2.1.1 are approved by the Technical Committee. In the meantime, we hope that people interested
in supporting these versions in Python code will be able to download the alpha versions, try them out, and notify us of any bugs that are found
[In the rest of this email, whenever I refer to a particular version number, I’m referring to python-stix, but the statement holds for the corresponding versions of python-cybox and python-maec as well. ]
There are a couple benefits to this approach:
-
We can start using semantic versioning for these libraries (they all start at 1.0.0).
-
Users who don’t want to update beyond 1.2.0.x won’t accidentally get new versions.
-
Users who want to support 1.2.1 can explicitly update. Code itself does not need to be changed to use stix121; it should still just “import stix” (NOT “import stix121”)
-
The risk of mixing incompatible versions (which has caused a lot of problems recently) is minimized.
A couple caveats:
-
Even though the package is named differently on PyPI, stix121 cannot be installed at the same time as the older “stix” library. Both libraries provide the “stix” package in Python code. The same
is true for cybox211/cybox and maec411/maec. You * can * install the otherwise-conflicting packages in different virtualenvs, however.
-
You cannot mix the old and new versions (i.e. stix121 with cybox, or stix with maec411). The default behavior of pip should do the right thing, but it’s possible to override by explicitly installing
conflicting packages. Don’t do this!
-
The consequence of the previous two points is that you still can’t support multiple versions of STIX in the same code (this has always been true). You can use stix-ramrod to convert back and forth
between 1.2 and 1.2.1, though.
-
I know the READMEs on PyPI need to be updated.
Also, there is not a formal “MAEC 4.1.1” release with OASIS namespaces, since MAEC has not yet been contributed to the TC. However, CybOX content that occurs within MAEC content embedded in STIX should have
OASIS namespaces, which required changes to the MAEC schemas contained within STIX. I realize this is confusing, but it was unavoidable.
If you have any questions, concerns, or other feedback, please let us know.
Thanks,
Greg Back
MITRE