[Openembedded-architecture] Yocto post-release CVE and package uprev policy - openssl, ffmpeg, etc.
Alexander Kanavin
alexander.kanavin at linux.intel.com
Tue Jan 31 12:44:05 UTC 2017
On 01/31/2017 12:08 AM, Randy MacLeod wrote:
> Well, I expected such a reply but hoped to be surprised. It's a
> tough call as a distro maintainer. I wonder if maintainers for other
> major distros would generally have the same concerns about lack of time
> to develop the required expertise or is Yocto different due to lack of
> community participation.
I think it's a bit easier for desktop distros. The upstream developers
have to use some kind of desktop Linux, and then it's natural that they
would be supporting their distro in packaging and updating their code
correctly. Or they would even directly maintain the packaging. Not so
for Yocto; upstreams have no personal incentive to help us.
We do learn some of the upstream code piecemeal, but it's incidental,
and happens when there's a specific task to be solved; for instance I
know almost everything about gobject introspection :) and I can imagine
Jussi knows quite a bit about the parts of gtk+3 that are relevant to
the sato desktop. When I update openssl to 1.1 (in itself a
non-trivial task [1]), I can imagine I'll be more knowledgeable about
the API breakage they caused, and how it should be fixed - but not about any
other parts.
[1]
http://lists.openembedded.org/pipermail/openembedded-core/2016-December/130132.html
Alex